
Thread: Multi server installation with LDAP replication

  1. #1
    Join Date
    Sep 2012
    Posts
    9
    Rep Power
    3

    Post Multi server installation with LDAP replication

    Hi everybody,

    I am new here at the Zimbra community, and I am trying to achieve a multi-server installation with Zimbra open source edition on CentOS (I know, not supported, but I still want to use CentOS).
    Code:
    [zimbra@mailbox01 ~]$ zmcontrol -v
    Release 7.2.0_GA_2669.RHEL6_64_20120410002025 CentOS6_64 FOSS edition.
    I have four servers :
    • mailbox01 : ldap, logger, snmp, store, spell, memcached and apache
    • mailbox02 : ldap, snmp, store, spell, memcached and apache
    • mta01 : mta, snmp, proxy, memcached
    • mta02 : mta, snmp, proxy, memcached

    mailbox01 is the master LDAP server, and mailbox02 is the replica. mta01 and mta02 point toward mailbox01 for authentication (LDAP).
    So far, I have a working infrastructure, i.e. on the admin console I have everything in green in the server status tab (it took me a while to get it working properly though) and I can send email between users, etc.

    mta01 and mta02 will be the front-end servers of the infrastructure (behind a load balancer), while mailbox01 and mailbox02 will be on a secure zone.

    What I want to achieve :
    • Normal mode, mta01 and mta02 work with mailbox01 for authentication.
    • Fail mode 1, mailbox01 is down, both mta01 and mta02 work now with mailbox02 (with only read access of course)
    • Fail mode 2, mailbox02 is down, equivalent to the normal mode.

    However, I have a blocking point here. I cannot figure out how to configure two LDAP servers on the MTA servers. I thought it would be in the local config "ldap_url":
    Code:
    ldap_url = ldap://mailbox02:389 ldap://mailbox01:389
    When I edit this attribute on mta01 and mta02, then restart the server, I get an error message stating that it cannot contact the LDAP server and reads data from the cache. I cannot send emails anymore, and I cannot revert the configuration to what it was before.

    Is it possible to do what I want to do? If so, what should I do to make it work?

    Hope I have been clear enough (English is not my mother tongue) :-)

    Sincerely yours,

    tpouzet.

  2. #2
    Join Date
    Sep 2006
    Location
    477 Congress Street | Portland, ME 04101
    Posts
    1,374
    Rep Power
    11


    Please check the value for ldap_master_url in localconfig, which should point to just the LDAP master, as in:

    Code:
    ldap_master_url = ldap://mailbox01:389
    Hope that helps!
    Mark

  3. #3
    Join Date
    Mar 2006
    Location
    Beaucaire, France
    Posts
    2,322
    Rep Power
    13


    Use FQDN, check your DNS (looks like a triple split DNS because of the three subnets), check your firewalls/routing rules.
    Master LDAP must be at the end of the list (ldap_url).

    Considering your setup, if one of the mailbox servers is down, half (or so) of your users won't be able to connect anyway.

    The servers hammering the LDAP are mostly the MTA servers, so why not set up a replica "alone" (not running on a mailbox server), used by the MTA servers in normal mode, and let them use the master in degraded mode?

    On a side note:
    What is the use of the memcached service on the mailbox/LDAP servers? AFAIK it's used by zimbra-proxy only.
    What is the outgoing mailflow from the mailbox servers?

  4. #4
    Join Date
    Sep 2012
    Posts
    9
    Rep Power
    3


    Hi LMStone, I do have this value in the ldap_master_url item, I just checked. (I never touched this item, but during my previous tests I noticed that sometimes it gets erased when I touch other parts of the LDAP configuration with the zmlocalconfig tool...)

    Klug, I think all the items you listed are working:
    • FQDN: I do use FQDNs, but I removed the trailing part to keep just the hostname in my post
    • DNS: I had some issues when sending emails at first, but this was because of DNS issues. I have a DNS server located on mailbox01 (for the tests), fully working
    • Firewalling: I placed all my servers on the same LAN to avoid them at first. One step at a time: first, a working infrastructure, next, a secured one...

    Quote Originally Posted by Klug:
    The servers hammering the LDAP are mostly the MTA servers, why not setting up a replica "alone" (not running on a mailbox server), used by the MTA servers (in normal mode and let them use the master in degraded mode)?
    Regarding the architecture, this was not my decision in the first place, but I am open to any suggestion as I am kind of a newbie with Zimbra... This architecture could be good, but we have the exact same problem as the one I stated in my first post: I do not know how to configure the MTAs to contact one LDAP server at first, and contact another one next if the first LDAP server fails to respond.

    Quote Originally Posted by Klug:
    Considering your setup, if one of the mailbox server is down, half (or so) of your users won't be able to connect anyway.
    Well, the load balancer will redirect the requests toward the other mailbox server; everybody will have a degraded service, but it will *work* for everyone.

    Quote Originally Posted by Klug:
    What is the use of the memcached service on the mailbox/LDAP servers? AFAIK it's used by zimbra-proxy only.
    I did not understand that only the proxy was using memcached, thanks for the info!

    Quote Originally Posted by Klug:
    What is the outgoing mailflow from the mailbox servers?
    We have an SMTP server hosted somewhere at an ISP; this part is not configured yet.

    Thank you both for your answers!

    EDIT: FYI, I strictly followed this tutorial to set up the LDAP replication:
    LDAP Replication Installation
    When applying the final configuration, I get this error message:
    Code:
    [zimbra@mta01 ~] zmcontrol start
    Host mta01
    Unable to determine enabled services from ldap.
    Enabled services read from cache. Service list may be inaccurate.
    Starting ZMconfigd...Done.
    [...]

  5. #5
    phoenix, Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,587
    Rep Power
    58


    Quote Originally Posted by tpouzet:
    Code:
    [zimbra@mta01 ~] zmcontrol start
    Host mta01
    Unable to determine enabled services from ldap.
    Enabled services read from cache. Service list may be inaccurate.
    Starting ZMconfigd...Done.
    [...]
    That would indicate that it can't look up the DNS name of your server; you either have a DNS problem or an incorrect /etc/hosts file.
    Regards
    Bill

  6. #6
    Join Date
    Sep 2012
    Posts
    9
    Rep Power
    3


    On each server I have an /etc/hosts file that looks like the following, with nameofserver being mta01, mta02, mailbox01 or mailbox02 depending on where we are:
    Code:
    192.168.0.x nameofserver.office.foo.bar
    (I read that I must have only the FQDN inside this file)

    I also configured a DNS server (named) on mailbox01, and configured the /etc/resolv.conf file on every server with mailbox01's IP address inside:
    Code:
    nameserver 192.168.0.1
    Furthermore, nslookup and dig seem to work fine:
    Code:
    [root@mta01 ~]# nslookup mailbox01.office.foo.bar
    Server:         192.168.0.1
    Address:        192.168.0.1#53
    
    Name:   mailbox01.office.foo.bar
    Address: 192.168.0.1
    Code:
    [root@mta01 ~]# dig mailbox01.office.foo.bar
    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.2 <<>> mailbox01.office.foo.bar
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35292
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
    
    ;; QUESTION SECTION:
    ;mailbox01.office.foo.bar.     IN      A
    
    ;; ANSWER SECTION:
    mailbox01.office.foo.bar. 86400 IN     A       192.168.0.1
    
    ;; AUTHORITY SECTION:
    foo.bar.            86400   IN      NS      dns.office.foo.bar.
    
    ;; ADDITIONAL SECTION:
    dns.office.foo.bar.    86400   IN      A       192.168.0.1
    
    ;; Query time: 0 msec
    ;; SERVER: 192.168.0.1#53(192.168.0.1)
    ;; WHEN: Mon Sep 10 14:20:58 2012
    ;; MSG SIZE  rcvd: 93
    Code:
    [root@mta01 ~]# dig mailbox02.office.foo.bar
    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.2 <<>> mailbox02.office.foo.bar
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16162
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
    
    ;; QUESTION SECTION:
    ;mailbox02.office.foo.bar.     IN      A
    
    ;; ANSWER SECTION:
    mailbox02.office.foo.bar. 86400 IN     A       192.168.0.2
    
    ;; AUTHORITY SECTION:
    foo.bar.            86400   IN      NS      dns.office.foo.bar.
    
    ;; ADDITIONAL SECTION:
    dns.office.foo.bar.    86400   IN      A       192.168.0.1
    
    ;; Query time: 0 msec
    ;; SERVER: 192.168.0.1#53(192.168.0.1)
    ;; WHEN: Mon Sep 10 14:25:40 2012
    ;; MSG SIZE  rcvd: 93
    Where did I go wrong here? It seems to work like a charm.

  7. #7
    Join Date
    Sep 2012
    Posts
    9
    Rep Power
    3


    I fixed my problem, although I feel there is something weird there. When I installed the servers, I had errors stating that I had to fix my /etc/hosts file. They were in the format:
    Code:
    192.168.0.x nameofserver nameofserver.office.foo.bar
    So I did some tests, and I could make it work by having the following format (notice the nameofserver entry missing):
    Code:
    192.168.0.x nameofserver.office.foo.bar
    However, both of those syntaxes are wrong, even if I could successfully install the servers. Here is what I should have had from the beginning:
    Code:
    192.168.0.x nameofserver.office.foo.bar nameofserver
    Now I do not have the errors when starting the MTAs.

  8. #8
    Join Date
    Sep 2006
    Location
    477 Congress Street | Portland, ME 04101
    Posts
    1,374
    Rep Power
    11


    The installation guide points out that /etc/hosts must contain at a minimum:

    Code:
    127.0.0.1  localhost.localdomain localhost
    192.168.0.x  nameofserver.office.foo.bar nameofserver
    Sorry you spent so much time discovering that by trial and error, but glad it is working for you now.

    Mark
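As an added example that is not part of the thread and not Zimbra's own tooling, a small POSIX shell check for the two rules the thread settles on: ldap_url lists the master last and ldap_master_url names only the master (posts #2 and #3), and the server's own /etc/hosts line reads IP, FQDN, short name (posts #7 and #8). The function names, sample hostnames and addresses are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from Zimbra): checks for the two rules
# this thread converges on. All hostnames, IPs and values are constructed.

# Rule from #3: ldap_url is a space-separated list and the master must be last;
# rule from #2: ldap_master_url points at the master only.
check_ldap_urls() {
    ldap_url=$1          # e.g. "ldap://replica:389 ldap://master:389"
    ldap_master_url=$2   # e.g. "ldap://master:389"
    set -- $ldap_master_url
    [ $# -eq 1 ] || { echo "ldap_master_url must hold exactly one URL"; return 1; }
    master=$1
    last=""
    for u in $ldap_url; do
        case $u in
            ldap://*|ldaps://*) ;;
            *) echo "not an LDAP URL: $u"; return 1 ;;
        esac
        last=$u
    done
    [ -n "$last" ] || { echo "ldap_url is empty"; return 1; }
    [ "$last" = "$master" ] ||
        { echo "master $master must be the last ldap_url entry (last is $last)"; return 1; }
    return 0
}

# Rule from #8: the server's /etc/hosts line is "IP FQDN shortname" (extra
# aliases after the short name are tolerated).
check_hosts_line() {
    line=$1   # one /etc/hosts line
    fqdn=$2   # this server's FQDN
    short=${fqdn%%.*}
    set -- $line
    [ $# -ge 3 ] || { echo "need at least IP, FQDN and short name"; return 1; }
    case $1 in
        *.*.*.*) ;;
        *) echo "first field should be an IPv4 address: $1"; return 1 ;;
    esac
    [ "$2" = "$fqdn" ] || { echo "FQDN $fqdn must follow the IP, got $2"; return 1; }
    [ "$3" = "$short" ] || { echo "short name $short must follow the FQDN, got $3"; return 1; }
    return 0
}

# Demo with constructed values mirroring the thread.
check_ldap_urls "ldap://mailbox02.office.foo.bar:389 ldap://mailbox01.office.foo.bar:389" \
    "ldap://mailbox01.office.foo.bar:389" && echo "ldap_url ordering OK"
check_hosts_line "192.168.0.3 mta01 mta01.office.foo.bar" "mta01.office.foo.bar" \
    || echo "the original hosts format is rejected, as in post #7"
```

On a real host, pass the values shown by zmlocalconfig for ldap_url and ldap_master_url, and the line from /etc/hosts that carries the host's own address.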
