External LDAP overload: How to cache LDAP authentications?

vdagost-fr
Posts: 43
Joined: Mon Apr 11, 2016 11:59 am

External LDAP overload: How to cache LDAP authentications?

Postby vdagost-fr » Tue Oct 17, 2017 12:21 pm

Hello,

I run a Zimbra 8.7.3 platform with 11K users using Thunderbird and ActiveSync.

Our OpenLDAP server is overloaded by BIND operations from the Zimbra stores (8 stores).

How can I, server side, limit or cache LDAP authentications?

Regards,
Victor


vdagost-fr
Posts: 43
Joined: Mon Apr 11, 2016 11:59 am

Re: External LDAP overload: How to cache LDAP authentications?

Postby vdagost-fr » Wed Oct 18, 2017 8:27 am

Hello,

Any idea?

Victor
phoenix
Ambassador
Posts: 26699
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: External LDAP overload: How to cache LDAP authentications?

Postby phoenix » Wed Oct 18, 2017 8:51 am

Why do you not use LDAP replicas or LDAP MMR?
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
L. Mark Stone
Elite member
Posts: 2187
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 8.8.15 Network Edition

Re: External LDAP overload: How to cache LDAP authentications?

Postby L. Mark Stone » Wed Oct 18, 2017 1:43 pm

vdagost-fr wrote:
Hello,

I run a Zimbra 8.7.3 platform with 11K users using Thunderbird and ActiveSync.

Our OpenLDAP server is overloaded by BIND operations from the Zimbra stores (8 stores).

How can I, server side, limit or cache LDAP authentications?

Regards,
Victor


Hi Victor,

As Phoenix advised, you'd be better off using multiple LDAP servers to handle the load. But your subject line says "External OpenLDAP servers", so it's not clear whether you are talking about Zimbra LDAP servers or whether you have Zimbra authenticating to a truly external OpenLDAP server.

If it's all Zimbra LDAP, I'd suggest configuring two more LDAP servers, as traditional LDAP replicas (do not use LDAP MMR).

On your mailbox stores, the localconfig variable ldap_master_url directs the mailbox server to the LDAP server for writes. The localconfig variable ldap_url controls which LDAP servers the mailbox servers will use for reads. Essentially, the strategy is to keep the write traffic (not a lot, except for ephemeral data) on the master, and keep all the read (auth traffic) requests on the replicas.

If you need help setting up LDAP replication, just post (there are plenty of wiki articles plus the Admin Guide). But assuming you can get LDAP replicas set up on your own, then once you are done things could look like this:

LDAP Servers:
ldap-master.yourdomain.tld
ldap-replica1.yourdomain.tld
ldap-replica2.yourdomain.tld

On your first four mailbox servers:
ldap_master_url = ldap://ldap-master.yourdomain.tld:389
ldap_url = ldap://ldap-replica1.yourdomain.tld:389 ldap://ldap-replica2.yourdomain.tld:389 ldap://ldap-master.yourdomain.tld:389

On the second block of four mailbox servers:
ldap_master_url = ldap://ldap-master.yourdomain.tld:389
ldap_url = ldap://ldap-replica2.yourdomain.tld:389 ldap://ldap-replica1.yourdomain.tld:389 ldap://ldap-master.yourdomain.tld:389

If you do have external OpenLDAP, you'll need to beef up your external OpenLDAP environment, but when you configure Domain Authentication within Zimbra, you can add more external servers.

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
Zeta Alliance http://www.zetalliance.org/
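A way to generate the per-store localconfig values Mark describes, rotating which replica each block of stores tries first and keeping the master last as a fallback, as an added example that is not from the thread and not Zimbra's own code. The host names are placeholders, the `zmlocalconfig -e` commands are printed rather than executed, and the validator flags any ldap_url entry that is not a full `ldap://` or `ldaps://` URL, since a bare `host:389` is easy to type and silently wrong.

```python
"""Plan ldap_master_url / ldap_url per mailbox server so that auth (read)
traffic is spread across LDAP replicas and the master is only a fallback.
Added example, not Zimbra's own code; host names are placeholders."""
from urllib.parse import urlparse

MASTER = "ldap-master.yourdomain.tld"  # placeholder hosts
REPLICAS = ["ldap-replica1.yourdomain.tld", "ldap-replica2.yourdomain.tld"]
STORES = [f"mbx{i}.yourdomain.tld" for i in range(1, 9)]  # the 8 mailbox stores


def ldap_url_entry(host, port=389, scheme="ldap"):
    """One ldap_url entry; Zimbra expects a full URL, not a bare host:port."""
    return f"{scheme}://{host}:{port}"


def plan_ldap_urls(stores, master, replicas, group_size=4):
    """Return {store: (ldap_master_url, ldap_url)}.

    Stores are split into blocks of `group_size`; each block starts its
    replica list at a different replica, so no single replica is the first
    choice of every store.  The master is appended last so reads still work
    if every replica is down."""
    if not replicas:
        raise ValueError("at least one replica is needed to offload reads")
    plan = {}
    for i, store in enumerate(stores):
        k = (i // group_size) % len(replicas)
        order = replicas[k:] + replicas[:k]          # rotate the preference list
        read_urls = [ldap_url_entry(h) for h in order] + [ldap_url_entry(master)]
        plan[store] = (ldap_url_entry(master), " ".join(read_urls))
    return plan


def validate_ldap_url(value):
    """Return the entries of a space-separated ldap_url that are not
    well-formed ldap:// or ldaps:// URLs with a host and a port."""
    bad = []
    for entry in value.split():
        u = urlparse(entry)
        try:
            ok = u.scheme in ("ldap", "ldaps") and bool(u.hostname) and bool(u.port)
        except ValueError:  # non-numeric port
            ok = False
        if not ok:
            bad.append(entry)
    return bad


def zmlocalconfig_commands(master_url, read_url):
    """Commands to apply on one store (printed here, not executed)."""
    return [f'zmlocalconfig -e ldap_master_url="{master_url}"',
            f'zmlocalconfig -e ldap_url="{read_url}"']


if __name__ == "__main__":
    for store, (master_url, read_url) in plan_ldap_urls(STORES, MASTER, REPLICAS).items():
        assert not validate_ldap_url(read_url)
        print(f"# {store}")
        for cmd in zmlocalconfig_commands(master_url, read_url):
            print(cmd)
```

Run it once to review the plan, then paste each store's two commands on that store as the zimbra user; the new values apply when mailboxd is restarted. Feeding the value from an existing store (`zmlocalconfig ldap_url`) into `validate_ldap_url` is a quick way to catch entries that lost their scheme when copied between hosts.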
vdagost-fr
Posts: 43
Joined: Mon Apr 11, 2016 11:59 am

Re: External LDAP overload: How to cache LDAP authentications?

Postby vdagost-fr » Wed Oct 18, 2017 2:41 pm

Hello,

The internal Zimbra openldap servers are fine.

It is an external OpenLDAP server, used for authentication, which is overloaded.

I was thinking Zimbra may have a caching mechanism like saslauthd.
If not, I think the best solution is to set up an OpenLDAP cluster to manage authentication (Zimbra is not the only service using the external OpenLDAP).

Regards,
Victor
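Before choosing between a credential cache and an OpenLDAP cluster, it helps to measure where the BIND load comes from and how much of it is repeats of the same user. The following is an added example, not from the thread and not OpenLDAP or Zimbra code: it parses slapd `stats`-level syslog lines, attributes each BIND to the client IP from the connection's ACCEPT line, counts successes and failures per client and per DN, and estimates how many binds a short-TTL credential cache (the kind saslauthd provides) would have answered locally. The log lines are constructed for the example; on a real server, feed it the slapd log instead.

```python
"""Attribute slapd BIND operations to client IPs and DNs, and estimate how
many a short-TTL credential cache would have absorbed.
Added example, not from the thread and not OpenLDAP or Zimbra code; the log
lines are constructed to match slapd's 'stats' loglevel syslog format."""
import re
from collections import Counter
from datetime import datetime

TS_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)")
ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=(\[[^\]]+\]|[\d.]+):\d+")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=\d+')
# tag=97 is a BindResponse, so this RESULT closes a BIND, not a search
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")

# Constructed sample: three simple binds for alice from one store, one failed
# bind for bob from another, and a bind on a connection accepted before the
# log window started (no ACCEPT line, so its client is unknown).
SAMPLE_LOG = """\
Oct 18 08:27:01 ldap1 slapd[1234]: conn=1001 fd=20 ACCEPT from IP=10.0.1.11:49812 (IP=0.0.0.0:389)
Oct 18 08:27:01 ldap1 slapd[1234]: conn=1001 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
Oct 18 08:27:01 ldap1 slapd[1234]: conn=1001 op=0 RESULT tag=97 err=0 text=
Oct 18 08:27:01 ldap1 slapd[1234]: conn=1001 op=1 UNBIND
Oct 18 08:27:01 ldap1 slapd[1234]: conn=1001 fd=20 closed
Oct 18 08:27:02 ldap1 slapd[1234]: conn=1002 fd=21 ACCEPT from IP=10.0.1.11:49813 (IP=0.0.0.0:389)
Oct 18 08:27:02 ldap1 slapd[1234]: conn=1002 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
Oct 18 08:27:02 ldap1 slapd[1234]: conn=1002 op=0 RESULT tag=97 err=0 text=
Oct 18 08:27:02 ldap1 slapd[1234]: conn=1003 fd=22 ACCEPT from IP=10.0.1.12:50001 (IP=0.0.0.0:389)
Oct 18 08:27:02 ldap1 slapd[1234]: conn=1003 op=0 BIND dn="uid=bob,ou=people,dc=example,dc=com" method=128
Oct 18 08:27:02 ldap1 slapd[1234]: conn=1003 op=0 RESULT tag=97 err=49 text=
Oct 18 08:27:03 ldap1 slapd[1234]: conn=1004 fd=23 ACCEPT from IP=10.0.1.11:49814 (IP=0.0.0.0:389)
Oct 18 08:27:03 ldap1 slapd[1234]: conn=1004 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
Oct 18 08:27:03 ldap1 slapd[1234]: conn=1004 op=0 RESULT tag=97 err=0 text=
Oct 18 08:27:03 ldap1 slapd[1234]: conn=998 op=4 BIND dn="uid=carol,ou=people,dc=example,dc=com" method=128
Oct 18 08:27:03 ldap1 slapd[1234]: conn=998 op=4 RESULT tag=97 err=0 text=
"""


def parse_bind_events(lines):
    """Return [(timestamp, client_ip, dn, err)] for every completed BIND.
    The client IP comes from the connection's ACCEPT line; connections whose
    ACCEPT predates the log window are reported as 'unknown'."""
    conn_ip, pending, events = {}, {}, []
    for line in lines:
        m = ACCEPT_RE.search(line)
        if m:
            conn_ip[m.group(1)] = m.group(2)
            continue
        m = BIND_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m:
            dn = pending.pop((m.group(1), m.group(2)), None)
            if dn is None:
                continue  # BindResponse for a BIND we never saw
            ts = TS_RE.match(line)
            when = datetime.strptime(ts.group(1), "%b %d %H:%M:%S") if ts else None
            events.append((when, conn_ip.get(m.group(1), "unknown"), dn, int(m.group(3))))
    return events


def summarize(events):
    """Per-client and per-DN BIND counts; err=49 is invalidCredentials."""
    return {
        "binds_per_client": Counter(ip for _, ip, _, _ in events),
        "failed_per_client": Counter(ip for _, ip, _, err in events if err != 0),
        "binds_per_dn": Counter(dn for _, _, dn, err in events if err == 0),
    }


def cacheable_binds(events, window_seconds=60):
    """Successful binds that repeat for the same DN within `window_seconds`
    of a cache miss: the share a credential cache with that TTL would serve
    locally instead of sending another BIND to the LDAP server."""
    last_miss, hits = {}, 0
    for when, _, dn, err in sorted((e for e in events if e[0]), key=lambda e: e[0]):
        if err != 0:
            continue
        prev = last_miss.get(dn)
        if prev is not None and (when - prev).total_seconds() <= window_seconds:
            hits += 1
        else:
            last_miss[dn] = when  # entry (re)inserted, TTL starts now
    return hits


if __name__ == "__main__":
    ev = parse_bind_events(SAMPLE_LOG.splitlines())
    s = summarize(ev)
    print("binds per client:", s["binds_per_client"].most_common())
    print("failed per client:", s["failed_per_client"].most_common())
    print("cacheable within 60s:", cacheable_binds(ev), "of", len(ev))
```

A high per-client count concentrated on the Zimbra store addresses, with the same DNs binding again within seconds, is the pattern a short-TTL cache or a replica set would absorb; a high failed count from one client is a different problem (a misconfigured client or a password-guessing source) and is worth looking at on its own.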
