Thread: External LDAP authentication - failover

  1. #1
    JoshUCSC

    All,

    I have 3 external LDAP servers for my domain, and I'd like Zimbra to be able to use all of them for authentication. Ideally, I'd like Zimbra to round-robin the queries between the 3 servers like the rest of my LDAP clients do, but I can live with "try the first, then fall back to the second, then the third" behavior. I have configured the Zimbra external authentication with my 3 servers, but when I put in an iptables rule to simulate a failure of my first LDAP server, authentication in Zimbra just times out waiting for the response from the first. Is there some directive I'm missing to get failover and/or round-robin working?

    Thanks!

    Josh

  2. #2
    heinzg

    Hi,

    Would you not be able to do this with DNS round robin?
    But that would mean that the client would have to try to reconnect on failure, which I take it is not happening.

    Cheers
    Heinzg

  3. #3
    JoshUCSC

    Zimbra has the option to add additional external authentication URLs. Should I be using DNS round robin and entering my single round robin host? Or should I use the additional URLs?

    The specific problem is that when my first configured LDAP server URL is not available, the client sees an authentication failure error (after what appears to be a timeout delay) when connecting either via the web interface or via IMAP.

    Regards,

    Josh

  4. #4
    y@w

    Originally posted by JoshUCSC:

        Zimbra has the option to add additional external authentication URLs. Should I be using DNS round robin and entering my single round robin host? Or should I use the additional URLs?

        The specific problem is that when my first configured LDAP server URL is not available, the client sees an authentication failure error (after what appears to be a timeout delay) when connecting either via the web interface or via IMAP.

        Regards,

        Josh

    DNS round-robin wouldn't really help as the record would get cached and you would have to take the failed host out of DNS, flush the cache, and re-query in order to get up and running again in a failure.

    You may want to do something more like HAProxy on your LDAP hosts so it handles the load-balancing and fail-over for you. Then, Zimbra and other applications that use those LDAP servers only have to look to one hostname/IP.


    It looks like there is some sort of LDAP auth failover built into Zimbra (Bug 21866 – Configurable LDAP connection timeout for GAL and Auth), but maybe there's a bug with the failover? Also, I'm not sure if Zimbra marks a host as 'dead' when it finally does time out and stops trying that host on subsequent requests or how that is handled.

  5. #5
    JoshUCSC

    I just used iptables to simulate a failure of my primary LDAP server, and tried to log in to my Zimbra server's web interface. I got this error message after about 60 seconds:

    ???remote.TIMEOUT???

    It seems like I've got different behavior than the bug. :-(
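
The behaviour discussed in posts #4 and #5 (a short per-server connect timeout, ordered fallback, and marking a failed host "dead" so later requests skip it), as an added example that is not Zimbra's code and not from any poster. The class name, the 3-second timeout and the 30-second cooldown are assumptions chosen for illustration.

```python
import socket
import time
from urllib.parse import urlparse

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


class LdapFailover:
    """Pick the first reachable LDAP URL, skipping hosts that failed recently."""

    def __init__(self, urls, connect_timeout=3.0, dead_for=30.0, clock=time.monotonic):
        self.urls = list(urls)
        self.connect_timeout = connect_timeout  # seconds to wait per server, not 60
        self.dead_for = dead_for                # seconds a failed server is skipped
        self.clock = clock
        self.dead_until = {}                    # url -> time it may be retried

    def _reachable(self, url):
        parts = urlparse(url)
        port = parts.port or DEFAULT_PORTS[parts.scheme]
        try:
            # TCP connect only; a real client would go on to bind over this socket.
            with socket.create_connection((parts.hostname, port), self.connect_timeout):
                return True
        except OSError:  # covers a timeout (packets dropped) and a refused connection
            return False

    def pick(self):
        """Return the first usable URL in configured order, or None if all fail."""
        now = self.clock()
        live = [u for u in self.urls if self.dead_until.get(u, 0) <= now]
        # If every server is marked dead, probe them all again instead of giving up.
        for url in live or self.urls:
            if self._reachable(url):
                self.dead_until.pop(url, None)
                return url
            self.dead_until[url] = self.clock() + self.dead_for
        return None
```

With an iptables DROP rule on the first server, the first login after the failure waits at most `connect_timeout` before moving on, and logins during the cooldown go straight to the next server.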
