#1
12-16-2009, 09:52 AM
Member, Posts: 12
External LDAP authentication - failover

All,

I have 3 external LDAP servers for my domain, and I'd like Zimbra to be able to use all of them for authentication. Ideally, I'd like Zimbra to round-robin the queries between the 3 servers like the rest of my LDAP clients do, but I can live with "try the first, then fall back to the second, then the third" behavior. I have configured the Zimbra external authentication with my 3 servers, but when I put in an iptables rule to simulate a failure of my first LDAP server, authentication in Zimbra just times out waiting for the response from the first. Is there some directive I'm missing to get failover and/or round-robin working?

Thanks!

Josh
#2
12-16-2009, 01:37 PM
Loyal Member, Posts: 83

Hi,

Would you not be able to do this with DNS round robin?
But that would mean that the client would have to try to reconnect on failure, which I take it is not happening.

Cheers
Heinzg
#3
12-16-2009, 01:40 PM
Member, Posts: 12

Zimbra has the option to add additional external authentication URLs. Should I be using DNS round robin and entering my single round robin host? Or should I use the additional URLs?

The specific problem is that when my first configured LDAP server URL is not available, the client sees an authentication failure error (after what appears to be a timeout delay) when connecting either via the web interface or via IMAP.

Regards,

Josh
#4
12-16-2009, 02:58 PM
y@w, Moderator, Posts: 658

Quote:
Originally Posted by JoshUCSC
Zimbra has the option to add additional external authentication URLs. Should I be using DNS round robin and entering my single round robin host? Or should I use the additional URLs?

The specific problem is that when my first configured LDAP server URL is not available, the client sees an authentication failure error (after what appears to be a timeout delay) when connecting either via the web interface or via IMAP.

Regards,

Josh
DNS round-robin wouldn't really help as the record would get cached and you would have to take the failed host out of DNS, flush the cache, and re-query in order to get up and running again in a failure.

You may want to do something more like HAProxy on your LDAP hosts so it handles the load-balancing and fail-over for you. Then, Zimbra and other applications that use those LDAP servers only have to look to one hostname/IP.


It looks like there is some sort of LDAP auth failover built into Zimbra (Bug 21866 – Configurable LDAP connection timeout for GAL and Auth), but maybe there's a bug with the failover? Also, I'm not sure if Zimbra marks a host as 'dead' when it finally does time out and stops trying that host on subsequent requests or how that is handled.
#5
12-16-2009, 03:08 PM
Member, Posts: 12
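The two open questions in the reply above (does a timed-out LDAP server get a hard connect timeout, and is it marked dead so later requests skip it) are a policy an LDAP client can implement on its own side. What follows is an added example written for this page, not Zimbra's code and not a statement of how Zimbra actually behaves; the hostnames, the 3 s connect timeout and the 60 s quarantine are assumed values. The connector function is injectable so the simulated outage runs offline, while `tcp_connect` is what you would pass in against real servers.

```python
"""Client-side LDAP URL failover: round-robin or ordered selection, a hard
per-host connect timeout, and a quarantine for hosts that failed so that
later requests do not wait on them again.  Added example, not Zimbra code."""
import socket
import time
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

# Assumed hostnames, standing in for the three servers in the thread.
URLS = ["ldap://ldap1.example.edu",
        "ldap://ldap2.example.edu:389",
        "ldaps://ldap3.example.edu"]


def parse_ldap_url(url):
    """Return (host, port) for an ldap:// or ldaps:// URL."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("not an LDAP URL: %r" % url)
    return parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme]


def tcp_connect(host, port, timeout):
    """Real connector: TCP connect bounded by `timeout`.  Without a bound, a
    host whose packets are DROPped waits out the kernel's SYN retries."""
    sock = socket.create_connection((host, port), timeout=timeout)
    sock.close()
    return True


class LdapFailover:
    def __init__(self, urls, connect=tcp_connect, timeout=3.0,
                 quarantine=60.0, round_robin=True, clock=time.monotonic):
        self.urls = [(u, parse_ldap_url(u)) for u in urls]
        self.connect = connect          # callable(host, port, timeout)
        self.timeout = timeout
        self.quarantine = quarantine    # seconds a failed host is skipped
        self.round_robin = round_robin  # False = always try urls in order
        self.clock = clock
        self.dead_until = {}            # url -> clock value to retry after
        self._next = 0

    def candidates(self):
        """Order to try on this request: rotate the start for round robin."""
        n = len(self.urls)
        start = self._next if self.round_robin else 0
        if self.round_robin:
            self._next = (self._next + 1) % n
        return [self.urls[(start + i) % n] for i in range(n)]

    def acquire(self):
        """Return the first URL that accepts a connection.  Quarantined hosts
        are skipped, hosts that fail are quarantined, and ConnectionError is
        raised only when every server is unavailable."""
        now = self.clock()
        errors = []
        for url, (host, port) in self.candidates():
            if self.dead_until.get(url, 0) > now:
                errors.append("%s: quarantined" % url)
                continue
            try:
                self.connect(host, port, self.timeout)
                return url
            except OSError as exc:      # socket.timeout is an OSError
                self.dead_until[url] = now + self.quarantine
                errors.append("%s: %s" % (url, exc))
        raise ConnectionError("all LDAP servers failed: " + "; ".join(errors))


def simulate(down):
    """Constructed connector: hosts in `down` behave like a DROP rule."""
    def fake_connect(host, port, timeout):
        if host in down:
            raise socket.timeout("connect to %s:%d timed out after %.0fs"
                                 % (host, port, timeout))
        return True
    return fake_connect


def demo(down=("ldap1.example.edu",), calls=4, round_robin=True):
    """Run `calls` authentications with `down` unreachable and return the
    URL each one used; a fixed clock keeps the quarantine from expiring."""
    fo = LdapFailover(URLS, connect=simulate(set(down)), round_robin=round_robin,
                      clock=lambda: 0.0)
    return [fo.acquire() for _ in range(calls)]


if __name__ == "__main__":
    print(demo())                   # ldap1 fails once, then is skipped
    print(demo(round_robin=False))  # ordered: always ldap2 while ldap1 is out
```

With round robin the first request pays the 3 s timeout on ldap1 once and lands on ldap2; subsequent requests rotate between ldap2 and ldap3 until the quarantine elapses and ldap1 is probed again. With `round_robin=False` you get the "first, then second, then third" behaviour, still paying the timeout only once per quarantine window rather than on every login.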

I just used iptables to simulate a failure of my primary LDAP server, and tried to log in to my Zimbra server's web interface. I got this error message after about 60 seconds:

???remote.TIMEOUT???

It seems like I've got different behavior than the bug. :-(