Zimbra LDAP cache / replication?

[batfastad]

Hi everyone

I've just started messing about with the NE trial, we're a small business of 12 users.
I've got my eyes on some pretty cool zimlets to integrate our intranet database system (apache/php/mysql) but I'm looking to set up our intranet so Apache auths against Zimbra's LDAP service. I've heard this should be possible as there's a few Apache LDAP modules out there.

But here's my question... if the Zimbra box fails for any reason, or the LDAP service stops, then users won't be able to access our intranet DB.

Is there a way I can set up another machine (VM) just to act as an LDAP cache in case Zimbra goes down for whatever reason?

Cheers, B

[veronica]

You can install a replica server and have a load balancer handling the requests. If one server goes down other will still answer queries.

[batfastad]

Sounds a bit overkill for our usage.
I was just wondering if there's anyway to just have a small VM running OpenLDAP to replica/cache the Zimbra OpenLDAP.
I'll probably leave it alone then as I don't fancy setting up a whole additional Zimbra machine just for that. We're only a small business of 12 users.

Cheers, B

[veronica]

> I was just wondering if there's anyway to just have a small VM running OpenLDAP to replica/cache the Zimbra OpenLDAP.

This is same as setting replica server as i mentioned. Unless you setup replica with syncprov, its hard for me to understand how you will carry out replication.

[LMStone]

I was just wondering if there's anyway to just have a small VM running OpenLDAP to replica/cache the Zimbra OpenLDAP.

We're only a small business of 12 users.

Cheers, B

Veronica's suggestion to have a load balancer may be overkill for you, but her suggestion to set up a Zimbra LDAP replica server I think may be just what you need.

It's easy to set up and maintain (much more so than a plain OpenLDAP replica), and having a separate LDAP replica for your Apache server to query will also give you more flexibility for firewalling the LDAP replica away from the Apache server.

Hope that helps,
Mark

[batfastad]

Ok this is interesting. So would I just go through a normal Zimbra install, but only choosing Zimbra LDAP?
How do I then set that as a replica/backup?

Turns out this all might be in vain as I'm struggling to get Apache to auth against our Zimbra server. Pretty sure I'm constructing the LDAP url incorrectly.
Once I've got that going then I'll look into creating the replica server

Cheers, B

[LMStone]

The Zimbra Multi-Server Guide has a whole section devoted to configuring LDAP replication...

Hope that helps,
Mark

[batfastad]

Hi guys

Sorry to resurrect a really old thread, but I'm finally getting round to possibly going for this. Sounds like a great solution to be able to auth Apache/PHP and ProFTPD against a Zimbra LDAP replica. Not for single sign-on as such, but at least so users can use the same credentials.

A quick question...

Currently our Zimbra server has LDAPS activated, so LDAP is running on port 636.
After reading this Wikipedia entry for LDAP... LDAP - Wikipedia, the free encyclopedia

A common alternate method of securing LDAP communication is using an SSL tunnel. This is denoted in LDAP URLs by using the URL scheme "ldaps". The default port for LDAP over SSL is 636. The use of LDAP over SSL was common in LDAP Version 2 (LDAPv2) but it was never standardized in any formal specification. This usage has been deprecated along with LDAPv2, which was officially retired in 2003.

From reading the official docs and the wiki it seems like the replication setup process creates SSH keys for the replication anyway, so all should be secure between the 2 servers.

As it goes both servers will be on our LAN. The only reason I changed our Zimbra machine to LDAPS was so I could try Thunderbird auto-complete from an LDAP directory for remote users. Turns out the settings were a pain to get users to configure themselves so I never really took it any further.

So should I ditch the current LDAP SSL setting before trying to mess about with replication?

Cheers, B

[batfastad]

Hi guys

I was just about try disabling LDAPS on our zimbra server.
Found this guide in the wiki... How to enable ldaps - Zimbra :: Wiki

So do I just need to change those commands to read:

Code:

su - zimbra
zmlocalconfig -e ldap_master_url=ldap://mymaster.somewhere.com:389
zmlocalconfig -e ldap_url=ldap://myreplica.somewhere.com:389
zmlocalconfig -e ldap_starttls_supported=0
zmlocalconfig -e ldap_port=389

What should I change ldap_starttls_supported to?
Do I need to set ldap_url even if I don't have a replica?

Cheers, B

[batfastad]

Took a gamble and changed...
ldap_url to be the same as ldap_master_url
ldap_starttls_supported = 1

LDAP seemed to restart ok after that.
So hopefully LDAPS should now be disabled, which I feel is better since it was never part of an official standard anyway.

Now on to LDAP replication.

Cheers, B