Thread: Zimbra LDAP cache / replication?

  1. #1 batfastad

    Hi everyone

    I've just started messing about with the NE trial; we're a small business of 12 users.
    I've got my eyes on some pretty cool zimlets to integrate our intranet database system (Apache/PHP/MySQL), but I'm looking to set up our intranet so Apache auths against Zimbra's LDAP service. I've heard this should be possible as there are a few Apache LDAP modules out there.

    But here's my question... if the Zimbra box fails for any reason, or the LDAP service stops, then users won't be able to access our intranet DB.

    Is there a way I can set up another machine (VM) just to act as an LDAP cache in case Zimbra goes down for whatever reason?

    Cheers, B

  2. #2 veronica

    You can install a replica server and have a load balancer handling the requests. If one server goes down, the other will still answer queries.

  3. #3 batfastad

    Sounds a bit overkill for our usage.
    I was just wondering if there's any way to just have a small VM running OpenLDAP to replicate/cache the Zimbra OpenLDAP.
    I'll probably leave it alone then as I don't fancy setting up a whole additional Zimbra machine just for that. We're only a small business of 12 users.

    Cheers, B

  4. #4 veronica

    > I was just wondering if there's any way to just have a small VM running OpenLDAP to replicate/cache the Zimbra OpenLDAP.

    This is the same as setting up a replica server, as I mentioned. Unless you set up a replica with syncprov, it's hard for me to understand how you will carry out replication.

  5. #5 LMStone

    > I was just wondering if there's any way to just have a small VM running OpenLDAP to replicate/cache the Zimbra OpenLDAP.
    >
    > We're only a small business of 12 users.
    >
    > Cheers, B

    Veronica's suggestion to have a load balancer may be overkill for you, but her suggestion to set up a Zimbra LDAP replica server I think may be just what you need.

    It's easy to set up and maintain (much more so than a plain OpenLDAP replica), and having a separate LDAP replica for your Apache server to query will also give you more flexibility for firewalling the LDAP replica away from the Apache server.

    Hope that helps,
    Mark

  6. #6 batfastad

    OK, this is interesting. So would I just go through a normal Zimbra install, but only choosing Zimbra LDAP?
    How do I then set that as a replica/backup?

    Turns out this all might be in vain, as I'm struggling to get Apache to auth against our Zimbra server. Pretty sure I'm constructing the LDAP URL incorrectly.
    Once I've got that going, I'll look into creating the replica server.

    Cheers, B

  7. #7 LMStone

    The Zimbra Multi-Server Guide has a whole section devoted to configuring LDAP replication...

    Hope that helps,
    Mark

  8. #8 batfastad

    Hi guys

    Sorry to resurrect a really old thread, but I'm finally getting round to possibly going for this. Sounds like a great solution to be able to auth Apache/PHP and ProFTPD against a Zimbra LDAP replica. Not for single sign-on as such, but at least so users can use the same credentials.

    A quick question...

    Currently our Zimbra server has LDAPS activated, so LDAP is running on port 636.
    After reading this Wikipedia entry for LDAP (LDAP - Wikipedia, the free encyclopedia):

    > A common alternate method of securing LDAP communication is using an SSL tunnel. This is denoted in LDAP URLs by using the URL scheme "ldaps". The default port for LDAP over SSL is 636. The use of LDAP over SSL was common in LDAP Version 2 (LDAPv2) but it was never standardized in any formal specification. This usage has been deprecated along with LDAPv2, which was officially retired in 2003.

    From reading the official docs and the wiki it seems like the replication setup process creates SSH keys for the replication anyway, so all should be secure between the 2 servers.

    As it goes both servers will be on our LAN. The only reason I changed our Zimbra machine to LDAPS was so I could try Thunderbird auto-complete from an LDAP directory for remote users. Turns out the settings were a pain to get users to configure themselves so I never really took it any further.

    So should I ditch the current LDAP SSL setting before trying to mess about with replication?

    Cheers, B
    My Zimbra Bugs Wishlist: 16411, 24567, 35676, 36430, 37770, 41872, 43733, 44384, 46383, 47759
    And a way to associate mailto: handlers with a Zimbra Prism webapp

  9. #9 batfastad

    Hi guys

    I was just about to try disabling LDAPS on our Zimbra server.
    Found this guide in the wiki... How to enable ldaps - Zimbra :: Wiki

    So do I just need to change those commands to read:
    Code:
    su - zimbra
    zmlocalconfig -e ldap_master_url=ldap://mymaster.somewhere.com:389
    zmlocalconfig -e ldap_url=ldap://myreplica.somewhere.com:389
    zmlocalconfig -e ldap_starttls_supported=0
    zmlocalconfig -e ldap_port=389
    What should I change ldap_starttls_supported to?
    Do I need to set ldap_url even if I don't have a replica?

    Cheers, B

  10. #10 batfastad

    Took a gamble and changed...
    ldap_url to be the same as ldap_master_url
    ldap_starttls_supported = 1

    LDAP seemed to restart ok after that.
    So hopefully LDAPS should now be disabled, which I feel is better since it was never part of an official standard anyway.

    Now on to LDAP replication.

    Cheers, B
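Two points in the thread come down to getting an LDAP URL right: the Apache URL that would not authenticate in post #6, and the `ldap_master_url` / `ldap_url` / `ldap_starttls_supported` / `ldap_port` values changed in posts #9 and #10. The script below is an added example, not code from the thread or from Zimbra: a small RFC 4516 LDAP URL parser (extended with the space-separated multi-host form that Apache's mod_authnz_ldap accepts in AuthLDAPURL for failover to a replica) plus a consistency check over a dictionary of localconfig values. The hostnames are the placeholders from post #9, the `ou=people,dc=...` base and `zimbraAccount` object class are assumptions about the Zimbra directory layout, and the check encodes the convention from the wiki page cited in post #9 that `ldaps://` goes with `ldap_starttls_supported=0` and plain `ldap://` relies on STARTTLS (`=1`) for encryption.

```python
# Added example, not from the thread or from Zimbra: an RFC 4516 LDAP URL
# parser and a consistency check over Zimbra localconfig values (stdlib only).
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import unquote

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
VALID_SCOPES = ("base", "one", "sub")


@dataclass
class LdapUrl:
    scheme: str
    hosts: List[Tuple[str, int]]          # one or more (host, port) pairs
    base_dn: str = ""
    attributes: List[str] = field(default_factory=list)
    scope: str = "base"                   # RFC 4516 default when the field is empty
    filter: str = "(objectClass=*)"       # RFC 4516 default filter


def parse_ldap_url(url: str) -> LdapUrl:
    """Parse ldap[s]://host[:port][/dn[?attrs[?scope[?filter]]]].

    Several space-separated host[:port] tokens are accepted in the host part;
    that is the mod_authnz_ldap extension used to list a replica and a master
    in one AuthLDAPURL. Bracketed IPv6 literals are not handled here.
    """
    scheme, sep, rest = url.strip().partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported or missing scheme in {url!r}")
    hostpart, _, path = rest.partition("/")
    hosts: List[Tuple[str, int]] = []
    for token in hostpart.split():
        host, colon, port = token.partition(":")
        if not host:
            raise ValueError(f"empty host in {url!r}")
        if colon and not port.isdigit():
            raise ValueError(f"bad port in {token!r}")
        hosts.append((host, int(port) if colon else DEFAULT_PORTS[scheme]))
    if not hosts:
        raise ValueError(f"no host in {url!r}")
    fields = path.split("?")              # dn ? attributes ? scope ? filter
    base_dn = unquote(fields[0])
    attributes = [a for a in fields[1].split(",") if a] if len(fields) > 1 else []
    scope = fields[2].lower() if len(fields) > 2 and fields[2] else "base"
    if scope not in VALID_SCOPES:
        raise ValueError(f"bad scope {scope!r}")
    filt = unquote(fields[3]) if len(fields) > 3 and fields[3] else "(objectClass=*)"
    return LdapUrl(scheme, hosts, base_dn, attributes, scope, filt)


def check_localconfig(lc: Dict[str, str]) -> List[str]:
    """Report inconsistencies between the URL keys and the port/TLS keys.

    An empty list means the values agree with each other.
    """
    findings: List[str] = []
    starttls = lc.get("ldap_starttls_supported", "0") == "1"
    for key in ("ldap_master_url", "ldap_url"):
        if key not in lc:
            findings.append(f"{key} is not set")
            continue
        u = parse_ldap_url(lc[key])
        if u.scheme == "ldaps" and starttls:
            findings.append(f"{key}: ldaps:// combined with ldap_starttls_supported=1; "
                            "STARTTLS upgrades a plain ldap:// session, so use one or the other")
        if u.scheme == "ldap" and not starttls:
            findings.append(f"{key}: plain ldap:// without STARTTLS; bind credentials "
                            "would cross the network unencrypted")
        for host, port in u.hosts:
            if "ldap_port" in lc and str(port) != str(lc["ldap_port"]):
                findings.append(f"{key}: {host} uses port {port} but ldap_port={lc['ldap_port']}")
    return findings


# Constructed sample values modelled on the commands quoted in post #9 and the
# change reported in post #10; the hostnames are the post's own placeholders.
POST9_LOCALCONFIG = {
    "ldap_master_url": "ldap://mymaster.somewhere.com:389",
    "ldap_url": "ldap://myreplica.somewhere.com:389",
    "ldap_starttls_supported": "0",
    "ldap_port": "389",
}
POST10_LOCALCONFIG = {
    "ldap_master_url": "ldap://mymaster.somewhere.com:389",
    "ldap_url": "ldap://mymaster.somewhere.com:389",
    "ldap_starttls_supported": "1",
    "ldap_port": "389",
}
# Constructed mod_authnz_ldap style URL: replica first, master as fallback,
# searching the (assumed) Zimbra ou=people container by uid.
APACHE_AUTH_URL = ("ldap://myreplica.somewhere.com:389 mymaster.somewhere.com:389"
                   "/ou=people,dc=somewhere,dc=com?uid?sub?(objectClass=zimbraAccount)")

if __name__ == "__main__":
    print(parse_ldap_url(APACHE_AUTH_URL))
    for name, lc in (("post 9", POST9_LOCALCONFIG), ("post 10", POST10_LOCALCONFIG)):
        print(name, check_localconfig(lc) or ["consistent"])
```

Run against the two constructed value sets, the post #9 commands are flagged on both URL keys (plain `ldap://` with STARTTLS off), while the post #10 combination of `ldap://` plus `ldap_starttls_supported=1` comes back clean; the parsed Apache URL shows each host with its port, which is the part that is easiest to get wrong when the scheme and port are specified separately.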
