External LDAP overload : How to cache ldap authentications ?

vdagost-fr
Posts: 43
Joined: Mon Apr 11, 2016 11:59 am

External LDAP overload : How to cache ldap authentications ?

Post by vdagost-fr »

Hello,

I run a Zimbra 8.7.3 platform with 11K users using Thunderbird and ActiveSync.

Our OpenLDAP server is overloaded by BIND operations from the Zimbra stores (8 stores).

How can I, server side, limit or cache LDAP authentications?

Regards,
Victor
vdagost-fr
Posts: 43
Joined: Mon Apr 11, 2016 11:59 am

Re: External LDAP overload : How to cache ldap authentications ?

Post by vdagost-fr »

Hello,

Any idea ?

Victor
phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: External LDAP overload : How to cache ldap authentications ?

Post by phoenix »

Why do you not use LDAP replicas or LDAP MMR?
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: External LDAP overload : How to cache ldap authentications ?

Post by L. Mark Stone »

vdagost-fr wrote:
Hello,

I run a Zimbra 8.7.3 platform with 11K users using Thunderbird and ActiveSync.

Our OpenLDAP server is overloaded by BIND operations from the Zimbra stores (8 stores).

How can I, server side, limit or cache LDAP authentications?

Regards,
Victor
Hi Victor,

As Phoenix advised, you'd be better off using multiple LDAP servers to handle the load. But your subject line says "External OpenLDAP servers", so it's not clear if you are talking about Zimbra LDAP servers or if you have Zimbra authenticating truly to an external OpenLDAP server.

If it's all Zimbra LDAP, I'd suggest configuring two more LDAP servers, as traditional LDAP replicas (do not use LDAP MMR).

On your mailbox stores, the localconfig variable ldap_master_url directs the mailbox server to the LDAP server for writes. The localconfig variable ldap_url controls which LDAP servers the mailbox servers will use for reads. Essentially, the strategy is to keep the write traffic (not a lot, except for ephemeral data) on the master, and keep all the read (auth traffic) requests on the replicas.

If you need help setting up LDAP replication, just post (there are plenty of wiki articles plus the Admin Guide). But assuming you can get LDAP replicas set up on your own, then once you are done things could look like this:

LDAP Servers:
ldap-master.yourdomain.tld
ldap-replica1.yourdomain.tld
ldap-replica2.yourdomain.tld

On your first four mailbox servers:
ldap_master_url = ldap://ldap-master.yourdomain.tld:389
ldap_url = ldap://ldap-replica1.yourdomain.tld:389 ldap://ldap-replica2.yourdomain.tld:389 ldap://ldap-master.yourdomain.tld:389

On the second block of four mailbox servers:
ldap_master_url = ldap://ldap-master.yourdomain.tld:389
ldap_url = ldap://ldap-replica2.yourdomain.tld:389 ldap://ldap-replica1.yourdomain.tld:389 ldap://ldap-master.yourdomain.tld:389

If you do have external OpenLDAP, you'll need to beef up your external OpenLDAP environment, but when you configure Domain Authentication within Zimbra, you can add more external servers.

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
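The read/write split described in Mark's reply, as an added example (not code from the thread or from Zimbra): a small POSIX sh helper that builds the ldap_url value for a given mailbox store so that each block of four stores starts on a different replica and the master is always last as the fallback, plus a check that every entry carries an ldap:// or ldaps:// scheme (a bare host:port in ldap_url is an easy mistake). The hostnames are the placeholders from the reply; the "four stores per replica" rotation rule, the function names and the store numbering are assumptions for the illustration. The apply function only prints the zmlocalconfig commands; on a real store you would run them as the zimbra user and restart mailboxd.

```shell
#!/bin/sh
# Added example, not from the thread or Zimbra: per-store ldap_url ordering.
# Hostnames are the thread's placeholders; rotation rule is an assumption.

LDAP_MASTER="ldap://ldap-master.yourdomain.tld:389"

# build_ldap_url STORE_INDEX REPLICA_HOST...
# Prints the ldap_url value: replicas rotated so that stores 1-4 start on the
# first replica, stores 5-8 on the second, and so on; master always last.
build_ldap_url() {
    store=$1; shift
    n=$#
    # first replica for this store: groups of four stores per replica (assumed rule)
    start=$(( ((store - 1) / 4) % n ))
    # rotate the positional list left by $start entries
    i=0
    while [ "$i" -lt "$start" ]; do
        first=$1; shift
        set -- "$@" "$first"
        i=$((i + 1))
    done
    out=""
    for host in "$@"; do
        out="$out ldap://$host:389"
    done
    printf '%s %s\n' "${out# }" "$LDAP_MASTER"
}

# valid_ldap_url "URL URL ..."
# Returns 0 only if every space-separated entry is ldap://host:port or ldaps://host:port.
valid_ldap_url() {
    for u in $1; do
        case "$u" in
            ldap://*:[0-9]*|ldaps://*:[0-9]*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# apply_ldap_url STORE_INDEX REPLICA_HOST...
# Dry run: prints the zmlocalconfig commands for this store after validating the value.
apply_ldap_url() {
    url=$(build_ldap_url "$@") || return 1
    valid_ldap_url "$url" || { echo "invalid ldap_url: $url" >&2; return 1; }
    echo "zmlocalconfig -e ldap_master_url=\"$LDAP_MASTER\""
    echo "zmlocalconfig -e ldap_url=\"$url\""
    echo "zmmailboxdctl restart"
}

# Demo for store 1 and store 5 with the two replicas from the reply.
apply_ldap_url 1 ldap-replica1.yourdomain.tld ldap-replica2.yourdomain.tld
apply_ldap_url 5 ldap-replica1.yourdomain.tld ldap-replica2.yourdomain.tld
```

With only two replicas this reproduces the two blocks in the reply; with more replicas it spreads the read (authentication) traffic further while keeping writes on the master via ldap_master_url.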
vdagost-fr
Posts: 43
Joined: Mon Apr 11, 2016 11:59 am

Re: External LDAP overload : How to cache ldap authentications ?

Post by vdagost-fr »

Hello,

The internal Zimbra openldap servers are fine.

It is an external OpenLDAP server, used for authentication, which is overloaded.

I was thinking Zimbra may have a caching mechanism like saslauthd.
If not, I think the best solution is to set up an OpenLDAP cluster to manage authentication (Zimbra is not the only service using the external OpenLDAP).

Regards,
Victor