Hello,
I run a Zimbra 8.7.3 platform with 11K users using Thunderbird and ActiveSync.
Our OpenLDAP server is overloaded by BIND operations from the Zimbra stores (8 stores).
How can we, server side, limit or cache LDAP authentications?
Regards,
Victor
External LDAP overload : How to cache ldap authentications ?
- Posts: 43
- Joined: Mon Apr 11, 2016 11:59 am
Re: External LDAP overload : How to cache ldap authentications ?
Hello,
Any idea?
Victor
Re: External LDAP overload : How to cache ldap authentications ?
Why do you not use LDAP replicas or LDAP MMR?
- L. Mark Stone
- Ambassador
- Posts: 2796
- Joined: Wed Oct 09, 2013 11:35 am
- Location: Portland, Maine, US
- ZCS/ZD Version: 10.0.6 Network Edition
Re: External LDAP overload : How to cache ldap authentications ?
Hi Victor,

vdagost-fr wrote:
Hello,
I run a Zimbra 8.7.3 platform with 11K users using Thunderbird and ActiveSync.
Our OpenLDAP server is overloaded by BIND operations from the Zimbra stores (8 stores).
How can we, server side, limit or cache LDAP authentications?
Regards,
Victor
As Phoenix advised, you'd be better off using multiple LDAP servers to handle the load. But your subject line says "External OpenLDAP servers", so it's not clear whether you are talking about Zimbra LDAP servers or whether you have Zimbra authenticating truly to an external OpenLDAP server.
If it's all Zimbra LDAP, I'd suggest configuring two more LDAP servers, as traditional LDAP replicas (do not use LDAP MMR).
On your mailbox stores, the localconfig variable ldap_master_url directs the mailbox server to the LDAP server for writes. The localconfig variable ldap_url controls which LDAP servers the mailbox servers will use for reads. Essentially, the strategy is to keep the write traffic (not a lot, except for ephemeral data) on the master, and keep all the read (auth traffic) requests on the replicas.
If you need help setting up LDAP replication, just post (there are plenty of wiki articles plus the Admin Guide). But assuming you can get LDAP replicas setup on your own, then once you are done things could look like this:
LDAP Servers:
ldap-master.yourdomain.tld
ldap-replica1.yourdomain.tld
ldap-replica2.yourdomain.tld
On your first four mailbox servers:
ldap_master_url = ldap://ldap-master.yourdomain.tld:389
ldap_url = ldap://ldap-replica1.yourdomain.tld:389 ldap://ldap-replica2.yourdomain.tld:389 ldap://ldap-master.yourdomain.tld:389
On the second block of four mailbox servers:
ldap_master_url = ldap://ldap-master.yourdomain.tld:389
ldap_url = ldap://ldap-replica2.yourdomain.tld:389 ldap://ldap-replica1.yourdomain.tld:389 ldap://ldap-master.yourdomain.tld:389
If you do have external OpenLDAP, you'll need to beef up your external OpenLDAP environment, but when you configure Domain Authentication within Zimbra, you can add more external servers.
Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
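One way to generate the two ldap_url layouts above for all eight stores, as an added example that is not from Mark's post or from Zimbra's own tooling: a small POSIX sh script that rotates the replica list per group of stores and always appends the master last, so reads fall back to it only when every replica is unreachable. The hostnames are the placeholders from the post; STORES_PER_GROUP, DRY_RUN and the 0-based store index are assumptions of this example, and it generalizes to any number of replicas. It only prints the zmlocalconfig commands unless DRY_RUN=0, in which case it is meant to be run as the zimbra user on the store itself.

```sh
#!/bin/sh
# Added example (not from the thread): compute and apply per-store ldap_url
# values that spread read/auth traffic across LDAP replicas while keeping the
# master for writes and as the last-resort fallback. Hostnames are the
# placeholders from the post; STORES_PER_GROUP and DRY_RUN are assumptions.

MASTER_URL="ldap://ldap-master.yourdomain.tld:389"
# Replicas in URL form: ldap_url is a space-separated list of ldap:// URLs.
REPLICA_URLS="ldap://ldap-replica1.yourdomain.tld:389 ldap://ldap-replica2.yourdomain.tld:389"
STORES_PER_GROUP=4        # consecutive stores that share a preferred replica
DRY_RUN=${DRY_RUN:-1}     # 1 = print the commands only, 0 = run them

# ldap_url_for STORE_INDEX
# Prints the ldap_url list for the N-th mailbox store (0-based): the replicas
# rotated so each group of STORES_PER_GROUP stores prefers a different replica,
# followed by the master so reads still work if every replica is down.
ldap_url_for() {
    idx=$1
    set -- $REPLICA_URLS
    n=$#
    k=$(( (idx / STORES_PER_GROUP) % n ))
    head=""
    tail=""
    i=0
    for r in "$@"; do
        if [ "$i" -lt "$k" ]; then
            tail="$tail $r"       # replicas before the preferred one go to the back
        else
            head="$head $r"       # preferred replica and the ones after it go first
        fi
        i=$(( i + 1 ))
    done
    # strip the leading space left by the concatenation above
    printf '%s\n' "$head$tail $MASTER_URL" | sed 's/^ *//'
}

# apply_to_store STORE_INDEX
# Prints (or, with DRY_RUN=0, runs) the localconfig edits for that store.
# ldap_url is read when mailboxd starts, so mailboxd is restarted afterwards.
apply_to_store() {
    idx=$1
    url=$(ldap_url_for "$idx")
    if [ "$DRY_RUN" = "1" ]; then
        echo "store $idx: zmlocalconfig -e ldap_master_url=\"$MASTER_URL\""
        echo "store $idx: zmlocalconfig -e ldap_url=\"$url\""
    else
        zmlocalconfig -e "ldap_master_url=$MASTER_URL"
        zmlocalconfig -e "ldap_url=$url"
        zmmailboxdctl restart
    fi
}

# Show the resulting layout for 8 stores (indices 0-7)
i=0
while [ "$i" -lt 8 ]; do
    apply_to_store "$i"
    i=$(( i + 1 ))
done
```

Stores 0-3 get replica1 first and stores 4-7 get replica2 first, matching the two blocks in the post; with three replicas and STORES_PER_GROUP=3 the same function produces three rotations. Changing ldap_url does nothing until mailboxd is restarted, which is why the non-dry path ends with zmmailboxdctl restart.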
- Posts: 43
- Joined: Mon Apr 11, 2016 11:59 am
Re: External LDAP overload : How to cache ldap authentications ?
Hello,
The internal Zimbra OpenLDAP servers are fine.
It is an external OpenLDAP server, used for authentication, which is overloaded.
I was thinking Zimbra may have a caching mechanism like saslauthd.
If not, I think the best solution is to set up an OpenLDAP cluster to manage authentication (Zimbra is not the only service using the external OpenLDAP).
Regards,
Victor