[Zimbra FOSS 8.8.10] Multi-server installation cannot authenticate against ldap replica

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
wodel
Advanced member
Posts: 52
Joined: Sat Sep 13, 2014 12:24 am

[Zimbra FOSS 8.8.10] Multi-server installation cannot authenticate against ldap replica

Post by wodel »

Hi,

I am implementing a multi-server platform with: 2 LDAP servers in a master-slave configuration, 2 MTA-proxy servers and 2 store servers.

The platform is up and working, but when I shut down the master LDAP server, I can no longer authenticate; I get an LDAP error on the web UI.

Trying with the web admin UI, it's the same: I cannot log in, but the error is more detailed: LDAP error : Unable to get connection: ldap host=: An error occurred while attempting to connect to server ldapmaster.example.com:389: java.IOException....

I know that the slave is read-only, but why can't users log in to their mailboxes using the replica? Or does the login operation need to write something to LDAP?

What is the role of the replica? Do I have to promote it to be a master to have high availability, or else use a multi-master configuration for that?

Regards.
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: [Zimbra FOSS 8.8.10] Multi-server installation cannot authenticate against ldap replica

Post by L. Mark Stone »

wodel wrote: Hi,

I am implementing a multi-server platform with: 2 LDAP servers in a master-slave configuration, 2 MTA-proxy servers and 2 store servers.

The platform is up and working, but when I shut down the master LDAP server, I can no longer authenticate; I get an LDAP error on the web UI.

Trying with the web admin UI, it's the same: I cannot log in, but the error is more detailed: LDAP error : Unable to get connection: ldap host=: An error occurred while attempting to connect to server ldapmaster.example.com:389: java.IOException....

I know that the slave is read-only, but why can't users log in to their mailboxes using the replica? Or does the login operation need to write something to LDAP?

What is the role of the replica? Do I have to promote it to be a master to have high availability, or else use a multi-master configuration for that?

Regards.
After you install more LDAP servers, the localconfig variable "ldap_url" on every server needs to be updated by adding the additional LDAP servers. See the multi-server installation guide for how to do this: https://zimbra.github.io/installguides/8.8.9/multi.html

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
wodel
Advanced member
Posts: 52
Joined: Sat Sep 13, 2014 12:24 am

Re: [Zimbra FOSS 8.8.10] Multi-server installation cannot authenticate against ldap replica

Post by wodel »

Hi, and thanks

I read the installation guide and did what it says: I configured ldap_url to include the slave server, but authentication doesn't work when the master is down.

- If I stop the master and then execute, for example, zmprov -l gaa from another server (the store, for example), it tells me that the master is down and that it falls back to the slave, and it gives me the list of all users, so the slave is responding.

- If I authenticate with a wrong password, the web UI tells me that the username or the password is wrong, but if I type the correct password the LDAP error is shown and no login happens.

Regards
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: [Zimbra FOSS 8.8.10] Multi-server installation cannot authenticate against ldap replica

Post by L. Mark Stone »

wodel wrote: Hi, and thanks

I read the installation guide and did what it says: I configured ldap_url to include the slave server, but authentication doesn't work when the master is down.

- If I stop the master and then execute, for example, zmprov -l gaa from another server (the store, for example), it tells me that the master is down and that it falls back to the slave, and it gives me the list of all users, so the slave is responding.

- If I authenticate with a wrong password, the web UI tells me that the username or the password is wrong, but if I type the correct password the LDAP error is shown and no login happens.

Regards
Please post the output of the following command, run as the zimbra user on all servers:

zmlocalconfig | grep ldap_ | grep _url

Mark
wodel
Advanced member
Posts: 52
Joined: Sat Sep 13, 2014 12:24 am

Re: [Zimbra FOSS 8.8.10] Multi-server installation cannot authenticate against ldap replica

Post by wodel »

Hi,

Here is the output of the command on all servers:

LDAP master :
ldap_bind_url =
ldap_master_url = ldap://ldapmaster.example.com:389
ldap_url = ldap://ldapslave.example.com:389 ldap://ldapmaster.example.com:389


LDAP SLAVE :
ldap_bind_url =
ldap_master_url = ldap://ldapmaster.example.com:389
ldap_url = ldap://ldapslave.example.com:389 ldap://ldapmaster.example.com:389

MTAPROXY1 :
ldap_bind_url =
ldap_master_url = ldap://ldapmaster.example.com:389
ldap_url = ldap://ldapslave.example.com:389 ldap://ldapmaster.example.com:389

MTAPROXY2 :
ldap_bind_url =
ldap_master_url = ldap://ldapmaster.example.com:389
ldap_url = ldap://ldapmaster.example.com:389

STORE1:
ldap_bind_url =
ldap_master_url = ldap://ldapmaster.example.com:389
ldap_url = ldap://ldapslave.example.com:389 ldap://ldapmaster.example.com:389

STORE2:
ldap_bind_url =
ldap_master_url = ldap://ldapmaster.example.com:389
ldap_url = ldap://ldapslave.example.com:389 ldap://ldapmaster.example.com:389


Regards.
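One way to turn a listing like the one above into a repeatable check, as an added example (not Zimbra's code and not anything posted in the thread): parse each server's zmlocalconfig lines and flag any server whose ldap_url does not name every LDAP server. The server roles and the two host:port values are the ones posted above; the sample text is reconstructed from that post. Run against it, the audit flags MTAPROXY2, whose ldap_url lists only the master.

```python
"""Audit the ldap_*url localconfig values collected from every Zimbra server.

Added example, not Zimbra's own code. It takes the text each server printed for
    zmlocalconfig | grep ldap_ | grep _url
and reports any server whose ldap_url does not list every LDAP server.
The sample below is constructed from the values posted in the thread.
"""
import re
from urllib.parse import urlsplit

MASTER = "ldap://ldapmaster.example.com:389"
SLAVE = "ldap://ldapslave.example.com:389"


def _lc(ldap_url):
    """Render the three lines the way zmlocalconfig prints them."""
    return f"ldap_bind_url =\nldap_master_url = {MASTER}\nldap_url = {ldap_url}\n"


# Constructed sample: server role -> its zmlocalconfig output (values as posted).
SAMPLE_OUTPUT = {
    "ldapmaster": _lc(f"{SLAVE} {MASTER}"),
    "ldapslave": _lc(f"{SLAVE} {MASTER}"),
    "mtaproxy1": _lc(f"{SLAVE} {MASTER}"),
    "mtaproxy2": _lc(MASTER),  # only the master, as in the posted output
    "store1": _lc(f"{SLAVE} {MASTER}"),
    "store2": _lc(f"{SLAVE} {MASTER}"),
}

# Every host:port a complete ldap_url should contain.
LDAP_SERVERS = {urlsplit(MASTER).netloc, urlsplit(SLAVE).netloc}

# Matches "ldap_bind_url = ...", "ldap_master_url = ..." and "ldap_url = ...".
LINE_RE = re.compile(r"^\s*(ldap_\w*url)\s*=\s*(.*?)\s*$")


def parse_localconfig(text):
    """Return {key: [url, ...]}; ldap_url may hold several space-separated URLs."""
    cfg = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2).split()
    return cfg


def audit(outputs, ldap_servers):
    """Return [(server, problem), ...]; an empty list means every server is complete."""
    problems = []
    for server, text in outputs.items():
        cfg = parse_localconfig(text)
        listed = {urlsplit(u).netloc for u in cfg.get("ldap_url", [])}
        missing = sorted(ldap_servers - listed)
        if missing:
            problems.append((server, "ldap_url is missing " + ", ".join(missing)))
        if len(cfg.get("ldap_master_url", [])) != 1:
            problems.append((server, "ldap_master_url should name exactly one master"))
    return problems


if __name__ == "__main__":
    findings = audit(SAMPLE_OUTPUT, LDAP_SERVERS) or [("all servers", "consistent")]
    for server, problem in findings:
        print(f"{server}: {problem}")
```

In practice you would replace SAMPLE_OUTPUT with the text captured from each server; the check is only about list completeness, and says nothing about which server Zimbra actually contacts first.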
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: [Zimbra FOSS 8.8.10] Multi-server installation cannot authenticate against ldap replica

Post by L. Mark Stone »

Let's check some more basics then.

Please also don't obfuscate your FQDNs and IP addresses. If your environment is secured properly, your actual FQDNs and IP addresses cannot help facilitate an exposure, and in any event most will be contained in all of your outbound email headers anyway.

So on every server, please post the output of:

cat /etc/hosts
cat /etc/resolv.conf
cat /etc/hostname

Next, for all of the actual fqdns of your Zimbra servers, please post the output of:

host fqdn1
host fqdn2
etc...

e.g. (to use your obfuscated FQDNs):

host ldapmaster.example.com

For each of the IP addresses output by the above commands, please also post:

host <ip address>

Lastly, on each of the LDAP servers as the Zimbra user, please post the output of:

/opt/zimbra/libexec/zmreplchk

Hopefully this is all due to a name resolution issue and not an LDAP issue.

Mark
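The name-resolution checks requested above (cat /etc/hosts, host <fqdn>, host <ip>) boil down to three consistency rules per server name: one forward address, a reverse record that names the FQDN, and agreement between /etc/hosts and DNS. As an added example (not code from the thread or from Zimbra), this script applies those rules to results that have already been collected into plain text and dicts. All sample data is constructed, using 192.0.2.0/24 documentation addresses, and one inconsistency is planted on purpose so the check has something to find.

```python
"""Cross-check forward DNS, reverse DNS and /etc/hosts for a set of FQDNs.

Added example, not from the thread or from Zimbra. The inputs mirror what
`cat /etc/hosts`, `host <fqdn>` and `host <ip>` return, already collected.
All sample values below are constructed (192.0.2.0/24 documentation range).
"""
import ipaddress

# Constructed /etc/hosts as it might look on one of the servers.
SAMPLE_HOSTS_FILE = """127.0.0.1   localhost
192.0.2.10  ldapmaster.example.com ldapmaster
192.0.2.11  ldapslave.example.com ldapslave   # planted: DNS says otherwise
"""

# Constructed results of `host <fqdn>`: fqdn -> list of A records.
SAMPLE_FORWARD = {
    "ldapmaster.example.com": ["192.0.2.10"],
    "ldapslave.example.com": ["192.0.2.21"],  # disagrees with /etc/hosts above
}

# Constructed results of `host <ip>`: ip -> list of PTR names.
SAMPLE_REVERSE = {
    "192.0.2.10": ["ldapmaster.example.com"],
    "192.0.2.21": ["ldapslave.example.com"],
}


def parse_hosts_file(text):
    """Return {name: ip} for every name on every non-comment line of /etc/hosts."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping[name] = ip
    return mapping


def check_resolution(hosts_text, forward, reverse, fqdns):
    """Return [(fqdn, problem), ...]; an empty list means everything agrees.

    Per FQDN: exactly one A record, the PTR for that address names the FQDN,
    and any /etc/hosts entry for the FQDN matches DNS."""
    hosts = parse_hosts_file(hosts_text)
    problems = []
    for fqdn in fqdns:
        addrs = forward.get(fqdn, [])
        if len(addrs) != 1:
            problems.append((fqdn, f"expected one A record, got {addrs}"))
            continue
        ip = addrs[0]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append((fqdn, f"forward lookup returned a non-address {ip!r}"))
            continue
        if fqdn not in reverse.get(ip, []):
            problems.append((fqdn, f"reverse lookup of {ip} does not name {fqdn}"))
        if fqdn in hosts and hosts[fqdn] != ip:
            problems.append((fqdn, f"/etc/hosts says {hosts[fqdn]} but DNS says {ip}"))
    return problems


if __name__ == "__main__":
    names = ["ldapmaster.example.com", "ldapslave.example.com"]
    for fqdn, problem in check_resolution(SAMPLE_HOSTS_FILE, SAMPLE_FORWARD,
                                          SAMPLE_REVERSE, names):
        print(f"{fqdn}: {problem}")
```

Run it once per server with that server's own /etc/hosts, since a stale hosts entry on a single store or proxy is enough to send its LDAP connections to the wrong address while every other server looks fine.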