Hi,
I am implementing a multi-server platform with: 2 LDAP servers in a master-slave configuration, 2 MTA-proxy servers and 2 store servers.
The platform is up and working, but when I shut down the master LDAP server, I can no longer authenticate; I get an LDAP error on the web UI.
Trying with the web admin UI, it's the same, I cannot log in, but the error is more detailed: LDAP error: Unable to get connection: ldap host=: An error occurred while attempting to connect to server ldapmaster.example.com:389: java.IOException....
I know that the slave is read-only, but why can't users log in to their mailboxes using the replica? Or does the login operation need to write something to LDAP?
What is the role of the replica? Do I have to promote it to be a master to have high availability, or else use a multi-master configuration for that?
Regards.
[Zimbra FOSS 8.8.10] Multi-server installation cannot authenticate against ldap replica
- L. Mark Stone
- Ambassador
- Posts: 2802
- Joined: Wed Oct 09, 2013 11:35 am
- Location: Portland, Maine, US
- ZCS/ZD Version: 10.0.7 Network Edition
- Contact:
Re: [Zimbra FOSS 8.8.10] Multi-server installation cannot authenticate against ldap replica
wodel wrote:Hi,
I am implementing a multi-server platform with: 2 LDAP servers in a master-slave configuration, 2 MTA-proxy servers and 2 store servers.
The platform is up and working, but when I shut down the master LDAP server, I can no longer authenticate; I get an LDAP error on the web UI.
Trying with the web admin UI, it's the same, I cannot log in, but the error is more detailed: LDAP error: Unable to get connection: ldap host=: An error occurred while attempting to connect to server ldapmaster.example.com:389: java.IOException....
I know that the slave is read-only, but why can't users log in to their mailboxes using the replica? Or does the login operation need to write something to LDAP?
What is the role of the replica? Do I have to promote it to be a master to have high availability, or else use a multi-master configuration for that?
Regards.
After you install more LDAP servers, the localconfig variable "ldap_url" on every server needs to be updated by adding the additional LDAP servers. See the multi-server installation guide for how to do this: https://zimbra.github.io/installguides/8.8.9/multi.html
Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
Re: [Zimbra FOSS 8.8.10] Multi-server installation cannot authenticate against ldap replica
Hi, and thanks.
I read the installation guide and did what it says: I configured ldap_url to include the slave server, but authentication doesn't work when the master is down.
- If I stop the master and then execute, for example, zmprov -l gaa from another server (the store, for example), it tells me that the master is down and that it falls back to the slave, and it gives me the list of all users, so the slave is responding.
- If I authenticate with a wrong password, the web UI tells me that the username or password is wrong, but if I type the correct password the LDAP error is shown and no login is made.
Regards
- L. Mark Stone
- Ambassador
- Posts: 2802
- Joined: Wed Oct 09, 2013 11:35 am
- Location: Portland, Maine, US
- ZCS/ZD Version: 10.0.7 Network Edition
- Contact:
Re: [Zimbra FOSS 8.8.10] Multi-server installation cannot authenticate against ldap replica
wodel wrote:Hi, and thanks.
I read the installation guide and did what it says: I configured ldap_url to include the slave server, but authentication doesn't work when the master is down.
- If I stop the master and then execute, for example, zmprov -l gaa from another server (the store, for example), it tells me that the master is down and that it falls back to the slave, and it gives me the list of all users, so the slave is responding.
- If I authenticate with a wrong password, the web UI tells me that the username or password is wrong, but if I type the correct password the LDAP error is shown and no login is made.
Regards
Please post the output of the following command, run as the zimbra user on all servers:
zmlocalconfig | grep ldap_ | grep _url
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
Re: [Zimbra FOSS 8.8.10] Multi-server installation cannot authenticate against ldap replica
Hi,
Here is the output of the command on all servers:
LDAP master :
ldap_bind_url =
ldap_master_url = ldap://ldapmaster.example.com:389
ldap_url = ldap://ldapslave.example.com:389 ldap://ldapmaster.example.com:389
LDAP SLAVE :
ldap_bind_url =
ldap_master_url = ldap://ldapmaster.example.com:389
ldap_url = ldap://ldapslave.example.com:389 ldap://ldapmaster.example.com:389
MTAPROXY1 :
ldap_bind_url =
ldap_master_url = ldap://ldapmaster.example.com:389
ldap_url = ldap://ldapslave.example.com:389 ldap://ldapmaster.example.com:389
MTAPROXY2 :
ldap_bind_url =
ldap_master_url = ldap://ldapmaster.example.com:389
ldap_url = ldap://ldapmaster.example.com:389
STORE1:
ldap_bind_url =
ldap_master_url = ldap://ldapmaster.example.com:389
ldap_url = ldap://ldapslave.example.com:389 ldap://ldapmaster.example.com:389
STORE2:
ldap_bind_url =
ldap_master_url = ldap://ldapmaster.example.com:389
ldap_url = ldap://ldapslave.example.com:389 ldap://ldapmaster.example.com:389
Regards.
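As an added illustration (not code from the thread or from Zimbra), a small POSIX shell script that parses output in the shape posted above and reports every server whose ldap_url does not list every LDAP server, which is the condition the earlier reply says must hold on all servers. The sample input is constructed from the values posted for two of the six servers, and the expected URL list is an assumption taken from the two LDAP hosts that appear in the posted output.

```shell
#!/bin/sh
# Added example: audit ldap_url values collected from several servers.
# Input format (constructed to mirror the posted output): a server label line
# ending in ':' followed by the zmlocalconfig lines for that server.

# Assumption: these two are all the LDAP servers in the platform.
EXPECTED_LDAP="ldap://ldapslave.example.com:389 ldap://ldapmaster.example.com:389"

# Constructed sample, copied from two of the blocks posted above.
SAMPLE='LDAP master :
ldap_bind_url =
ldap_master_url = ldap://ldapmaster.example.com:389
ldap_url = ldap://ldapslave.example.com:389 ldap://ldapmaster.example.com:389
MTAPROXY2 :
ldap_bind_url =
ldap_master_url = ldap://ldapmaster.example.com:389
ldap_url = ldap://ldapmaster.example.com:389'

# Print "<server>\tMISSING\t<url>" for each expected LDAP URL absent from that
# server's ldap_url; a server that lists every URL produces no line.
audit_ldap_url() {
    printf '%s\n' "$1" | awk -v expected="$2" '
        BEGIN { n = split(expected, want, " ") }
        # A label line has no "=" and ends with ":" (e.g. "MTAPROXY2 :").
        /^[^=]*:[ \t]*$/ { sub(/[ \t]*:[ \t]*$/, ""); server = $0; next }
        /^ldap_url[ \t]*=/ {
            sub(/^ldap_url[ \t]*=[ \t]*/, "")
            for (i = 1; i <= n; i++) {
                # Pad with spaces so a URL only matches as a whole token.
                if (index(" " $0 " ", " " want[i] " ") == 0)
                    print server "\tMISSING\t" want[i]
            }
        }'
}

# Number of distinct servers with at least one LDAP server missing from ldap_url.
count_misconfigured() {
    audit_ldap_url "$1" "$2" | awk -F'\t' '{ print $1 }' | sort -u | wc -l | tr -d ' '
}

audit_ldap_url "$SAMPLE" "$EXPECTED_LDAP"
```

On the posted values this flags only MTAPROXY2, whose ldap_url names the master alone, so that host has no replica to fall back to when the master is stopped.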
- L. Mark Stone
- Ambassador
- Posts: 2802
- Joined: Wed Oct 09, 2013 11:35 am
- Location: Portland, Maine, US
- ZCS/ZD Version: 10.0.7 Network Edition
- Contact:
Re: [Zimbra FOSS 8.8.10] Multi-server installation cannot authenticate against ldap replica
Let's check some more basics then.
Please also don't obfuscate your FQDNs and IP addresses. If your environment is secured properly, your actual FQDNs and IP addresses cannot help facilitate an exposure, and in any event most will be contained in all of your outbound email headers anyway.
So on every server, please post the output of:
cat /etc/hosts
cat /etc/resolv.conf
cat /etc/hostname
Next, for all of the actual FQDNs of your Zimbra servers, please post the output of:
host fqdn1
host fqdn2
etc...
e.g. (to use your obfuscated FQDNs):
host ldapmaster.example.com
For each of the IP addresses output by the above commands, please also post:
host <ip address>
Lastly, on each of the LDAP servers as the Zimbra user, please post the output of:
/opt/zimbra/libexec/zmreplchk
Hopefully this is all due to a name resolution issue and not an LDAP issue.
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate