1

Topic: Anyone having installed redundant openldap servers with iRedMail

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version 0.99
- Deployed with iRedMail Easy or the downloadable installer? No
- Linux/BSD distribution name and version: CentOS 7
- Store mail accounts in which backend: LDAP
- Web server: Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
This question is perhaps more related to OpenLDAP than iRedMail, but I am just trying to reach out to the iRedMail community.

I have the OpenLDAP server running on a separate server today.

Idea: planning to make OpenLDAP redundant by running multi-master sync between two LDAP servers, with a proxy in front.

Question: Has anyone deployed this together with iRedMail and is willing to share ideas?

1. The guides I have found describing how to do this in LDAP all suggest using slapd.d/ instead of slapd.conf, in order to be able to synchronize the config database. Maybe this can be skipped by doing manual config on both servers?

2. Changing from slapd.conf to slapd.d/ is a fairly easy process, but future modifications of the config (i.e. as delivered from the iRedMail project) are then a bit more complicated, but not impossible.

3. Which proxy to use (HAProxy, Balance, Nginx, ...)?

4. Any other concerns related to the iRedMail implementation.


Regards


2

Re: Anyone having installed redundant openldap servers with iRedMail

swejun wrote:

1. The guides I have found describing how to do this in LDAP all suggest using slapd.d/ instead of slapd.conf, in order to be able to synchronize the config database. Maybe this can be skipped by doing manual config on both servers?

"slapd.conf" is easier to use and configure, it's supported by OpenLDAP 2.4.x, and there is no deadline to retire it by the OpenBSD team (correct me if I was wrong). So slapd.conf is ok, but sure, you can switch to the slapd.d format and update OpenLDAP configurations / schema / ACL / ... on the fly.

swejun wrote:

2. Changing from slapd.conf to slapd.d/ is a fairly easy process, but future modifications of the config (i.e. as delivered from the iRedMail project) are then a bit more complicated, but not impossible.

You need to use the LDAP command line (or similar tools) to update the LDAP database directly, not slapd.conf anymore.

swejun wrote:

3. Which proxy to use (HAProxy, Balance, Nginx, ...)?

I personally don't have experience with LDAP proxying yet.

By the way, I'm not sure why a proxy server is involved in your setup, but how about a one-master-with-multiple-slaves setup? Or mirror mode for 2 servers (both are masters, changes synced both ways)? Both are supported by OpenLDAP itself.

3

Re: Anyone having installed redundant openldap servers with iRedMail

ZhangHuangbin wrote:
swejun wrote:

1. The guides I have found describing how to do this in LDAP all suggest using slapd.d/ instead of slapd.conf, in order to be able to synchronize the config database. Maybe this can be skipped by doing manual config on both servers?

"slapd.conf" is easier to use and configure, it's supported by OpenLDAP 2.4.x, and there is no deadline to retire it by the OpenBSD team (correct me if I was wrong). So slapd.conf is ok, but sure, you can switch to the slapd.d format and update OpenLDAP configurations / schema / ACL / ... on the fly.

swejun wrote:

2. Changing from slapd.conf to slapd.d/ is a fairly easy process, but future modifications of the config (i.e. as delivered from the iRedMail project) are then a bit more complicated, but not impossible.

You need to use the LDAP command line (or similar tools) to update the LDAP database directly, not slapd.conf anymore.

swejun wrote:

3. Which proxy to use (HAProxy, Balance, Nginx, ...)?

I personally don't have experience with LDAP proxying yet.

By the way, I'm not sure why a proxy server is involved in your setup, but how about a one-master-with-multiple-slaves setup? Or mirror mode for 2 servers (both are masters, changes synced both ways)? Both are supported by OpenLDAP itself.

I managed to configure syncrepl manually in slapd.conf (I will share an example once it is all tested and done).

The main reasons for my setup are as follows:
- The iRedMail server is installed in the DMZ segment, so there is no direct connection from Internet-attached servers to our intranet.

- LDAP and SQL are run on server instances located on the intranet.

- Other internal services are using the same LDAP instance for user authentication.

- The reason for setting up a master/master LDAP cluster is redundancy. One server can be offline for patching and reboots while the other serves internal users and systems.

- So it just follows the internal IT policy of duplicating sensitive core systems like DNS, NTP and firewall, and running all services in a redundant virtualisation environment. Currently the LDAP server is a single point of failure.
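
An added example, not the poster's own configuration (which they say they will share later) and not shipped by iRedMail: a slapd.conf fragment for the two-way syncrepl "mirror mode" that post 2 suggests and post 3 says was configured by hand. Hostnames, suffix, the replicator DN, the password and the CA bundle path are placeholders; the ACL is assumed to be placed before iRedMail's own ACLs.

```conf
# Added example: OpenLDAP 2.4 mirror mode in slapd.conf (placeholders throughout).
# The peer uses the same fragment with serverID 2 and
# provider=ldaps://ldap1.example.com. Both slapd instances must listen on ldaps://.

# serverID must be unique per master and appear before the database section.
serverID    1

# syncprov lets this server act as a provider for its peer.
moduleload  syncprov.la

database    mdb
suffix      "dc=example,dc=com"
rootdn      "cn=Manager,dc=example,dc=com"
# ... directory, rootpw and the usual iRedMail index directives here ...
# Indexes syncrepl relies on for fast change lookup.
index       entryCSN    eq
index       entryUUID   eq

# The replicator DN must read every attribute, including userPassword, so use a
# dedicated entry with a strong password. "break" falls through to the next
# access clause for everyone else; keep this before iRedMail's existing ACLs.
access to *
    by dn.exact="cn=replicator,dc=example,dc=com" read
    by * break

# Provider side: keep a checkpoint and session log so resyncs are cheap.
overlay             syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

# Consumer side: pull the peer's changes over TLS with certificate verification.
# refreshAndPersist keeps a persistent search open; retry="60 +" reconnects forever.
syncrepl    rid=001
            provider=ldaps://ldap2.example.com
            bindmethod=simple
            binddn="cn=replicator,dc=example,dc=com"
            credentials=PLACEHOLDER_STRONG_PASSWORD
            searchbase="dc=example,dc=com"
            schemachecking=on
            type=refreshAndPersist
            retry="60 +"
            tls_reqcert=demand
            tls_cacert=/etc/pki/tls/certs/ca-bundle.crt

# Both nodes accept writes; conflicts resolve last-writer-wins by entryCSN, so
# direct writers (iRedMail, iRedAdmin) to one node at a time unless that is acceptable.
mirrormode  on
```

After starting both nodes, compare contextCSN on each with ldapsearch (on the suffix entry, attribute contextCSN); matching values mean the two masters are in sync.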

4

Re: Anyone having installed redundant openldap servers with iRedMail

Looks like your LDAP setup could be one master with 1 (or more) slaves.
The OpenLDAP master runs on iRedMail; run OpenLDAP slaves on the other server(s), since they just need to query, not update.