OpenLDAP

Highly Available, Scalable, Multi-tier Solution Architecture

Axigen performs the following interactions with an LDAP service:

  • Authentication (read operation)
  • SMTP routing (read operation)
  • Proxy redirection (read operation)
  • Axigen-to-LDAP provisioning (read/write operation)
  • LDAP-to-Axigen provisioning (read operation)

The OpenLDAP server can run in several multi-node configurations, depending on the overall number of accounts and on the e-mail traffic, that is both the number of e-mails transferred via SMTP and the number of connections over the end-user protocols (POP3, IMAP and WebMail). This document describes only two of these configurations.

The first architectural configuration is similar with Axigen's setup, with one or more OpenLDAP nodes serving different domains, each one of them configured with a corresponding hot stand-by node sharing the same storage, the monitoring and failover being performed by a cluster management software. This way, when an OpenLDAP node fails, its corresponding hot stand-by node will take over the responsibilities. This setup is recommended in most situations, when a single LDAP node can handle the entire LDAP traffic.

The second configuration sets up multiple OpenLDAP instances in master/slave replication mode and should be used when the overall LDAP traffic cannot be handled by a single LDAP node. A single node is configured as master and is used only for provisioning. This master node is installed in the back-end tier, in an active/passive configuration handled by the cluster management software. In addition, a set of at least two LDAP replica nodes (two, to ensure redundancy) is installed and configured in the front-end tier, since none of the Axigen nodes in the back-end tier needs to perform read operations against the LDAP server; all LDAP queries are load-balanced from the front-end proxy nodes in the same way as the Axigen services (POP3, IMAP, WebMail).

What the two alternatives have in common is that high availability in the back-end tier is ensured by the Red Hat Cluster Suite, regardless of whether you set up a stand-alone single OpenLDAP instance or a master/slave replication configuration.

The first alternative is described below.

Base installation

Package installation

The OpenLDAP server package is called openldap-servers. The Red Hat Enterprise Linux and CentOS 5 repositories ship OpenLDAP 2.3 by default, which contains a syncrepl overlay backported from the 2.4 series but lacks the memberof overlay, which is necessary if you want Axigen groups synchronized with LDAP. If you need both overlays, you have to compile a custom OpenLDAP 2.4 server. Red Hat Enterprise Linux and CentOS 6 ship OpenLDAP 2.4 by default.

In order to install the default repository version, use the yum package manager:

After the package installation has finished successfully, the ldap init script must be prevented from starting at system boot, to avoid spurious errors at boot time: the configuration file lives on the shared storage and is not available until the related cluster service starts:

Please note that subsequent updates of the openldap-servers package may re-enable the init script at boot time; re-check it after every package update.

Repeat the same package installation steps on the hot stand-by node.

Storage preparation

This operation should be performed on only one of the two nodes in the OpenLDAP failover domain pair.

Mount the cluster shared partition at its destination mount point, according to /etc/fstab:

Create the working directories on the shared partition:

Configuration

Download the Axigen OpenLDAP Schema kit from the axigen.com downloads page, decompress the archive, change to the directory containing the axigen.schema file and install it with the following command:

Install the database configuration file, using the example file shipped with the openldap-servers package:

If necessary, edit /var/clusterfs/ldap/db/DB_CONFIG to perform any additional database tuning.

Then, create the OpenLDAP server configuration file, as follows:

The configuration above uses the literal password secret for the rootpw directive. Do not use this password, and do not store any password in clear text in slapd.conf: generate a hashed value with slappasswd (for example in {SSHA} form) and use that as the rootpw value instead. Also keep slapd.conf readable only by the user slapd runs as, because even a hashed rootpw can be cracked offline by anyone who can read the file.
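The hashing step described above, as an added example that is not part of the Axigen or OpenLDAP documentation: it produces a slappasswd-compatible {SSHA} value for rootpw, verifies a password against it, audits a slapd.conf for a cleartext rootpw, and renders a minimal slapd.conf in the spirit of the one created on this page. The two configuration fragments are constructed for illustration; the suffix o=mail, the rootdn, the ACL and the install path of axigen.schema are assumptions, while the database directory is the one used on this page.

```python
"""Added example, not from the Axigen or OpenLDAP documentation: produce a
slappasswd-compatible {SSHA} value for the rootpw directive, verify it, and
audit a slapd.conf for a cleartext rootpw.  The config fragments below are
constructed for illustration; suffix, rootdn, ACL and schema path are
assumptions, the database directory is the one used on this page."""
import base64
import hashlib
import hmac
import os
import re
from typing import List, Optional


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """'{SSHA}' + base64(SHA1(password || salt) || salt), the format written
    by `slappasswd -h {SSHA}` and accepted by slapd's rootpw directive."""
    if salt is None:
        salt = os.urandom(4)          # slappasswd uses a 4-byte random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a {SSHA} value; the salt is whatever follows
    the 20-byte SHA-1 digest, so any salt length slappasswd produced works."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


ROOTPW_RE = re.compile(r"^\s*rootpw\s+(\S+)", re.IGNORECASE | re.MULTILINE)


def cleartext_rootpw(conf_text: str) -> List[str]:
    """Return every rootpw value that is not in {SCHEME} form, i.e. is stored
    in clear text.  Quoted values (rootpw "secret") are unquoted first."""
    found = []
    for m in ROOTPW_RE.finditer(conf_text):
        value = m.group(1).strip('"')
        if not value.startswith("{"):
            found.append(value)
    return found


def render_slapd_conf(hashed_rootpw: str) -> str:
    """Minimal slapd.conf with the rootpw already hashed and a userPassword
    ACL so that only the rootdn and the entry itself can read credentials.
    Names, suffix and ACL are assumptions for this example."""
    if not hashed_rootpw.startswith("{"):
        raise ValueError("refusing to write a cleartext rootpw")
    return (
        "include   /etc/openldap/schema/core.schema\n"
        "include   /etc/openldap/schema/cosine.schema\n"
        "include   /etc/openldap/schema/inetorgperson.schema\n"
        "# axigen.schema from the Axigen OpenLDAP Schema kit; path assumed\n"
        "include   /etc/openldap/schema/axigen.schema\n"
        "\n"
        "database  bdb\n"
        "suffix    \"o=mail\"\n"
        "rootdn    \"cn=admin,o=mail\"\n"
        f"rootpw    {hashed_rootpw}\n"
        "directory /var/clusterfs/ldap/db\n"
        "\n"
        "access to attrs=userPassword\n"
        "    by self write\n"
        "    by anonymous auth\n"
        "    by * none\n"
        "access to *\n"
        "    by users read\n"
        "    by * none\n"
    )


# Constructed weak configuration, as a slapd.conf copied from a stock example
# might look: the cleartext 'secret' is exactly what the audit should catch.
WEAK_CONF = "suffix \"o=mail\"\nrootdn \"cn=admin,o=mail\"\nrootpw secret\n"

if __name__ == "__main__":
    print("cleartext rootpw found:", cleartext_rootpw(WEAK_CONF))
    print(render_slapd_conf(ssha_hash("use-a-real-passphrase")), end="")
```

The value printed by ssha_hash is byte-for-byte the format slappasswd emits, so it can be pasted into slapd.conf unchanged. The ACL in the rendered file denies anonymous search; if Axigen is configured to bind anonymously for lookups, relax the final rule to by * read, but keep userPassword unreadable.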

Modify the ldap system init script configuration file, to point to the cluster configuration file:

You should also configure the slapd daemon to listen only on the floating IP address allocated to this cluster service, so that the hot stand-by node can take over the same address and no client ever binds to a node-specific address. In this example the floating IP address is 10.9.9.98.

Start the slapd service by issuing:

Create root entries, as follows:

At the end, create a domain with the following command:

Please replace axigen.com in the above command with the domain name used in your organization.

This command must be issued each time a domain is created in Axigen, in order for provisioning operations on that domain to work.
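The root-entry and per-domain steps above, as an added example that is not Axigen's provisioning tooling: it builds the LDIF to feed to ldapadd for the suffix entry and for one mail domain, validating the domain name first so that a crafted value cannot smuggle extra DN components or a second LDIF record into the directory. The suffix o=mail, the one-entry-per-domain layout and the standard objectClasses are assumptions; the Axigen schema kit adds its own attributes, which are not reproduced here.

```python
"""Added example, not from the Axigen documentation: build the LDIF for the
OpenLDAP root entry and for one mail domain, as fed to ldapadd after a domain
is created in Axigen.  The suffix, the per-domain layout and the objectClasses
are assumptions; the Axigen schema's own attributes are not reproduced."""
import re

SUFFIX = "o=mail"                 # assumed suffix; must match slapd.conf
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def validate_domain(domain: str) -> str:
    """Return the normalised domain, or raise ValueError.

    Restricting the value to DNS labels also rules out every character with
    a special meaning in a DN (, + " \\ < > ; = #) and in LDIF (newline,
    leading colon or space), so the value can be placed in a DN unescaped
    and cannot inject a second entry into the LDIF stream."""
    d = domain.strip().lower().rstrip(".")
    labels = d.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(l) for l in labels):
        raise ValueError(f"not a valid mail domain: {domain!r}")
    return d


def is_valid_domain(domain: str) -> bool:
    try:
        validate_domain(domain)
        return True
    except ValueError:
        return False


def domain_dn(domain: str) -> str:
    """DN of the per-domain entry, directly under the suffix."""
    return f"dc={validate_domain(domain)},{SUFFIX}"


def root_entries_ldif() -> str:
    """The suffix entry itself; created once, before any domain."""
    return (
        f"dn: {SUFFIX}\n"
        "objectClass: top\n"
        "objectClass: organization\n"
        "o: mail\n"
        "\n"
    )


def domain_ldif(domain: str) -> str:
    """One entry per mail domain; issued once per domain created in Axigen."""
    d = validate_domain(domain)
    return (
        f"dn: {domain_dn(d)}\n"
        "objectClass: top\n"
        "objectClass: domain\n"
        f"dc: {d}\n"
        "\n"
    )


if __name__ == "__main__":
    # Pipe this output into: ldapadd -x -H ldap://10.9.9.98 -D cn=admin,o=mail -W
    print(root_entries_ldif() + domain_ldif("axigen.com"), end="")
```

Validation rather than escaping is deliberate: a mail domain is a DNS name, so anything outside the label grammar is an error, not a value to be quoted, and rejecting it keeps the DN and the LDIF free of escaping corner cases.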

Stop the OpenLDAP server and unmount the shared partition: