When using the LDAP connectors for the Routing and Authentication functions, Axigen uses an (or more) external LDAP server to find out the exact back-end node where the account is located and to check the provided credentials for all the Proxy Services (IMAP, POP3, SMTP or WebMail).
In this scenario, the LDAP is used as an External User Database. The list of username, passwords and corresponding back-end servers (among many other parameters) are stored in this External User Database.
Another important feature of the LDAP integration with the Axigen mail server is the LDAP Authentication mechanism. This method is available for all the Axigen services that require authentication: SMTP In, POP3, IMAP, WebMail, POP3 Proxy and IMAP Proxy.
The LDAP Connectors are useful (and even required) when you want to integrate via the LDAP protocol with other components (e.g. a provisioning system that cannot be integrated using the Axigen CLI, and only supports LDAP).
Integration with LDAP (OpenLDAP and Active Directory) evolved and now synchronization of users and groups is possible in three different manners:
- Axigen to LDAP;
- LDAP to Axigen;
- Both ways.
This section includes a brief LDAP introduction, Axigen Mapping and Authentication systems, as well as front-end and back-end services setup in Axigen.
Multi-tier cluster architecture
The solution uses three tiers to provide the required functionality. The load balancer tier provides services for network layer 4 (transport), TCP connections, and is completely unaware of account information; it only provides distribution of connections to the nodes in the front-end tier.
The front-end tier comprises of nodes running proxy services and SMTP routing services. Its task is to ensure that messages and connections are routed to the appropriate node (depending on the account for which a request is being performed) in the backend tier.
Finally, the backend tier provides access to persistent data (such as account configuration and mailbox data); each node in the backend tier is capable of responding to requests for a set of accounts. No node in the backend tier is capable of servicing requests for an account that is serviced by a different node.