Using Kopano with HAProxy as an LDAP load balancer

robertwbrandt

Although I’m told that the new 8.2 version of Kopano will greatly reduce the number of LDAP lookups to our Domain Controller, I’m still looking at inserting a HAProxy between Kopano and our DCs.

The reason I’m looking at this is that our DCs are crap (i.e. Microsoft) and have caused our mail system to crash a few times! Problem is that it isn’t the DC that gets blamed, it is Kopano! (and me)

I’m wondering if anyone has any experience with using HAproxy with LDAP (Global Catalog) or whether they can tell me in no uncertain terms that it is a bad/good idea?

Thanks
Bob

fbartels

Hi Bob,

@robertwbrandt said in Using Kopano with HAProxy as an LDAP load balancer:

in no uncertain terms

If you need an official statement on this, it will be best to contact our support for this.

robertwbrandt

Well I guess “in no uncertain terms” was a bit strong… :)

scottalanmiller

HA Proxy feels like the wrong way to tackle this. What about a DNS Round Robin to cycle through the DCs so that it load balances that way? HA Proxy is very heavy handed, IMHO, for something that should be decently simple.

Or, another decent option would be to make a read only AD DC that is dedicated for email lookups. It could be kept on SSD, kept with less redundancy (or none) and kept close or even on the same host as the Kopano system to minimize latency and keep the lookups from hitting the main DCs. Then, if there were any delay, only email would feel it, nothing else.

fbartels

@scottalanmiller the bad part about asking multiple AD via round robin is that you will receive timeouts if one of these systems is not available. These timeouts you can prevent with haproxy (or other ldap capable loadbalancers).

scottalanmiller

@fbartels said in Using Kopano with HAProxy as an LDAP load balancer:

@scottalanmiller the bad part about asking multiple AD via round robin is that you will receive timeouts if one of these systems is not available. These timeouts you can prevent with haproxy (or other ldap capable loadbalancers).

That’s very true, hopefully in a situation like this you would not have DCs going up and down with any regularity. If you do, that would create a lot of other problems and would explain why the DCs aren’t working as it is. DNS Round Robining is, in theory, how DCs are supposed to work by default, actually. It just has automated harvesting.

Which actually means that a load balancer like HAProxy would not actually do anything, as there is already load balancing in place that is not working properly.

robertwbrandt

For the record, I have implemented the HAProxy solution and it is working beautifully.

@scottalanmiller said

That’s very true, hopefully in a situation like this you would not have DCs going up and down with any regularity. If you do, that would create a lot of other problems and would explain why the DCs aren’t working as it is. DNS Round Robining is, in theory, how DCs are supposed to work by default, actually. It just has automated harvesting.

Which actually means that a load balancer like HAProxy would not actually do anything, as there is already load balancing in place that is not working properly.

A few years ago, we moved from a Linux based environment (Novell eDirectory) to Microsoft. And during this time we have seems some issues with Microsoft DCs.
First problem is a memory leak (small but noticeable).
Second, Microsoft Servers need a TON more resources!
Third, when the DCs are about to fail, they do so in weird ways. They still respond to network services and all of our SNMP and server monitoring tools can’t detect any problems, but DNS, LDAP and other requests start failing here and there!

HAProxy is intelligent enough to detect this and stop sending requests to that server for a period of time!