kopano issues when one dc down



  • hello

    I have Kopano set up to use LDAP authentication.
    I have two domain controllers for my domain.
    When one domain controller goes down, Kopano starts to have multiple issues.
    It doesn't seem to matter which domain controller goes down.
    The problem does not appear to be with the DC, as domain auth continues working.
    The mail server continues working; the only issues I have are Kopano related.
    I can telnet to the mail server and send mail manually from there.
    WebApp does not function at all: it does not load after initial authentication, no error, it just keeps spinning (loading).
    Z-Push barely works; most of the time it doesn't sync emails, sync works about once every 30 minutes,
    and I still cannot send emails with mobile.

    I have included my Kopano ldap.cfg below for reference.

    ##############################################################
    #  LDAP DIRECTORY USER PLUGIN SETTINGS
    #
    
    # Select implementation.
    # If you have any reason to override settings from /usr/share/kopano/*.cfg,
    # do so at the end of this (/etc-resident) config file.
    #
    #!include /usr/share/kopano/ldap.openldap.cfg
    !include /usr/share/kopano/ldap.active-directory.cfg
    
    # LDAP host name/IP address
    # this record points to two domain controllers (ive also tried using both direct ip addresses)
    ldap_host = ad.mydomain.local
    
    # LDAP port
    # Optional, default = 389
    # Use 636 for ldaps
    ldap_port = 389
    
    # LDAP protocol
    # Optional, default = ldap
    # use 'ldaps' for Implicit SSL encryption. Make sure /etc/ldap/ldap.conf is
    # configured correctly with TLS_CACERT
    ldap_protocol = ldap
    
    # LDAP URI
    # Optional, override ldap_host, ldap_port and ldap_protocol if set
    # e.g. ldaps://servername:port. You may also specify multiple space-separated
    # URIs
    #ldap_uri =
    
    # The charset that strings are stored in on the LDAP server. Normally this
    # is utf-8, but this can differ according to your setup. The charset specified
    # here must be supported by your iconv(1) setup. See iconv -l for all charset
    #ldap_server_charset = utf-8
    
    # The DN of the user to bind as for normal operations (not used for
    # authentication if ldap_authentication_method is set to "bind".
    # When empty, uses anonymous binding.
    # The userPassword attribute must be readable for this user if the
    # ldap_authentication_method option is set to password.
    ldap_bind_user = username
    
    # LDAP bind password
    ldap_bind_passwd = password
    
    # The timeout for network operations in seconds
    ldap_network_timeout = 20
    
    # ldap_page_size limits the number of results from a query that will be downloaded at a time.
    # Default ADS MaxPageSize is 1000.
    #ldap_page_size = 1000
    
    ##########
    # Object settings
    
    # Top level search base, every object should be available under this tree
    ldap_search_base = dc=mydomain,dc=local
    ldap_user_search_filter = (KopanoAccount=1)
    #this is a custom attribute i inserted into ad schema to avoid running ad lds instance
    
    # Use custom defined LDAP property mappings
    # This is not a requirement for most environments but allows custom mappings of
    # special LDAP properties to custom MAPI attributes
    #!propmap /etc/kopano/ldap.propmap.cfg
    

  • Kopano

    Hello @itzjustinn ,

    Unfortunately, you don't say which version you are running.

    And most importantly, the ldap configuration you have posted only makes use of a single ldap connection (just one entry in ldap_host, no entries in ldap_uri).

    Generally it should work the following way:

    • you have a number of threads (x) configured in server.cfg
    • each of these threads holds a dedicated connection to your ldap
    • if the first entry in ldap_uri goes down, connections will time out and each thread will reconnect on its own to the next entry in ldap_uri.
    • this entry will be used until it fails and the process begins anew.

    Since each thread has to time out individually before switching over to a fallback, this process takes some time. If you want quicker failover, the best way is to implement an LDAP proxy in front of your AD.
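The precedence the reply relies on (ldap_uri overrides ldap_host/ldap_port/ldap_protocol, several space-separated URIs give the threads something to fail over to) can be checked offline with a small audit of the ldap.cfg format. This is an added example, not Kopano's code; the dc1/dc2 hostnames are constructed, and treating one ldap_host name as a single entry even when DNS round-robins it over two DCs follows the reply above.

```python
"""Audit a Kopano ldap.cfg for a single LDAP endpoint (added example, not
Kopano's own code). Parses the key = value format of the posted file, applies
the documented precedence (ldap_uri overrides ldap_host/ldap_port/ldap_protocol)
and reports whether a second endpoint exists to fail over to."""

# Constructed configs: the thread's single-host setup and the ldap_uri fix.
SINGLE_HOST_CFG = """
!include /usr/share/kopano/ldap.active-directory.cfg
ldap_host = ad.mydomain.local   # DNS round-robin over two DCs
ldap_port = 389
ldap_protocol = ldap
#ldap_uri =
ldap_network_timeout = 20
"""
FAILOVER_CFG = SINGLE_HOST_CFG.replace(
    "#ldap_uri =", "ldap_uri = ldap://dc1.mydomain.local:389 ldap://dc2.mydomain.local:389")


def parse_ldap_cfg(text):
    """Return {key: value}; comments, blank lines and ! directives are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop full-line and inline comments
        if not line or line.startswith("!") or "=" not in line:
            continue                              # !include is noted, not followed
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def effective_uris(cfg):
    """Endpoints the server will try, in failover order (space-separated ldap_uri)."""
    if cfg.get("ldap_uri"):
        return cfg["ldap_uri"].split()
    host = cfg.get("ldap_host")
    if not host:
        return []
    # One hostname is one entry even if DNS resolves it to several DCs.
    return [f"{cfg.get('ldap_protocol', 'ldap')}://{host}:{cfg.get('ldap_port', '389')}"]


def audit(text):
    """Summarise redundancy and the per-operation timeout that gates failover."""
    cfg = parse_ldap_cfg(text)
    uris = effective_uris(cfg)
    timeout = cfg.get("ldap_network_timeout")
    return {"uris": uris, "redundant": len(uris) > 1,
            "network_timeout_s": int(timeout) if timeout else None}
```

Run `audit()` over the real /etc/kopano/ldap.cfg: a result with `redundant: False` means every server thread shares the same single endpoint and an outage of that endpoint leaves nothing to reconnect to.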



  • Hi, thank you for the response.
    I added entries for both DCs in the ldap_uri field.
    Now failover is occurring within minutes and all the problems I was seeing are resolved.

    Please tell me what purpose the multiple threads serve if all threads are connected to the same ldap host and fail over after a timeout. I'm only curious to understand more about how it works.


  • Kopano

    Hi @itzjustinn ,

    Well, multiple threads = more threads to process user requests. Each has its own ldap connection to be self-sufficient.

