LDAP Architecture: Difference between revisions


Revision as of 22:17, 21 November 2013

Admin Article

Article Information

This article applies to the following ZCS versions: ZCS 7.0, ZCS 8.0.


Zimbra LDAP Architecture

Zimbra uses OpenLDAP as one of its primary datastores. The LDAP database is used to store a wide variety of data, including but not limited to:

* Server configuration pieces
* Software configuration pieces (Jetty, Postfix, OpenDKIM, Amavis, ClamAV, etc.)
* User data
* COS data

OpenLDAP Internals

OpenLDAP and BDB (ZCS7 and previous)

In ZCS 7 and prior releases, OpenLDAP uses Berkeley Database (BDB) as the storage engine. OpenLDAP has two database backends that rely on BDB, back-bdb and back-hdb. Zimbra uses the back-hdb backend because its performance profile is superior to that of back-bdb. A number of tuning pieces are necessary to get optimal performance with either back-bdb or back-hdb. Detailed specifics on tuning are documented at [OpenLDAP performance tuning for ZCS 7]. Here we give an overview of the different pieces.

OpenLDAP Caches

Unfortunately, reading data directly out of the BDB database is quite slow. To work around this limitation, the OpenLDAP server process (slapd) has three caches per BDB database that can be configured to hold data directly in memory while the process is running, so that entries do not have to be constantly pulled out of the BDB database. The larger the cache settings, the greater the total memory requirement of the slapd process. Caches evict entries based on the [CLOCK Algorithm]. These caches are:

  • Entry cache -- This caches full entries up to the configured maximum in memory
  • IDL cache -- This caches the results of the most frequent indexed queries in memory
  • DN cache -- This caches the entry DNs for the entries in the database in memory. This should be left at unlimited if at all possible.
  • Cache free -- This setting determines how many entries are freed from a cache when it fills up, which can only happen if its configured maximum size is smaller than the total possible number of entries.

BDB Caches

BDB operates with a BDB-specific caching layer between the database and any application using BDB. This caching layer can either be on disk or stored in memory via [Shared Memory]. For optimal performance, it is recommended to use shared memory. This setting has the single greatest impact on OpenLDAP performance. It is highly recommended that the BDB cache be larger than the size of the DB so that the database can be fully contained in memory.

OpenLDAP database storage format with BDB

When an entry is stored in OpenLDAP, it is broken down into multiple parts inside the BDB database. These parts are:

  • The dn2id.bdb database. This database maps an entry DN to a unique identifier.
  • The id2entry.bdb database. This database contains the entries stored by unique identifier.
  • Index databases. The number of these databases depends on which indices have been configured inside OpenLDAP: there is one index database per indexed attribute. An index database is queried when an LDAP search filter contains an indexed attribute, so that the entire id2entry database does not have to be scanned for results.

OpenLDAP and LMDB (ZCS8 and later)

With ZCS8 and later, Zimbra uses the back-mdb backend by default. This backend uses the LMDB (Lightning Memory-Mapped Database) library for storage.

LDAP and Authentication

By default, Zimbra authenticates users against their user entry stored in LDAP via a custom Zimbra Authentication module. However, it is possible to configure Zimbra to authenticate users through an external directory server instead. Authentication is done any time it is necessary to validate the identity of the user. Some locations requiring authentication:

  • Web client login
  • POP connections
  • IMAP connections
  • SMTP(S) connections

OpenLDAP and Nginx

In the majority of installations, Nginx does not access LDAP directly. However, when certificate authentication or a SASL mechanism such as GSSAPI is used, Nginx authenticates against LDAP in order to log into the upstream server.

OpenLDAP and the MTA

OpenLDAP and Postfix

Postfix uses the OpenLDAP server extensively. All email going through Postfix results in multiple queries being made to the LDAP server to determine the delivery destination(s) for the given email.

OpenLDAP and Amavis

Amavis queries the LDAP server during every email delivery to look up information such as banned users and whitelisted users for use in scoring the email for delivery.

OpenLDAP and OpenDKIM

OpenDKIM queries the LDAP server on outgoing emails to determine if signing is enabled for the sending domain. If signing is enabled, it grabs the signing key information from the LDAP server as well. Example OpenDKIM query:

  • SRCH base="" scope=2 deref=0 filter="(DKIMIdentity=zimbra.com)"
  • SRCH attr=DKIMSelector
  • SEARCH RESULT tag=101 err=0 nentries=1 text=
  • SRCH base="" scope=2 deref=0 filter="(DKIMSelector=C2AA288C-EE47-11E2-9BB0-E820BDD9BDBF)"
  • SRCH attr=DKIMDomain DKIMSelector DKIMKey
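As an added example (not part of the original article), the following Python groups slapd search log lines in the format of the excerpt above into one record per search and flags sending domains whose DKIMIdentity lookup matched no entry or failed, since OpenDKIM then has no selector and the message leaves unsigned. The sample log and the domain unsigned.example are constructed; real slapd access logs also carry conn=/op= prefixes, omitted here as in the excerpt.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the format of the slapd excerpt on this page; the third
# search is a made-up domain with no DKIMIdentity entry (lookup returns nothing).
SAMPLE_LOG = """\
SRCH base="" scope=2 deref=0 filter="(DKIMIdentity=zimbra.com)"
SRCH attr=DKIMSelector
SEARCH RESULT tag=101 err=0 nentries=1 text=
SRCH base="" scope=2 deref=0 filter="(DKIMSelector=C2AA288C-EE47-11E2-9BB0-E820BDD9BDBF)"
SRCH attr=DKIMDomain DKIMSelector DKIMKey
SEARCH RESULT tag=101 err=0 nentries=1 text=
SRCH base="" scope=2 deref=0 filter="(DKIMIdentity=unsigned.example)"
SRCH attr=DKIMSelector
SEARCH RESULT tag=101 err=0 nentries=0 text=
"""

SRCH_RE = re.compile(r'^SRCH base="[^"]*" scope=\d deref=\d filter="(?P<filter>.*)"$')
ATTR_RE = re.compile(r"^SRCH attr=(?P<attrs>.*)$")
RESULT_RE = re.compile(r"^SEARCH RESULT tag=\d+ err=(?P<err>\d+) nentries=(?P<n>\d+) text=.*$")

@dataclass
class Search:
    filter: str
    attrs: list = field(default_factory=list)  # attributes requested by the client
    err: int = -1        # LDAP result code (0 = success); -1 until the RESULT line is seen
    nentries: int = 0    # entries returned

def parse_searches(log: str) -> list:
    """Group each SRCH / SRCH attr / SEARCH RESULT triple into one Search record."""
    searches, current = [], None
    for line in log.splitlines():
        if m := SRCH_RE.match(line):
            current = Search(filter=m["filter"])
            searches.append(current)
        elif (m := ATTR_RE.match(line)) and current:
            current.attrs = m["attrs"].split()
        elif (m := RESULT_RE.match(line)) and current:
            current.err, current.nentries = int(m["err"]), int(m["n"])
            current = None
    return searches

def unsigned_domains(searches: list) -> list:
    """Domains whose DKIMIdentity lookup failed or matched no entry: their mail leaves unsigned."""
    flagged = []
    for s in searches:
        m = re.fullmatch(r"\(DKIMIdentity=(.+)\)", s.filter)
        if m and (s.err != 0 or s.nentries == 0):
            flagged.append(m[1])
    return flagged
```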

OpenLDAP and MBS

Verified Against: ZCS 7.0, ZCS 8.0
Date Created: 11/21/2013
Article ID: https://wiki.zimbra.com/index.php?title=LDAP_Architecture
Date Modified: 2013-11-21
