[Users] June 16, 2020 Zeta Alliance Conference Call Summary
Randy Leiker
randy at skywaynetworks.com
Fri Jun 19 07:42:46 CEST 2020
Hello Zeta Alliance Community,
Here is a summary of this week’s conference call. A few brief reminders:
* Conference calls are every Tuesday and open to all using either the FreeConferenceCall.com VoIP app or via a dial-in number: https://www.freeconferencecall.com/wall/zetalliance
* Each week’s call agenda can be found at: https://docs.google.com/document/d/1uUUDJpwp2CAylU6lxtbEdVcUX_qSbciyes6gLTWw2fY/edit
* A copy of each week’s summary is also posted to the Zimbra Forums:
  * April 2020: https://forums.zimbra.org/viewtopic.php?f=9&t=68073
  * May 2020: https://forums.zimbra.org/viewtopic.php?f=9&t=68214
  * June 2020: https://forums.zimbra.org/viewtopic.php?f=9&t=68342
* Constructive feedback on these call summaries is always welcome.
June 16, 2020 Conference Call Summary
Using MMR And SSDB To Balance LDAP Write Requests In Zimbra
Marc G. shared a problem he recently encountered where his LDAP servers in Zimbra became overwhelmed with write requests, eventually leading to the LDAP servers becoming non-responsive, and user authentication requests for mailbox access failing. He described his current LDAP topology as one primary (master) server, which handles read + write requests, and one secondary (slave) server, which handles read-only requests.
To better manage heavy write loads, Marc asked if it is better to use the multi-master replication (MMR) feature, or if it is better to use the SSDB support, both of which are available in Zimbra 8.8.x and newer. For the best performance, resiliency, and scalability, John E. said that it is optimal to use MMR, combined with read-only LDAP replicas and SSDB.
He explained that the most important component is MMR, as it provides HA (high availability) for the Zimbra LDAP service, ensuring that there are at least 2 or more LDAP servers that can handle read and write requests, and ensuring that users can always authenticate for mailbox access. When combined with LDAP replicas, this allows Zimbra to send only write requests to the LDAP MMR servers, and all read requests to the LDAP replicas. If SSDB servers are used, this further removes write loads from the MMR servers, as SSDB is specifically built to perform well with heavy write loads, whereas OpenLDAP generally performs poorly with frequent write requests.
John said that since SSDB stores ephemeral (briefly stored) data in Zimbra, such as authentication tokens, CSRF tokens, and last login time stamps, if the SSDB servers should fail, Zimbra will still work, but at the cost of forcing already authenticated users to re-authenticate to continue accessing their mailboxes. By comparison, if all of the LDAP servers are lost, Zimbra will no longer work, and no mailbox access is possible until the LDAP servers are recovered. John said that it is not essential to set up SSDB with HA, and in cases where a single SSDB server is used, there should at least be a process that monitors the SSDB server and restarts it, if needed.
He also pointed out that when a customer contacts Zimbra Support regarding an LDAP performance issue, Support will frequently ask the customer to disable the last login time stamp and CSRF tokens, especially if an SSDB server is not yet part of a customer’s Zimbra topology.
John E. also mentioned that the OpenLDAP project originally did not support HA, but in working with Zimbra during the early part of its history, the OpenLDAP and Zimbra teams collaborated to effectively bolt on HA capabilities in OpenLDAP.
For a more in-depth explanation of the MMR, LDAP replica, and SSDB options, refer to:
* https://wiki.zimbra.com/images/3/32/EphemeralData.pdf
* https://zimbra.github.io/zimbra-9/zdminguide.html#_ssdb_installation_and_configuration
* https://wiki.zimbra.com/wiki/LDAP_Multi_Master_Replication
Zimbra’s Compatibility with Redis
Marc G. said that since the Zimbra Administration Guide specifies that a Redis-based client is used to interact with SSDB, he wondered if he could use his existing Redis infrastructure. John E. said that it might work, but recommended testing it carefully. He said that getting SSDB set up in HA is relatively easy, but setting up HA with Redis may be more involved.
Split-Brain When Using OpenLDAP In A MMR Configuration
Mark S. shared an experience he had with another Zimbra installation he used to operate where he had two master LDAP servers become out of sync with each other, leading to a split-brain situation. To correct it, he said he compared the two LDAP databases side-by-side using a third-party LDAP tree visualization tool, which he used to see which LDAP values on either server were newer. He then cloned one of the LDAP master servers, and for each LDAP key value, set the newly re-built master LDAP server to those newest values from the prior two LDAP servers experiencing the split-brain issue.
Built-In Versus External Support For SSDB In Zimbra
Mark S. said that his only concern about SSDB is that Zimbra does not directly support it, since it is up to the Zimbra administrator to separately provision their own SSDB servers, and SSDB is not distributed with Zimbra. John E. said that Mark should raise this point with Zimbra and that not using SSDB creates more risk for LDAP, since intensive writes to LDAP servers are known to create problems.
Free/Busy Issue Resolved
Noah reported that an earlier issue he encountered with the Free/Busy feature in the Zimbra Connector for Outlook, as described at https://wiki.zimbra.com/wiki/Free_Busy_-_Troubleshooting#Free.2FBusy_issue_from_Zimbra_Connector_for_Outlook_.28ZCO.29_.3D , has been successfully resolved as of 8.8.15 Patch 9 and 9.0 Patch 2.
Feedback On Using ActiveSync 16.1 In Zimbra
Mark S. reported that after installing 8.8.15 Patch 10, he enabled ActiveSync 16.1 support for his clients, while keeping Samsung devices on ActiveSync 2.5, and said there have been no issues. He said a few clients needed to do a full re-sync of their mailboxes on their phones, and the clients that were mainly affected were those with large mailboxes (25+ GB mailboxes). For those clients, he had each client delete their Exchange profile on their phone, then re-add the profile, followed by allowing a lot of time for the re-synchronization of the mailbox to complete on the client’s phone.
As discussed in the May 5th call summary ( http://forums.zimbra.com/viewtopic.php?f=9&t=68214&sid=b6884f0de683515b942be850656c0071#p297273 ), proceed carefully when performing a global upgrade/downgrade of the ActiveSync version for your clients to ensure a smooth transition to the new global ActiveSync version.
Randy Leiker ( randy at skywaynetworks.com )
Skyway Networks, LLC
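
Added example (not part of the original message and not a tool used on the call): a scripted version of the side-by-side comparison described under "Split-Brain When Using OpenLDAP In A MMR Configuration". It assumes each master was exported to LDIF with operational attributes included, so every entry carries `modifyTimestamp`; the sample data, the `reconcile` and `parse_ldif` names, and the per-entry (rather than per-attribute) granularity are assumptions of this sketch.

```python
# Constructed sample exports (not data from the call), slapcat-style LDIF.
LDIF_A = """\
dn: uid=alice,ou=people,dc=example,dc=com
zimbraAccountStatus: active
modifyTimestamp: 20200610120000Z

dn: uid=bob,ou=people,dc=example,dc=com
modifyTimestamp: 20200611090000Z

dn: uid=carol,ou=people,dc=example,dc=com
modifyTimestamp: 20200612080000Z
"""
LDIF_B = """\
dn: uid=alice,ou=people,dc=example,dc=com
zimbraAccountStatus: locked
modifyTimestamp: 20200612153000Z

dn: uid=bob,ou=people,dc=example,dc=com
modifyTimestamp: 20200611090000Z
"""
OPERATIONAL = {"modifyTimestamp", "entryCSN", "modifiersName"}
# modifyTimestamp is fixed-width UTC (YYYYMMDDHHMMSSZ): text order is time order.
stamp = lambda entry: max(entry.get("modifyTimestamp", {""}))

def parse_ldif(text):
    """Return {dn: {attr: set(values)}}; base64 ("attr:: x") values stay encoded."""
    entries, current = {}, None
    for line in text.replace("\n ", "").splitlines():  # unfold continuation lines
        if not line.strip():
            current = None  # blank line ends the current entry
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if attr.lower() == "dn":
                current = entries.setdefault(value.strip().lower(), {})
            elif current is not None:
                current.setdefault(attr, set()).add(value.strip())
    return entries

def reconcile(ldif_a, ldif_b):
    """Map each differing DN to (newer side or review flag, changed attributes)."""
    a, b, report = parse_ldif(ldif_a), parse_ldif(ldif_b), {}
    for dn in sorted(set(a) | set(b)):
        ea, eb = a.get(dn), b.get(dn)
        if ea is None or eb is None:  # add or delete seen by one side: review by hand
            report[dn] = ("only_on_B" if ea is None else "only_on_A", [])
        elif changed := sorted(k for k in (ea.keys() | eb.keys()) - OPERATIONAL
                               if ea.get(k) != eb.get(k)):
            ta, tb = stamp(ea), stamp(eb)
            report[dn] = ("tie" if ta == tb else "A" if ta > tb else "B", changed)
    return report
```

Entries that are identical on both servers are left out of the report, and entries present on only one side are flagged rather than resolved, since an export alone cannot tell a missed add from a missed delete.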