Multiple Active Directory Zentyal Slaves

[Zadeet]

Good Day All

First off a big big thank you for a wonderful product - especially the solution that a combination of Zentyal/Zarafa and Active Directory provides for many of my customers who are no longer willing to fork out for the expense of Active directory/exchange. This solution provides practically everything most exchange users need, including connecting mobile devices(android/blackberry etc) with very little effort on my part. Sync with Active Directory on both server 2003 and 2008 works pretty much flawlessly for me.

Most of my customers are small and they can get buy with one physical server for all zentyal roles, but one specific customer requires isolated server roles for security reasons. What im saying is: totally isolated instances of zentyal mail, file sharing, astarisk, web server and so on. My immediate solution is proxmox with OpenVz containers for each separate process - no KVM available here - older hardware with no virtualization support. But now active directory user/group sync for all zentyal processes(openvz containers) what would the official zentyal way be of doing this, if it is possible? Configure one zentyal container, say "mail" as active directory slave, and all other containers as zentyal LDAP slaves syncing to active directory slave?

Any input and assistance will be greatly appreciated

Craig...

[ichat]

did you read this it should certainly be possible to add more than one slave this way and installing a module on top.

[Zadeet]

Hi Ichat, and thank you...

No ive never seen that configuration before, so im going to simulate in my lab now to see if it works out. I will post back my findings later...

Regards

Craig...

[Zadeet]

Success!!

In a virtual machine environment(proxmox openvz containers) i set up two zentyal VM's "mail" and "fileserver". I configured both as active directory slave and with a minimum of fuss they both synced with my server 2008R2 and pulled users and groups!

Thanks guys for zentyal - you rock!

How do i mark this post as solved, and does anybody have any queries with this configuration(logs and config files?) so i can pass on my successes to others?

Many many thanks

Craig

[vshaulsk]

Zadeet: This is an off topic question, but I have some questions for you about proxmox.

First a quick performance question:  As a file server I assume you are using virtual storage..... how is the performance with that.  (I have experience with virtualbox running on top of zentyal and I find that samba transfers are much slower from a VM then from the physical server.... I have many files ranging from 500 mb to 10 gig)

Second:  Are you running zentyal as the gateway on your proxmox??  I am thinking of splitting some of my services similar to how you have setup, but I am not sure how I would do such a thing and still have zentyal as my gateway.

Thank you:  Sorry for stealing the thread

[Zadeet]

Greetings Vshaulsk

No, im not using Zentyal as a gateway - i use Pfsense. Its generally considered a bad idea to virtualize your gateway/firewall/router, and o run as little services on it as possible. So i would rather suggest, keep your services such as web, mail, file sharing on a dedicated server running proxmox, and run a minimal zentyal or pfsense on a dedicated server as your gateway/router/firewall - much more secure due to less surface to attack.

Performance wise, in my limited tests with mixed files up to 2Gb, theres little performance loss - proxmox openvz containers effectively use host fiesystem for storage, whereas Virtuabox uses a VMDK file as storage ON TOP of host filesystem.

Really hope this is helpful to you.

Best regards

Craig

[vshaulsk]

Thank you !!!  It does help a lot and explains things I really needed to know !!!

[jsalamero]

The prefered way to manage this is to have AD <-> Zentyal LDAP master <-> Zentyal slaves. Cheers.

[Zadeet]

Hi Jsalamero and thank you

I wasnt very clear - that is in fact how I ended up configuring this project. When I allowed all the slaves to sync directly with the server 2008, only the very first server configured synced correctly. For some reason I didnt have time to look into, all the other slaves would only pull users and groups, but no passwords for users. So the ldap master route is working fine for me and im actually busy deploying this cofiguration at the customer as we speak.

Where can I find out more about how your plugin for the active directory server actually works?

Best Regards

Craig

[jsalamero]

Hi,

there is not much more documentation but the source code.

Regards,