Kerio Connect: open directory outage
  •  
tpyro

We're about to have the carpets replaced in our server room so we'll need to unplug all of our servers for several hours while the work is done. Our KMS is running on a tower computer so we can simply move it to another location with minimal downtime. The problem is that we authenticate against an Open Directory server which is mounted in a rack along with a RAID, UPS, etc. It is not feasible to just move this rack somewhere else and power it up.

We have at least one critical mail account that needs to remain available. I understand that we can delete an OD-associated account and recreate it locally on the Kerio server, provided we're careful not to delete the message store. Is there any risk in doing this adjustment to a few accounts, leaving the server running while OD is inaccessible?

Will incoming messages still be accepted for the other accounts (which remain linked to OD)?

Also very important: will the UIDVALIDITY be preserved in the converted accounts? Some of these are large mailboxes accessed over slow connections. It would defeat the purpose if these inboxes had to be rebuilt.
  •  
InterHmai

We're still on 6.7.2 here, but from my own past experience, when KMS is unable to reach a suitable OD server, no one is able to log in at all regardless of authentication type.

You really need an OD replica available for this type of situation, or any situation just in case your OD master fails.
  •  
marook

Hi,

Converting the account from OD to Local will NOT log that user out! ONLY OD users will not be able to log in if the OD does not authenticate them!
@InterHmai: Does your Admin account also stop working?? Nope...

Delete user, KEEP message store, Create User as Local, same shortname = account back online, with password set during creation.
Since the message store for the user is not touched, the remote email client should not see any change.
This will only happen if you migrate the account over from another email server!

PS: Why in the world do you have carpets in your server room!!!!!????? (They make dust that breaks your servers!)
I hope it's a new vinyl floor or 'linoleum' or something.. ;)

Regards,

Jakob Peterhänsel
Consultant - Humac A/S

Apple Certified Support Professional (ACSP)
Apple Certified Technical Coordinator (ACTC)
AppleSeed/CQF member since 1998
Kerio Messaging Partner
  •  
tpyro

I tested one account earlier, exactly the way marook describes. It worked perfectly, but InterHmai's post is making me rethink this. Converting one account doesn't fully simulate the move. KMS will start accumulating open/unanswered queries to the OD server and who knows if it can handle this gracefully. I've seen web servers lock up under similar circumstances ("too many open files"). Unless we get a strong confirmation that KMS can handle this, we'll have to make other arrangements. Thanks, both.

  •  
InterHmai

We recently converted from local Kerio accounts to OD accounts, not all at the same time.

So for a while, we had a mix of local and OD accounts.

When our OD master/replica servers were inaccessible, Kerio would just choke and not authenticate any users at all. If I remember correctly, it also bounced all emails saying the user did not exist. Admin access still worked through the console, but was very slow. After the OD server came back, things were back to normal.

Anyway, it's pretty easy to test quickly if you just turn off your OD server temporarily and see how Kerio will react. Maybe at night or when email traffic is low.
  •  
marook

Ok, let's get the Facts right here:

OD/AD accounts do NOT have any passwords stored/cached in Kerio, so Kerio does NOT 'choke' if your OD is down - it simply just can't validate your password, since the Directory is not responding - that's why Replicas were invented.. :)

Local accounts should NEVER be affected by a directory that is down.
Are you sure the admin login was not simply because you typed wrong?? ;) (I've done this myself.. too eager to get in..)

Anyway, any login attempts that go wrong are logged in the Security log.. have a look there!


User Authentication issues will NEVER influence delivery to the account!
If the account is there, is Active, and not over Quota, mail is delivered to it! Incoming mail is never checked against a password - how should Kerio do so?? It does not have the password!

Comprende? ;)

Regards,

Jakob Peterhänsel
Consultant - Humac A/S

Apple Certified Support Professional (ACSP)
Apple Certified Technical Coordinator (ACTC)
AppleSeed/CQF member since 1998
Kerio Messaging Partner