Messaging Gateway


LDAP Sync Issues Brightmail Gateway 8.0 (Virtual Appliance)

  • 1.  LDAP Sync Issues Brightmail Gateway 8.0 (Virtual Appliance)

    Posted Apr 13, 2009 10:25 AM
    Hi again,

    I'm having issues setting up LDAP Sync.  I have set up LDAP Authentication fine and it's working great!  However, when I try to set up an LDAP Sync server I receive the following error after about 30 mins of waiting:

    "Connection to the synchronization service timed out while adding a synchronization process. The base DN of the LDAP source may contain too many entries, please increase the connection timeout value or trim down the source's size"

    I have even tried drilling down to an OU that only contains 20 objects and it still takes just as long and it still errors out.  I have also run a NETMON from my LDAP server and hit "save" on the LDAP setup page and I've watched the communication between my gateway and the LDAP server... it just seems that the gateway isn't doing anything with the information my LDAP is sending it.

    Any suggestions?


  • 2.  RE: LDAP Sync Issues Brightmail Gateway 8.0 (Virtual Appliance)
    Best Answer

    Posted Apr 13, 2009 12:04 PM

    I know this may not be a fix, but have you tried to use "Recipient Validation" instead of Synchronization to see if this exhibits the same behavior?

    The difference here is that Recipient Validation does an "on the fly" lookup instead of relying mainly on the synchronized data pulled over to the scanners.

    Let us know if this does the same thing, or if it acts any differently. I would be curious as to whether it is going to act the same or not.

    Thanks!



  • 3.  RE: LDAP Sync Issues Brightmail Gateway 8.0 (Virtual Appliance)

    Posted Apr 13, 2009 12:26 PM
    Recipient Validation worked fine as well... at this point it's just the Sync that is failing.


  • 4.  RE: LDAP Sync Issues Brightmail Gateway 8.0 (Virtual Appliance)

    Posted Apr 13, 2009 12:38 PM
    Would you be comfortable just using Recipient Validation instead of Synchronization? Having both enabled is somewhat of a redundancy.

    We still have both options depending on how customers want to use the feature. But they are largely the same.

    Let me know.


  • 5.  RE: LDAP Sync Issues Brightmail Gateway 8.0 (Virtual Appliance)

    Posted Apr 13, 2009 12:42 PM

    Would you be comfortable just using Recipient Validation instead of Synchronization? Having both enabled is somewhat of a redundancy.

    We still have both options depending on how customers want to use the feature. But they are largely the same.

    Let me know.

    What kind of performance impact is there against the LDAP server using Recipient Validation vs. Sync?  I'm assuming Recipient Validation pegs the server whenever it needs to query LDAP vs. a Sync only hitting the Scanner LDAP databases.

    We process close to 150,000 messages a day.



  • 6.  RE: LDAP Sync Issues Brightmail Gateway 8.0 (Virtual Appliance)

    Posted Apr 13, 2009 12:53 PM

    I don't really have numbers on that or comparison charts on overhead to your LDAP server personally, (Maybe someone else here might have something like that) but from what I have heard, it's not bad at all.

    You would be correct in that it will query LDAP when messages come in, but the good thing about that is that you don't run into the issues inherent with Synchronization. (I.e., dropping good messages because users haven't synced.) From what I have been hearing, the Recipient Validation feature has been working really well.

    Is your LDAP in-house? If so, regardless of whether you are having issues with Sync, I would recommend Recipient Validation anyways if you can get away with it.



  • 7.  RE: LDAP Sync Issues Brightmail Gateway 8.0 (Virtual Appliance)

    Posted Apr 13, 2009 01:21 PM

    Last question for you, Tom.  If I go the RV route instead of Sync, can multiple LDAP servers be configured for the validation... if so does it load balance between them or is it just first available?



  • 8.  RE: LDAP Sync Issues Brightmail Gateway 8.0 (Virtual Appliance)

    Posted Apr 13, 2009 01:32 PM
    You can have multiple Sync or RV sources. The only restriction here is that you can only have one Authentication source. Also I don't believe we have load balancing within the program so it should be first available. The only way I have seen this done is with an aliased server name and load balanced externally.

    Thanks!


  • 9.  RE: LDAP Sync Issues Brightmail Gateway 8.0 (Virtual Appliance)

    Posted Apr 13, 2009 01:35 PM
    Thanks Tom!


  • 10.  RE: LDAP Sync Issues Brightmail Gateway 8.0 (Virtual Appliance)

    Posted May 07, 2009 03:18 PM
    If I have multiple RV sources,

    1. will they load balance?

    2. I host multiple domains with users in separate ADs.  If RV #1 -> domain1 and RV #2 -> domain2, will SBG try RV1, and if it fails check RV2?


  • 11.  RE: LDAP Sync Issues Brightmail Gateway 8.0 (Virtual Appliance)

    Posted May 07, 2009 03:21 PM
    This isn't a solution if you are using Sync so you can populate Groups that you will use in association with Compliance Policies.  SBG's LDAP sync is HORRID.  I have an A/D with 80k users in it and it can take 6 hours to sync and fails about 40% of the time.  If I let it sync groups, it NEVER works, as I have thousands of AD groups.


  • 12.  RE: LDAP Sync Issues Brightmail Gateway 8.0 (Virtual Appliance)

    Posted May 08, 2009 05:04 AM

    1. If you have multiple recipient validation sources they don't load balance, the query will run on the first source and if it can't find an answer it will check the second source.

    2. Yes, think this is answered in question 1.