Mapping information is what establishes the routing behavior in any Axigen cluster. The idea is simple: the front-end looks up the user, takes the field in the returned entry that names the mail host (the back-end), and uses that host as the destination for the user's session. In other words, the mapping data tells the front-end which back-end holds the actual user account.
The mapping system performs this routing task in two basic ways:
- Using a local user database: mapping information is retrieved by parsing a locally defined file that contains all mapping patterns.
- Using an LDAP directory: mapping information is retrieved from the LDAP directory.
Both methods have the same result as long as they are configured properly. Mapping information is gathered using the Axigen User Map defined in the proxy configuration. The user map is used for routing and can also be used in the authentication process. The mapping system is one of the key elements in the front-end node configuration.
Local user maps are read from a file formatted in a specific way so that Axigen can interpret it. Entries can be provided for individual users, and regular expressions can be used to match and map many accounts to the same back-end. For a cluster, an LDAP directory is preferred over local files: the mapping is maintained in one place instead of in a file that has to be kept identical on every front-end, and it scales better in a resource-intensive setup.
An LDAP directory can also perform authentication, so in a complex setup it makes sense to use it for both and keep front-end behavior under control from a central point. Most clusters use LDAP or Active Directory for mapping, and all that is required is defining the routing property (the attribute that names the back-end) on each user entry. It is a straightforward method and is preferred because of the advantages a directory provides.
The mapping information is defined by selecting a user map in the proxy configuration. The selected user map will route connections to the back-end system using a local file or an LDAP directory.
When an LDAP directory is used, the user map offers two ways of connecting to it:
- Password (Simple): the front-end queries the directory with a plain LDAP search, without first binding as a specific account. This is sufficient only when the directory's access controls let such a search read the routing attribute, and, if the map is also used for authentication, the password field, which then has to be readable in plain (un-hashed) form.
- Bind (Authenticated): the front-end binds with a DN and password before searching. This is required when the directory reveals the relevant attributes (hashed password fields, for example) only to an authorized user.
Either option works as long as it matches what the directory permits. Some directories accept only bound connections; the most common example is Active Directory, which allows only authenticated users to search the tree and read attributes. Whichever option is chosen, the account whose credentials are stored in the proxy configuration should be a dedicated, read-only directory account limited to the attributes the map needs.
When a local file defines the mapping information, the user map configuration must give the file's path and name, and Axigen must be able to read the file. The local mapping file syntax is simple and flexible. The basic format of the local file used by the mapping system is:
Example:
In the above example, the account "user1" in the domain "example.tld" is assigned the back-end with the IP address 192.168.20.3. The back-end can also be given by host name or fully qualified domain name:
However, the above entries also match "testuser1@example.tld", because the pattern "user1@example.tld" is searched for anywhere in the address rather than against the whole address. To prevent this, the entry must be written as an anchored regular expression:
With this form the entry matches only addresses that start with the given pattern. On the same principle, any standard Perl regular expression can be written to select the required accounts, so accounts can be mapped alphabetically, by domain name, or by any other criterion the pattern can express.
When setting up a cluster, the mapping must be configured carefully. The cluster engineer should make sure that no lookup returns results that confuse the proxy services: if several entries match the same address, only the first matching entry is used. Overlapping entries therefore produce routing that depends on file order, which can give end-users unexpected results and can break other services that depend on the cluster.
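The following Python resolver is an added example, not Axigen's own code and not its documented file syntax. It models the behavior the text describes: each entry is a Perl-style regular expression searched against the full address, the first matching entry wins, and an unanchored plain entry such as "user1@example.tld" therefore also routes "testuser1@example.tld". The two-column "<pattern> <backend>" layout, the "#" comment syntax and the case-insensitive comparison are assumptions made for the illustration, and the sample map is constructed. It also adds the check a cluster engineer would want before going live: a report of every address that more than one entry matches.

```python
"""Illustrative resolver for a local user-map file of the kind the text describes.

Assumed layout (not Axigen's documented syntax): one entry per line,
"<pattern> <backend>", where <pattern> is a Perl-style regular expression
searched, unanchored, against the full address, and the first match wins.
"""
import re
from typing import Dict, List, NamedTuple, Optional


class MapEntry(NamedTuple):
    pattern: str
    backend: str
    regex: re.Pattern


# Constructed sample map. The first entry is the unanchored form the page warns about:
# searched as a regex, it also matches "testuser1@example.tld", and its unescaped
# dot matches any character, so "user1@examplextld" would be routed as well.
SAMPLE_MAP = """\
# plain entry: unanchored, also matches testuser1@example.tld
user1@example.tld 192.168.20.3
# anchored, with the dot escaped so it cannot match "exampleXtld"
^user2@example\\.tld$ backend2.example.tld
# alphabetical split for everyone else in the domain
^[a-m][^@]*@example\\.tld$ backend-a.example.tld
^[n-z][^@]*@example\\.tld$ backend-b.example.tld
"""

# The same map with the first entry anchored and its dot escaped.
FIXED_MAP = """\
^user1@example\\.tld$ 192.168.20.3
^user2@example\\.tld$ backend2.example.tld
^[a-m][^@]*@example\\.tld$ backend-a.example.tld
^[n-z][^@]*@example\\.tld$ backend-b.example.tld
"""


def parse_map(text: str) -> List[MapEntry]:
    """Parse the assumed two-column format; reject malformed lines and bad regexes early."""
    entries: List[MapEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<pattern> <backend>', got {line!r}")
        pattern, backend = parts
        try:
            regex = re.compile(pattern)
        except re.error as exc:
            raise ValueError(f"line {lineno}: invalid regex {pattern!r}: {exc}") from exc
        entries.append(MapEntry(pattern, backend, regex))
    return entries


def resolve(entries: List[MapEntry], address: str) -> Optional[str]:
    """Return the back-end of the first matching entry, or None if nothing matches."""
    addr = address.lower()  # assumption: addresses are compared case-insensitively
    for entry in entries:
        if entry.regex.search(addr):  # search, not fullmatch: unanchored by design
            return entry.backend
    return None


def find_ambiguous(entries: List[MapEntry], addresses: List[str]) -> Dict[str, List[str]]:
    """Report each address matched by more than one entry, with back-ends in file order.

    Only the first back-end is ever used; the rest are routes that a reordering of
    the file would silently activate. Overlap with a later catch-all is normal, but
    the intended entry must come first, and a plain entry swallowing unrelated
    accounts (testuser1 via user1) is a configuration error.
    """
    report: Dict[str, List[str]] = {}
    for address in addresses:
        addr = address.lower()
        hits = [e.backend for e in entries if e.regex.search(addr)]
        if len(hits) > 1:
            report[address] = hits
    return report


if __name__ == "__main__":
    probes = ["user1@example.tld", "testuser1@example.tld",
              "user2@example.tld", "alice@example.tld", "user1@examplextld"]
    for name, text in (("unanchored", SAMPLE_MAP), ("anchored", FIXED_MAP)):
        entries = parse_map(text)
        print(f"== {name} map ==")
        for probe in probes:
            print(f"{probe:28} -> {resolve(entries, probe)}")
        print("ambiguous:", find_ambiguous(entries, probes))
```

Running the script shows the pitfall directly: with the unanchored map, "testuser1@example.tld" and even "user1@examplextld" are routed to 192.168.20.3, while with the anchored map "testuser1" falls through to the alphabetical rule for n-z and the malformed address gets no route. Running find_ambiguous over the real account list before enabling the map is the cheapest way to catch first-match surprises.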
Custom mapping configurations are useful when migrating from an earlier setup. If the destination host is already recorded in the LDAP directory, the attribute (property) holding it can be named in the Axigen configuration so the existing data is used as-is.
With Active Directory, the routing property must be added by hand to each user the domain administrator has already defined. Any unused attribute can hold this information; the only requirements are that the same attribute is used for every user and that it is populated for all accounts before the front-end starts relying on it.