Greetings,

My Division at Rutgers University has recently re-engineered our email infrastructure using the Cyrus Imap "black-box" model with Novell NDS for Account Management.  After considerable research and consideration of several commercial solutions, we have determined that NDS User Management, Netware file sharing, Cyrus Imap services, and the Horde/IMP Webmail package together will create an integrated system that will offer our users all the network services they need while maintaining a single point of administration across all platforms.  To date, we have been extremely impressed with the scalability and flexibility of the Cyrus Imap server, and are moving forward with an expansion of our Cyrus/Novell/NDS/IMP combination running on a distributed server model (approx. 15 servers located on 3 separate campuses).  When finished, the system will be deployed to roughly 2000 users campus wide.

At the early stages of the system development, our original design was based on documentation that many of you are familiar with; documents describing how to implement enterprise email systems using combinations of different software packages.  Minor changes had to be made to accommodate user authentication to our Novell NDS database through PAM.  Currently, we use Novell exclusively for our departmental file sharing and such.  Our user database is a little larger than 2000 users.  When we designed the NDS database, we took special care to partition everything properly, to ensure the user management would be simple - we are not just providing access to email, but to distributed network applications, printers, shared directories and files, etc.  Here is a general idea of what our NDS database looks like:

NDS Tree---
           Organization(o)---
                                Department1(ou)---
                                                        Users(ou)
                                                                 --Smith
                                                                 --Jones
                                                        NetwareServer1
                                Department2(ou)---
                                                        Users(ou)
                                                                 --Smith
                                                                 --Butler
                                                        NetwareServer12
                                Department3(ou)---
                                                        Users(ou)
                                                                 --Simpson
                                                                 --Todd
                                                        NetwareServer13

                                                       Linux Server1(Cyrus)
                                                       Linux Server2(Cyrus)
You probably get the idea.

One great feature of Novell is that you can partition 1 physical server to actually appear to be 2 separate servers.  For instance, in the model above, Department1-Server1 and Department2-Server2 are physically located on the same machine, but appear as 2 servers in the NDS directory.  In addition, you will notice that user 'Smith' exists twice, as two distinct users - Smith.Users.Department1 and Smith.Users.Department2.

For our current model, we have 1 physical Linux Server for each Department that uses Cyrus Imap for email; Users.Department1 is on Linux Server1 and Users.Department2 is on Linux Server2.  If you take Linux Server1, change PAM to use Ldap/NDS authentication, and modify the /etc/ldap.conf to point to ou=Users,ou=Department1,o=Organization, Users from Department1 have their Cyrus Mailboxes on Linux Server 1 and are able to get email simply by authenticating in an Imap Client as <username> <password>.  Furthermore, mail delivery to Linux Server1 is simple because there are no duplicate usernames in the same context of the NDS tree.

It would make sense to be able to use 1 Cyrus server (properly partitioned) to serve multiple Departments, where user 'Smith' may be 2 distinct users from 2 contexts; i.e. Linux Server1 will serve users email for ou=Department1 and ou=Department2.

Two Questions:

1) What recommendations does anyone have to appropriately partition the Cyrus Server to handle this architecture and what configuration is necessary to ensure that when LinuxServer1 receives a message for [EMAIL PROTECTED], the mail is delivered to user.smith on the partition reserved for Department1, and when a message is delivered for [EMAIL PROTECTED], the correct delivery is also made?

2) Assuming 1 is possible, how will 2 users with the same username, but different contexts, log in to the same Cyrus Imap server and enter the appropriate mailbox...
    username = <username.users.department.organization> (NDS Context Model)
        or
    username = <user@domain> (Domain Model)

Any comments/suggestions/help would be greatly appreciated.

-John
______________________________________________
John C. Amodeo, Associate Director
Information Technology and Computer Operations
Faculty of Arts & Sciences, Rutgers University
732.932.9455-voice 732.932.0013-fax
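As an added example (not from John's post, nor Cyrus or Novell code), the following Python sketches the identity-resolution step his two questions share: both login forms he proposes, and an incoming recipient address, must resolve to exactly one (user, department) pair before any mailbox or LDAP base is chosen, and a bare username is refused because two Smiths make it ambiguous. The department list, the example.edu mail domains and the virtual-domain mailbox naming are constructed assumptions.

```python
import re
from dataclasses import dataclass

ORG = "organization"                  # the o= of the NDS tree in the post
# Constructed mapping: mail domain -> department OU served by this Cyrus host.
DOMAIN_TO_DEPT = {
    "department1.example.edu": "department1",
    "department2.example.edu": "department2",
}
_TOKEN = re.compile(r"[a-z0-9][a-z0-9_-]{0,31}")  # safe to embed in a DN or mailbox name

@dataclass(frozen=True)
class Identity:
    user: str
    dept: str

    def mailbox(self) -> str:
        # One mailbox per (user, dept): the two Smiths never share a name.
        domain = next(m for m, d in DOMAIN_TO_DEPT.items() if d == self.dept)
        return f"user.{self.user}@{domain}"

    def ldap_base(self) -> str:
        # The search base /etc/ldap.conf would need for this department.
        return f"ou=Users,ou={self.dept},o={ORG}"

def resolve(login: str) -> Identity:
    """Map a login in either form, or an RCPT address, to exactly one identity."""
    login = login.strip().lower()
    if "@" in login:                                        # domain model
        user, _, domain = login.rpartition("@")
        dept = DOMAIN_TO_DEPT.get(domain)
        if dept is None:
            raise ValueError(f"mail domain not served here: {domain}")
    else:                                                   # NDS context model
        parts = login.split(".")
        # A bare 'smith' fails here on purpose: two Smiths make it ambiguous.
        if len(parts) != 4 or parts[1] != "users" or parts[3] != ORG:
            raise ValueError(f"expected <user>.users.<dept>.{ORG}, got {login!r}")
        user, dept = parts[0], parts[2]
        if dept not in DOMAIN_TO_DEPT.values():
            raise ValueError(f"department not served here: {dept}")
    if not _TOKEN.fullmatch(user):
        raise ValueError(f"username has characters we will not embed: {user!r}")
    return Identity(user, dept)

def is_resolvable(login: str) -> bool:
    try:
        resolve(login)
        return True
    except ValueError:
        return False
```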