When we at Orange decided to renew our e-mail platform, we could not yet know that we would celebrate the successful end of migration on the 5th of July 2022 in our headquarters in Paris with more than 200 guests. We initiated the project back in 2014 and are now able to look back on eight years of successful cooperation with Univention that led to our new e-mail platform. Its main components are the e-mail back-end solution Dovecot, the groupware Open-Xchange as webmail and PIM solution, and the identity management Univention Corporate Server (UCS), which today manages the user identities of about 13 million active mailboxes.
In this blog article, we would like to tell you how we got here – starting with our expectations and motivation for the project and the cooperation with Univention, and ending with challenges, how we tackled them and what we plan to do next. Let’s turn back the clock and take a look at the first important steps that we took at Orange to get the project up and running!
Starting Point: When We Knew that Change Was Coming
Our main motivation to start this complex and years-long project was the continuous growth of the platform and a software stack that was no longer up to date. That was partly because the system had to handle an extremely large number of accesses to the LDAP directory service, which led to a huge number of changes in the objects stored there every day. At the same time, our IT managers valued high reliability: we wanted to keep operating across two mirrored data centers in Paris in the event of technical problems. Additionally, it should be possible for our IT to replace the servers during operation with little downtime.
Since it was not possible to migrate the millions of user accounts at once, a step-by-step approach was introduced, which required high scalability of the system for the gradual migration of e-mail accounts. The IT managers of the project also wanted flexible roles, both for delegated administration and for the content of LDAP replicas (dedicated LDAP clusters per connected service). Finally, high data protection requirements had to be met – just another challenge we had to overcome.
Expectations and Motivation: Complete Overhaul of the E-Mail Platform
After it had become clear that a renewal of the old system was necessary, we jointly defined the requirements we had for the new platform:
- Ability to manage 13 million active user identities
- The directory service must handle more than a hundred thousand simultaneous requests
- Delegated administration and scalable notifications
- API compatibility with existing systems
- Highly scalable for gradual user data migration
Our solution for the complete overhaul of the platform – which fulfilled all of the above requirements – included the following:
- UCS utilizing integrated OpenLDAP as an identity management for the millions of users using Orange mail accounts at that time
- Creating a stable LDAP cluster capable of handling numerous simultaneous requests
- Implementing SOAP interfaces and provisioning and notification plug-ins for external APIs
- Integrating Open-Xchange, Dovecot, a provisioning router and broker from Tarent, and many Orange-specific services
Finding the Perfect Solution: Why We at Orange Decided to Use UCS
Although there were other competitive products, we knew we had found the best solution for Orange when we first discovered UCS from Univention. It had been recommended by Open-Xchange, with which we had at that time already started modernizing our e-mail offering. We were quickly convinced that using UCS would enable flexible roles and rights mapping, both at the level of delegated administration and for selective replication of the LDAP servers.
The possibilities offered by UCS for a scalable notification system, as well as its existing and expandable interfaces, were relevant as well, since UCS had to harmonize with the already existing system. Last but not least, it was very important for us to work with a company that allows us to develop a sincere partnership. This was just one more reason to work with Univention, Open-Xchange and Dovecot on this project, as they valued partnership as much as we did. Moreover, these three companies were able to provide consistent individual consulting as well as product support, and to ensure the consistent implementation of sub-projects during the course of the project.
Challenges & Solutions: Identifying Bottlenecks and Opportunities
Looking back at the whole project implementation, the biggest challenge was the sheer size of the project environment. While in typical UCS projects at this time about 200,000 objects were stored in the LDAP database, Orange maintained more than 13,000,000 active objects. UCS had not yet been used in a project of this size, even though Univention knew that the technical possibilities were available.
To cope with the large amounts of data and high system loads, LDAP clusters were chosen, which were set up as a group of UCS Replica Directory Node instances with an identical subset of LDAP objects/attributes. The configuration of the database indexes, the implemented LDAP queries and the sizing of the server systems had to be coordinated in detail for these clusters. The operation of the system was distributed over two physical locations.
Another challenge was to create a system that is API-compatible with the already existing system; to achieve this, Univention’s project team had to implement several specific SOAP interfaces. It was also necessary to create provisioning and notification plug-ins for many external APIs. These APIs are part of an extended notification system built specifically for the project on top of Univention Directory Manager and complementary tools such as RabbitMQ.
Summary & Outlook: Taking a Look at the Project History and Future Plans for Orange
Univention took over the IAM in our e-mail back-end, and from 2014 on, our IT department migrated all these mailboxes into UCS. The first project release with full functionality could already be delivered in 2015. Over the course of the following year, the solution was expanded with additional functions and server roles and numerous performance tests were carried out to ensure that the system would withstand the expected extremely high workloads. At the end of 2016, the system went live with the full range of managed identities.
Since then, e-mail accounts have been gradually migrated to the new system. In addition, new requirements, such as stricter data protection regulations or new provisioning workflows, are continually being implemented. Thanks to the stability, reliability, and scalability of the new system, the commissioned 24/7 support seldom had to be used.
We started this project eight years ago – a long period of time, owing to the unusual amount of data in the mailboxes. The migration into Univention’s LDAP was not the bottleneck; the migration of the mailbox contents was. Together we managed to find a solution and take the strain off the system.
In the future, we plan to migrate the project’s environment to UCS 5 and look forward to the ongoing good cooperation with Univention and its technical teams.