HAProxy community

Good setup for LDAP backend


I am looking for a proper configuration for an LDAP backend; so far I have:

frontend ldap_service_front
    mode                  tcp                # plain TCP proxying, no protocol parsing
    log                   global
    description           LDAP Service
    option                socket-stats
    option                tcplog
    option                tcpka              # kernel TCP keepalives on the client side
    timeout client        5s                 # client-side inactivity timeout
    default_backend       ldap_service_back

backend ldap_service_back
    server                ldap-1-test ldap1test.embl.de:389 check fall 1 rise 1 inter 2s
    server                ldap-2-test ldap2test.embl.de:389 check fall 1 rise 1 inter 2s
    mode                  tcp
    balance               roundrobin
    stick-table           type ip size 200k expire 30m   # persistence table keyed by client IP
    stick                 on src                         # pin each source IP to one server
    option                tcpka              # kernel TCP keepalives on the server side
    option                ldap-check         # health check: LDAPv3 anonymous simple bind
    timeout server        2s                 # server-side inactivity timeout
    timeout connect       1s                 # time allowed to establish the server connection

But when I browse the LDAP servers with the Apache LDAP browser, it seems that every one or two checks it closes the connection and opens a new one, so it is impossible to browse it.

I wouldn’t like to bind the source IP to a specific backend node, since I will have so many different clients that will act in different ways: some of them will just open a connection, get some attributes and close it, but others will open an LDAP connection, fetch several attributes and afterwards close it.
So I am somehow looking for some persistence. Well, I am open to any suggestion.




Have you tried increasing:

    timeout server        2s
    timeout client        5s

They seem fairly low to me.

Sorry for all the edits, I misread at first…


Wow, it is great that you pointed this out so quickly. You are right, now I don’t get disconnected. :slight_smile:

Do you know how I should tweak them to the right value?



I’m glad it helped.

Basically, you would set these to the maximum length of inactivity that you would like an ESTABLISHED TCP connection to last. Generally, it’s a good idea to set the “timeout server” value about 1s longer than the “timeout client” value, but that’s just best practice.


Perfect. Thanks a lot.

Now I am just wondering how to handle sessions in LDAP. I have clients that open a connection, do a query and close it, but I also have others that open a connection and keep it open while they do several queries, and then close it. So I am wondering what the best way would be to handle those OpenLDAP sessions and spread the load over all OpenLDAP backend servers with a shared session store. Is that even possible for non-web apps?

Best regards.


Hmm, you could try disabling “stick on src”, which will allow each TCP connection to hit a different backend; it works on a per-connection basis rather than at the packet level, without persistence, so one LDAP bind will hit one server while the next attempt from the same client may hit the other server.

I think that should be okay with LDAP and a common backend but to be sure I’d suggest trying it.
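The two pieces of advice in this thread, raising the inactivity timeouts and dropping “stick on src” so that each TCP connection is balanced on its own, written out as one complete, loadable HAProxy configuration. This is an added example, not the original poster’s file and not HAProxy project code. The server names ldap1test.embl.de and ldap2test.embl.de come from the posted config; the 10m timeouts, the listening address :389, the leastconn choice and the check thresholds are assumptions to be tuned to the real clients.

```haproxy
global
    log     /dev/log local0
    maxconn 4000

defaults
    mode    tcp
    log     global
    option  tcplog
    option  dontlognull
    timeout connect 1s
    # Inactivity timeouts (10m is an assumption). Set them to the longest gap
    # a legitimate LDAP client leaves between two operations on the SAME
    # connection; an idle browser session that exceeds them is cut, which is
    # what the 2s/5s values in the thread did. Note that "option tcpka"
    # only makes the kernel send keepalive probes through firewalls; HAProxy
    # counts application data, so keepalives do not refresh these timeouts.
    timeout client  10m
    timeout server  10m

frontend ldap_service_front
    description     LDAP Service
    # Listening address is an assumption; the post does not show its bind line.
    bind            :389
    option          socket-stats
    option          tcpka
    default_backend ldap_service_back

backend ldap_service_back
    # LDAP binds are scoped to a TCP connection, so in tcp mode every
    # operation a client sends on one connection already lands on one server.
    # leastconn (assumed) spreads long-lived sessions more evenly than
    # roundrobin when some clients hold connections open for many queries.
    balance         leastconn
    option          tcpka
    # ldap-check sends an LDAPv3 anonymous simple bind and expects a
    # bindResponse, so a server that accepts TCP but cannot answer LDAP
    # is taken out of rotation. fall 3 / rise 2 (assumed) avoid flapping on
    # a single slow check, unlike fall 1 / rise 1.
    option          ldap-check
    timeout check   2s
    default-server  inter 2s fall 3 rise 2
    server          ldap-1-test ldap1test.embl.de:389 check
    server          ldap-2-test ldap2test.embl.de:389 check

    # Persistence is deliberately left out, as suggested in the thread:
    # without "stick on src" each new TCP connection is balanced
    # independently. Re-enable the two lines below only for clients that
    # need their successive connections pinned to one server, e.g. one that
    # writes, reconnects and reads its own write back before replication
    # between the two OpenLDAP servers has caught up.
    # stick-table     type ip size 200k expire 30m
    # stick           on src
```

Validate the file with `haproxy -c -f /path/to/haproxy.cfg` before reloading. The per-connection balancing is safe as long as both servers serve the same directory contents; the one thing to test per client, as the thread says, is whether any of them expects read-after-write consistency across two separate connections, which is exactly the case the commented-out stick table exists for.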


Thanks, I’ve tested this and it seems to work, however we will need to test all possible clients to see how each of them handles a connection.