Hi,
I work at a large organization and most of our applications use LDAP authentication. We currently have multiple Windows ADDS Servers for that purpose and each app points to a specific ADDS server.
We are currently trying to achieve high availability of the LDAP service through HAProxy and this is the configuration file:
    frontend ldap_service_front
        mode tcp
        bind *:389
        log global
        option socket-stats
        option tcplog                  # one log line per TCP session, with timers and termination state
        option tcpka                   # TCP keepalives on the client side
        timeout client 120s            # max client-side inactivity
        default_backend ldap_service_back

    backend ldap_service_back
        mode tcp
        balance source                 # same client IP -> same server
        stick-table type ip size 200k expire 30m
        stick on src
        option tcpka                   # TCP keepalives on the server side
        timeout server 120s            # max server-side inactivity
        timeout connect 120s           # max time to establish the connection to a server
        server ldap-1 ldapserver1:389 check fall 1 rise 1 inter 2s
        server ldap-2 ldapserver2:389 check fall 1 rise 1 inter 2s
The load balancing works for most of our applications without any issues for basic authentication and quick LDAP queries. But one of our apps that fetches all users through pagination often struggles to keep the connection open until it retrieves all of the pages. Therefore we enabled the tcpka option to keep the connection open, but it still fails sometimes.
When the app points directly to ldapserver1:389 or ldapserver2:389 it retrieves all of the users in less than 7 seconds, but when it goes through HAProxy it takes around 2 minutes to complete and it often fails.
Are we missing anything in the configuration file? How can we keep the connection open until it finishes the query and how can we match the response time that we have while going straight to the LDAP Servers?
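Added diagnostic, not part of the post above: since the frontend already has `option tcplog`, the termination-state field of each logged session says whether the long paginated connection was ended by `timeout client` (cD), `timeout server` (sD), a server abort (SD) or a client abort (CD), and the third timer gives the total session duration. The parser below assumes HAProxy's default TCP log format and the frontend/backend names from the configuration; the log lines are constructed samples.

```python
import re
from collections import Counter

# Fields of HAProxy's default "option tcplog" line (assumed format):
# client:port [accept_date] frontend backend/server Tw/Tc/Tt bytes termination_state ...
TCPLOG_RE = re.compile(
    r"(?P<client>\S+):(?P<cport>\d+) \[(?P<accept>[^\]]+)\] "
    r"(?P<frontend>\S+) (?P<backend>\S+)/(?P<server>\S+) "
    r"(?P<tw>-?\d+)/(?P<tc>-?\d+)/(?P<tt>-?\d+) (?P<bytes>\d+) "
    r"(?P<term>[A-Za-z-]{2}) "
)
# First character of the termination state: why the session ended.
CAUSE = {"-": "normal close", "C": "client aborted", "S": "server aborted/refused",
         "c": "client-side timeout (timeout client)", "s": "server-side timeout (timeout server)",
         "P": "closed by proxy", "D": "server marked DOWN", "U": "server came UP",
         "K": "killed by admin", "L": "handled locally", "R": "resource exhausted", "I": "internal error"}
# Second character: what the session was doing when it ended.
STATE = {"R": "waiting for request", "Q": "queued", "C": "connecting", "H": "headers",
         "D": "data transfer", "L": "last data", "T": "tarpit", "-": "normal"}

def parse_tcplog(line):
    """Return the parsed fields of one tcplog line, or None if it is not one."""
    m = TCPLOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["tt_ms"] = int(rec["tt"])            # total session duration in ms
    rec["bytes"] = int(rec["bytes"])
    rec["cause"] = CAUSE.get(rec["term"][0], "unknown")
    rec["state"] = STATE.get(rec["term"][1], "unknown")
    return rec

def summarize(lines, slow_ms=10000):
    """Count termination states; flag sessions that did not close normally or ran longer than slow_ms."""
    counts, flagged = Counter(), []
    for rec in filter(None, map(parse_tcplog, lines)):
        counts[rec["term"]] += 1
        if rec["term"] != "--" or rec["tt_ms"] >= slow_ms:
            flagged.append((rec["server"], rec["term"], rec["cause"], rec["state"], rec["tt_ms"], rec["bytes"]))
    return counts, flagged

# Constructed sample lines: a quick bind, a paged search cut by timeout client, one aborted by the server.
SAMPLE_LINES = [
    "Jun 12 10:00:00 lb haproxy[1234]: 10.0.0.5:51234 [12/Jun/2024:10:00:00.123] ldap_service_front ldap_service_back/ldap-1 1/0/212 4312 -- 12/12/12/6/0 0/0",
    "Jun 12 10:03:07 lb haproxy[1234]: 10.0.0.9:40022 [12/Jun/2024:10:01:07.004] ldap_service_front ldap_service_back/ldap-2 1/0/120003 2457800 cD 14/14/14/8/0 0/0",
    "Jun 12 10:05:59 lb haproxy[1234]: 10.0.0.9:40023 [12/Jun/2024:10:04:00.560] ldap_service_front ldap_service_back/ldap-1 1/1/118560 3011400 SD 13/13/13/7/0 0/0",
]

if __name__ == "__main__":
    counts, flagged = summarize(SAMPLE_LINES)
    print(dict(counts))
    for row in flagged:
        print("server=%s term=%s cause=%r state=%r duration_ms=%d bytes=%d" % row)
```

Run it over the real log (one line per session) to see whether the failing sessions end in `cD`/`sD` (a timeout fired during the transfer) or `SD`/`CD` (one side closed), and how long they ran before that.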