HAProxy for LDAP Servers


I work at a large organization and most of our applications use LDAP authentication. We currently have multiple Windows ADDS Servers for that purpose and each app points to a specific ADDS server.

We are currently trying to achieve high availability of the LDAP service through HAProxy and this is the configuration file:

frontend ldap_service_front
    mode                  tcp                # layer-4 passthrough; LDAP is not HTTP
    bind                  *:389              # listen on every address, port 389
    log                   global
    option                socket-stats       # per-socket statistics
    option                tcplog             # TCP-level log format
    option                tcpka              # TCP keepalive on both sides
    timeout client        120s               # max client-side inactivity
    default_backend       ldap_service_back

backend ldap_service_back
    mode                  tcp
    balance               source             # hash of client IP selects the server
    stick-table           type ip size 200k expire 30m
    stick                 on src             # remember client IP -> server for 30m
    option                tcpka
    timeout server        120s               # max server-side inactivity
    timeout connect       120s               # max wait for the TCP handshake to a server
    # plain TCP health check every 2s; one failure marks down, one success marks up
    server                ldap-1 ldapserver1:389 check fall 1 rise 1 inter 2s
    server                ldap-2 ldapserver2:389 check fall 1 rise 1 inter 2s

The load balancing works for most of our applications without any issues for basic authentication and quick LDAP queries. But one of our apps that fetches all users through pagination often struggles to keep the connection open until it retrieves all of the pages. Therefore we enabled the tcpka option to keep the connection open, but it still fails sometimes.

When the app points directly to ldapserver1:389 or ldapserver2:389 it retrieves all of the users in less than 7 seconds, but when it goes through HAProxy it takes around 2 minutes to complete and it often fails.

Are we missing anything in the configuration file? How can we keep the connection open until it finishes the query and how can we match the response time that we have while going straight to the LDAP Servers?
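As an added example (not part of the question and not a verified fix for it), the same two sections rewritten so that the health check speaks LDAP instead of bare TCP, server state changes are logged, and the connect timeout only covers the TCP handshake. Server names, ports, stickiness and the 120s inactivity timeouts are taken from the question; the `fall`/`rise` counts and the 5s connect timeout are assumed values.

```haproxy
frontend ldap_service_front
    mode                  tcp
    bind                  *:389
    log                   global
    option                socket-stats
    option                tcplog
    option                tcpka
    timeout client        120s
    default_backend       ldap_service_back

backend ldap_service_back
    mode                  tcp
    balance               source
    # Every connection from one client IP lands on the same server for 30m,
    # so a client that reconnects per page keeps talking to the same DC.
    stick-table           type ip size 200k expire 30m
    stick                 on src
    option                tcpka
    # LDAPv3 anonymous bind instead of a plain TCP connect: a server that
    # accepts TCP but does not answer LDAP is marked down.
    option                ldap-check
    # Log every UP/DOWN transition so failovers show up in the proxy log.
    option                log-health-checks
    # Assumed values: three failed checks mark a server down, two good ones
    # bring it back, which avoids flapping on a single missed probe.
    default-server        inter 2s fall 3 rise 2
    server                ldap-1 ldapserver1:389 check
    server                ldap-2 ldapserver2:389 check
    # Only the TCP handshake to the DC is bounded here; an assumed 5s fails
    # over quickly instead of waiting 120s on an unreachable server.
    timeout connect       5s
    timeout server        120s
```

Check the result with `haproxy -c -f /path/to/haproxy.cfg` before reloading, and watch the health-check log lines to confirm both servers stay UP.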