HAProxy OpenLDAP transparent


#1

Hi,
I use HAProxy for LDAP with two nodes.
My problem is that the connection logs on the LDAP server show the IP address of HAProxy, not that of the clients.

I saw that it is possible to forward the address in HTTP mode, but I didn't find it for TCP mode.
My configuration is:

defaults
log global
option tcplog
option dontlognull

LDAP

frontend ldap_service_front
mode tcp
bind *:389
description LDAP Service
option socket-stats
option tcpka
timeout client 300s
default_backend ldap_service_back

backend ldap_service_back
option ldap-check
server ldap-ha1.domain.com 192.168.0.10:3899 check addr 192.168.0.10
server ldap-ha2.domain.com 192.168.0.11:3899 check addr 192.168.0.11
mode tcp
balance leastconn
timeout server 300s
timeout connect 1s

Have you any idea how to make the connection transparent so that the clients' IP address is sent to the LDAP server?

Best Regards


#2

What you need (and maybe don't want) is TPROXY…

You'll probably need to switch to a two-arm config (or solve the routing issue for local clients), but this will make HAProxy fully source-IP transparent.


#3

You can try the "send-proxy" option, which is the TCP equivalent of the HTTP "X-Forwarded-For" header. Check if OpenLDAP is able to handle it.

backend ldap_service_back
option ldap-check
server ldap-ha1.domain.com 192.168.0.10:3899 check addr 192.168.0.10 send-proxy
server ldap-ha2.domain.com 192.168.0.11:3899 check addr 192.168.0.11 send-proxy
mode tcp
balance leastconn
timeout server 300s
timeout connect 1s


#4

Thanks for answering.
I already tried it, but it doesn't seem to work for OpenLDAP.
I don't see the source IP in the OpenLDAP logs.
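As an added illustration, not from the original thread, of what the send-proxy option in #3 actually puts on the wire and why a server that does not expect it cannot read the LDAP stream (the symptom in #4): a small parser for the PROXY protocol v1 header, written here in Python with constructed sample bytes and an assumed HAProxy address of 192.168.0.5 as the only trusted sender.

```python
import ipaddress

# Constructed sample: the line HAProxy writes before the first client byte
# when send-proxy is set, followed by an LDAP anonymous BindRequest (BER).
PROXY_HDR = b"PROXY TCP4 10.1.2.3 192.168.0.10 51234 3899\r\n"
LDAP_BIND = bytes.fromhex("300c020101600702010304008000")
SAMPLE_STREAM = PROXY_HDR + LDAP_BIND

# Assumed address of the HAProxy node; only it may assert a client source.
TRUSTED_PROXIES = {ipaddress.ip_address("192.168.0.5")}


def looks_like_ldap(stream: bytes) -> bool:
    """Every LDAPMessage is a BER SEQUENCE, so a plain LDAP listener expects
    0x30 as the first byte. With a PROXY header in front it sees 'P' (0x50)
    and drops the connection, which is why no client IP ever reaches the log."""
    return stream[:1] == b"\x30"


def parse_proxy_v1(stream: bytes, peer: str):
    """Split a PROXY v1 header off a TCP stream.

    Returns (client_ip, client_port, payload); client fields are None for
    'PROXY UNKNOWN'. Raises ValueError if the header is malformed or the
    TCP peer is not a trusted proxy (a spoofed header would otherwise let
    any host choose the address that ends up in the audit log)."""
    if ipaddress.ip_address(peer) not in TRUSTED_PROXIES:
        raise ValueError("PROXY header from untrusted peer %s" % peer)
    if not stream.startswith(b"PROXY "):
        raise ValueError("no PROXY header")
    # A v1 header is at most 107 bytes including the CRLF terminator.
    end = stream.find(b"\r\n", 0, 108)
    if end < 0:
        raise ValueError("unterminated PROXY header")
    fields = stream[:end].decode("ascii").split(" ")
    payload = stream[end + 2:]
    if len(fields) == 2 and fields[1] == "UNKNOWN":
        return None, None, payload
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("unsupported PROXY header: %r" % fields)
    _, family, src, _dst, sport, _dport = fields
    src_ip = ipaddress.ip_address(src)
    if (family == "TCP4") != (src_ip.version == 4):
        raise ValueError("address family mismatch in PROXY header")
    return str(src_ip), int(sport), payload
```

Whether the real client address is usable on the backend therefore depends entirely on slapd (or whatever sits behind HAProxy) stripping this header itself; HAProxy cannot make a non-aware server log it.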