Ldap check fail

nbanik · November 2, 2021, 1:50pm

Hello Experts,
I’ve below config for ldap:

listen bl-ldap
 bind 127.0.0.1:389
 balance roundrobin
 mode tcp
 option ldap-check
 server srv1 172.16.6.91:389 check inter 10s
 server srv2 172.16.1.51:389 check inter 10s
 server srv3 172.16.6.141:389 check inter 10s

But haproxy says all server down:

bl-ldap,srv1,0,0,0,0,,0,0,0,,0,,0,0,0,0,DOWN,1,1,0,1,1,704,704,,1,12,1,,0,,2,0,,0,L7RSP,,1,,,,,,,,,,,0,0,,,,,-1,Not LDAPv3 protocol,,0,0,0,0,,,,Layer7 invalid response,,2,3,0,,,,172.16.6.91:389,,tcp,,,,,,,,
bl-ldap,srv2,0,0,0,0,,0,0,0,,0,,0,0,0,0,DOWN,1,1,0,1,1,704,704,,1,12,2,,0,,2,0,,0,L7RSP,,6,,,,,,,,,,,0,0,,,,,-1,Not LDAPv3 protocol,,0,0,0,0,,,,Layer7 invalid response,,2,3,0,,,,172.16.1.51:389,,tcp,,,,,,,,
bl-ldap,srv3,0,0,0,0,,0,0,0,,0,,0,0,0,0,DOWN,1,1,0,1,1,704,704,,1,12,3,,0,,2,0,,0,L7RSP,,1,,,,,,,,,,,0,0,,,,,-1,Not LDAPv3 protocol,,0,0,0,0,,,,Layer7 invalid response,,2,3,0,,,,172.16.6.141:389,,tcp,,,,,,,,

But in tcpdump, i see bind request and reply is success.

Why haproxy is reported all ldap servers are down, despite having success response in health check.

Pls help.

lukastribus · November 2, 2021, 7:11pm

This is probably a bug, but we will need to analyze the entire pcap file. Can you file an issue with that at github (along with the other outputs requested from the bug template form):

nbanik · November 3, 2021, 6:39am

Reported accordingly.

github.com/haproxy/haproxy

Ldap check fail

opened 06:38AM - 03 Nov 21 UTC

closed 08:47AM - 26 Nov 21 UTC

bantify

type: bug status: duplicate

### Detailed Description of the Problem Hello Experts, I’ve below config f…or ldap: ``` listen bl-ldap bind 127.0.0.1:389 balance roundrobin mode tcp option ldap-check server srv1 172.16.6.91:389 check inter 10s server srv2 172.16.1.51:389 check inter 10s server srv3 172.16.6.141:389 check inter 10s ``` But haproxy says all server down: ``` bl-ldap,srv1,0,0,0,0,,0,0,0,,0,,0,0,0,0,DOWN,1,1,0,1,1,704,704,,1,12,1,,0,,2,0,,0,L7RSP,,1,,,,,,,,,,,0,0,,,,,-1,Not LDAPv3 protocol,,0,0,0,0,,,,Layer7 invalid response,,2,3,0,,,,172.16.6.91:389,,tcp,,,,,,,, bl-ldap,srv2,0,0,0,0,,0,0,0,,0,,0,0,0,0,DOWN,1,1,0,1,1,704,704,,1,12,2,,0,,2,0,,0,L7RSP,,6,,,,,,,,,,,0,0,,,,,-1,Not LDAPv3 protocol,,0,0,0,0,,,,Layer7 invalid response,,2,3,0,,,,172.16.1.51:389,,tcp,,,,,,,, bl-ldap,srv3,0,0,0,0,,0,0,0,,0,,0,0,0,0,DOWN,1,1,0,1,1,704,704,,1,12,3,,0,,2,0,,0,L7RSP,,1,,,,,,,,,,,0,0,,,,,-1,Not LDAPv3 protocol,,0,0,0,0,,,,Layer7 invalid response,,2,3,0,,,,172.16.6.141:389,,tcp,,,,,,,, ``` But in tcpdump, i see bind request and reply is success. Tcpdump is attached Why haproxy is reported all ldap servers as down, despite of having success response in health check. Pls help ![Capture](https://user-images.githubusercontent.com/48762403/140018173-f416a4c7-e526-4e81-80a6-0367a8301915.JPG) [gzp-qv-pprod-webapp8.qvblkipa.local-20211102-20h05m15o.zip](https://github.com/haproxy/haproxy/files/7465687/gzp-qv-pprod-webapp8.qvblkipa.local-20211102-20h05m15o.zip) ### Expected Behavior ldap check should be success. ### Steps to Reproduce the Behavior configure and see the echo "show stat" | nc -U /var/lib/haproxy/stats| grep ldap ### Do you have any idea what may have caused this? _No response_ ### Do you have an idea how to solve the issue? _No response_ ### What is your configuration? ```haproxy listen bl-ldap bind 127.0.0.1:389 mode tcp balance roundrobin server srv1 172.16.6.91:389 check fall 1 rise 1 inter 10s server srv2 172.16.1.51:389 check fall 1 rise 1 inter 10s server srv3 172.16.6.141:389 check fall 1 rise 1 inter 10s ``` ### Output of `haproxy -vv` ```plain [root@gzp-qv-pprod-webapp8 tmp]# /opt/haproxy/usr/local/sbin/haproxy -vv HA-Proxy version 1.8.21 2019/08/16 Copyright 2000-2019 Willy Tarreau <willy@haproxy.org> Build options : TARGET = linux2628 CPU = generic CC = gcc CFLAGS = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_OPENSSL=1 USE_SYSTEMD=1 USE_PCRE=1 Default settings : maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200 Built with OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017 Running on OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017 OpenSSL library supports TLS extensions : yes OpenSSL library supports SNI : yes OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2 Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND Encrypted password support via crypt(3): yes Built with multi-threading support. Built with PCRE version : 8.32 2012-11-30 Running on PCRE version : 8.32 2012-11-30 PCRE library supports JIT : no (USE_PCRE_JIT not set) Built with zlib version : 1.2.7 Running on zlib version : 1.2.7 Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip") Built with network namespace support. Available polling systems : epoll : pref=300, test result OK poll : pref=200, test result OK select : pref=150, test result OK Total: 3 (3 usable), will use epoll. Available filters : [SPOE] spoe [COMP] compression [TRACE] trace [root@gzp-qv-pprod-webapp8 tmp]# ``` ### Last Outputs and Backtraces _No response_ ### Additional Information _No response_

Thanks

nbanik · December 17, 2023, 5:32pm

fixed in
ldap-check does not work against Active Directory · Issue #1390 · haproxy/haproxy · GitHub

Topic		Replies	Views
Haproxy load balancing fail Help!	1	187	December 17, 2023
HAProxy L4 VIP for LDAP backend Help!	3	49	July 26, 2024
HAProxy for LDAP Servers Help!	0	346	August 24, 2023
Haproxy + keepalived + ldap Help!	0	385	February 12, 2023
Connection reset for LDAPS Help!	2	776	June 6, 2023

Ldap check fail

Related topics