On 11/19/20 2:49 AM, Paul B. Henson wrote:
> Amazon's solution for that is to support HAProxy's proxy protocol in their load balancer:
> https://www.haproxy.com/blog/haproxy/proxy-protocol/
> Basically, this is an in band signaling mechanism that inserts an additional header in the initial connection data containing the original client IP address/source port and destination IP address/source port,
> AFAICS this only works with HTTP and SMTP.
> openLDAP does not support the protocol, and I was unable to find any past discussion of it.
LDAP uses BER-encoded ASN.1, not ASCII.
The LDAP session tracking extended control [1] can be used to pass the client IP address of a proxied connection to the LDAP server. Currently slapd only logs the content of this control.
But it would have to be implemented in the proxy, here the AWS load-balancer. *And* slapd's ACLs would have to be extended to evaluate this.
Would be a nice feature for lloadd [2].
[1] https://tools.ietf.org/html/draft-wahl-ldap-session-03
[2] https://bugs.openldap.org/show_bug.cgi?id=8747
Ciao, Michael.
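The mechanism Michael sketches, as an added Python example that is not code from this thread, from OpenLDAP, lloadd or AWS: a proxy strips the PROXY protocol v1 line from the front of the TCP stream, refuses to forward anything that does not then begin with a BER SEQUENCE (the first byte of every LDAPMessage), and encodes the original client address into a Session Tracking control as laid out in draft-wahl-ldap-session-03 [1]. The control OID and the user-name format OID are the draft's; the sample stream, the user name "paul" and all function names are made up here. BER is hand-encoded so the example runs without python-ldap, and only the ASCII v1 header is handled (v2 is binary and starts with a 12-byte signature).

```python
"""Constructed example (not OpenLDAP, lloadd or AWS code): what a proxy would have to do to
turn a PROXY protocol v1 header into an LDAP Session Tracking control. An LDAP server cannot
consume the ASCII "PROXY ..." line because LDAP PDUs are BER-encoded ASN.1 starting with 0x30
(SEQUENCE); the proxy strips it and carries the client IP in the control from
draft-wahl-ldap-session-03. BER is hand-rolled; OIDs are from the draft, all else is made up."""
import re

SESSION_TRACKING_OID = "1.3.6.1.4.1.21008.108.63.1"  # control OID from the draft
FORMAT_USERNAME_OID = SESSION_TRACKING_OID + ".3"     # identifier format: user name
# PROXY v1 line: "PROXY TCP4|TCP6 <src> <dst> <sport> <dport>\r\n" or "PROXY UNKNOWN ...\r\n"
_PROXY_V1 = re.compile(rb"^PROXY (?:(TCP4|TCP6) (\S+) (\S+) (\d+) (\d+)|UNKNOWN[^\r\n]*)\r\n")
_FIELDS = ("sessionSourceIp", "sessionSourceName", "formatOID", "sessionTrackingIdentifier")


def split_proxy_v1_header(data):
    """Return (header dict or None, remaining bytes); a direct LDAP client starts with 0x30."""
    m = _PROXY_V1.match(data)
    if m is None:
        return None, data
    if m.end() > 107:                                  # spec maximum for a v1 line
        raise ValueError("PROXY v1 header too long")
    if m.group(1) is None:
        return {"family": "UNKNOWN"}, data[m.end():]
    hdr = {"family": m.group(1).decode("ascii"), "src_ip": m.group(2).decode("ascii"),
           "dst_ip": m.group(3).decode("ascii"), "src_port": int(m.group(4)), "dst_port": int(m.group(5))}
    return hdr, data[m.end():]


def _ber_len(n):
    """Definite-form BER length: one byte below 128, else 0x8N followed by N length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    """Encode one BER TLV (LDAPString and LDAPOID are both OCTET STRING, tag 0x04)."""
    return bytes([tag]) + _ber_len(len(body)) + body


def build_session_tracking_value(source_ip, source_name, format_oid, identifier):
    """SessionIdentifierControlValue ::= SEQUENCE of the four fields in _FIELDS order."""
    fields = (source_ip, source_name, format_oid, identifier)
    return _tlv(0x30, b"".join(_tlv(0x04, f.encode("utf-8")) for f in fields))


def build_control(oid, value, critical=False):
    """RFC 4511 Control ::= SEQUENCE { controlType, criticality DEFAULT FALSE, controlValue }."""
    items = [_tlv(0x04, oid.encode("utf-8"))]
    if critical:                                       # DEFAULT FALSE: encode only when TRUE
        items.append(b"\x01\x01\xff")
    items.append(_tlv(0x04, value))
    return _tlv(0x30, b"".join(items))


def _read_tlv(data, pos):
    """Read one BER TLV at pos; return (tag, contents, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                  # long form: 0x8N then N length bytes
        n = length & 0x7F
        if n == 0 or n > 4:                            # LDAP forbids indefinite lengths
            raise ValueError("bad BER length")
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if pos + length > len(data):
        raise ValueError("truncated BER element")
    return tag, data[pos:pos + length], pos + length


def _elements(seq):
    tag, body, end = _read_tlv(seq, 0)
    if tag != 0x30 or end != len(seq):
        raise ValueError("expected exactly one SEQUENCE")
    out, pos = [], 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        out.append((t, v))
    return out


def control_value(control):
    """controlValue is the last child of a Control; a lone controlType means no value."""
    elems = _elements(control)
    if len(elems) < 2 or elems[-1][0] != 0x04:
        raise ValueError("Control carries no controlValue")
    return elems[-1][1]


def parse_session_tracking_value(value):
    """Decode the control value into its four fields (what slapd currently only logs)."""
    elems = _elements(value)
    if len(elems) != 4 or any(t != 0x04 for t, _ in elems):
        raise ValueError("expected four OCTET STRING fields")
    return dict(zip(_FIELDS, (v.decode("utf-8") for _, v in elems)))


# Constructed sample: the load balancer's header, then the client's anonymous LDAPv3 BindRequest.
SAMPLE_LDAP_BIND = bytes.fromhex("300c020101600702010304008000")
SAMPLE_STREAM = b"PROXY TCP4 192.0.2.10 10.0.0.5 51234 389\r\n" + SAMPLE_LDAP_BIND


def proxy_connection(stream, identifier):
    """Strip the PROXY header; return (control the proxy would attach, LDAP bytes to forward)."""
    hdr, ldap_bytes = split_proxy_v1_header(stream)
    if hdr is None or hdr["family"] == "UNKNOWN":
        raise ValueError("no usable PROXY header on this connection")
    if not ldap_bytes or ldap_bytes[0] != 0x30:
        raise ValueError("forwarded bytes do not start with a BER SEQUENCE")
    value = build_session_tracking_value(hdr["src_ip"], "", FORMAT_USERNAME_OID, identifier)
    return build_control(SESSION_TRACKING_OID, value), ldap_bytes
```

A real proxy would still have to splice the returned control into the controls field of every LDAPMessage it forwards, and, as noted above, slapd would only log it until its ACLs learn to evaluate the control. Passing critical=True makes a server that does not support the control answer with unavailableCriticalExtension instead of silently dropping the client attribution, which is the behaviour you want when the proxied address is meant to drive access decisions.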