On Tue, Feb 04, 2025 at 11:12:57AM -0800, Ben Poliakoff wrote:
> I've successfully set up haproxy with current openldap slapd backend instances, the ldap client IP is passed on to my slapd instances, and things like IP based ACLs work.
>
> But now I'm exploring and comparing the features of the OpenLDAP lloadd backend. I've been using the embedded version, loading lloadd.a into slapd and I've been using the example configs from https://www.openldap.org/doc/admin26/loadbalancer.html as a starting point.
>
> I'm consistently seeing these errors on the backend slapd:
>
> Feb 4 10:45:33 test local4.debug slapd[508415]: proxyp(19): invalid header signature
> Feb 4 10:45:33 test local4.debug slapd[508415]: slapd(19): proxyp failed
>
> And on the frontend slapd (running lload) I'm seeing these sorts of errors:
>
> Feb 4 10:48:12 slapd-lb-a local4.debug slapd[271207]: operation_init: received a new operation, bind request with msgid=1 for client connid=6
> Feb 4 10:48:12 slapd-lb-a local4.debug slapd[271207]: request_bind: connid=6, msgid=1 no available connection found
Hi Ben, the load balancer doesn't proxy a single client connection to a single backend; it chooses a connection to use for each request separately, so it can't pass a proxy protocol header to the backend[0]. It still supports pldap(s):// on the listening side, but there is little it can do with the information it received (apart from logging it).
> When I compare the traffic between slapd w/lload and the backend slapd with traffic between haproxy and the same backend slapd, the main thing that I notice is that the slapd w/lload is doing a TLSv1 client hello whereas haproxy is doing a TLSv1.3 client hello.
>
> Is it possible that the lloadd code doesn't support TLSv1.3? I'd be surprised if that were the case, since the same slapd happily supports client connections with TLSv1.3, but I can't figure out why it's only trying TLSv1.
I'm not aware of lloadd being unable to establish a TLSv1.3 connection, is this unrelated to the other configuration above?
[0]. Also these connections are established completely independently so there are often no clients around when that happens...
Regards,
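The "proxyp(19): invalid header signature" line above is what a pldap:// listener reports when the first bytes on the connection are not a PROXY protocol v2 header. The following is an added example (not code from the thread or from OpenLDAP) that encodes and decodes a v2 header the way haproxy's send-proxy-v2 and a pldap:// listener would, then feeds it an LDAP bind both with and without the header. The header layout follows HAProxy's published proxy-protocol.txt; the addresses, ports and the anonymous bind request bytes are constructed for the example:

```python
import ipaddress
import struct

# 12-byte PROXY protocol v2 signature (HAProxy proxy-protocol.txt, section 2.2)
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_VERSION = 0x2
PP2_CMD_LOCAL, PP2_CMD_PROXY = 0x0, 0x1
PP2_FAM_INET, PP2_FAM_INET6 = 0x1, 0x2
PP2_PROTO_STREAM = 0x1


class ProxyHeaderError(ValueError):
    """Raised when the leading bytes are not a valid PROXY v2 header."""


def build_proxy_v2(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Encode a v2 PROXY header for a TCP connection (what a proxy configured
    with send-proxy-v2 sends first). Family is taken from the address form."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("mixed address families")
    fam = PP2_FAM_INET if s.version == 4 else PP2_FAM_INET6
    addrs = s.packed + d.packed + struct.pack("!HH", sport, dport)
    return (PP2_SIGNATURE
            + bytes([(PP2_VERSION << 4) | PP2_CMD_PROXY,
                     (fam << 4) | PP2_PROTO_STREAM])
            + struct.pack("!H", len(addrs))
            + addrs)


def parse_proxy_v2(data: bytes):
    """Split a stream into (client_info, remaining_payload).

    client_info is None for a LOCAL command (the proxy's own health check);
    otherwise a dict with the original client's src/dst address and port.
    """
    if data[:12] != PP2_SIGNATURE:
        # An LDAP PDU starts with a BER SEQUENCE (0x30), so it fails here.
        raise ProxyHeaderError("invalid header signature")
    if len(data) < 16:
        raise ProxyHeaderError("short header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != PP2_VERSION:
        raise ProxyHeaderError("unsupported version %d" % (ver_cmd >> 4))
    end = 16 + length
    if len(data) < end:
        raise ProxyHeaderError("truncated header")
    addr, payload = data[16:end], data[end:]
    cmd = ver_cmd & 0x0F
    if cmd == PP2_CMD_LOCAL:
        return None, payload
    if cmd != PP2_CMD_PROXY:
        raise ProxyHeaderError("unknown command %d" % cmd)
    fam, proto = fam_proto >> 4, fam_proto & 0x0F
    if proto != PP2_PROTO_STREAM:
        raise ProxyHeaderError("only TCP (STREAM) is handled here")
    if fam == PP2_FAM_INET:
        fmt, cls = "!4s4sHH", ipaddress.IPv4Address
    elif fam == PP2_FAM_INET6:
        fmt, cls = "!16s16sHH", ipaddress.IPv6Address
    else:
        raise ProxyHeaderError("unknown address family %d" % fam)
    need = struct.calcsize(fmt)
    if len(addr) < need:
        raise ProxyHeaderError("address block too short")
    src, dst, sport, dport = struct.unpack(fmt, addr[:need])
    # Anything after `need` would be TLVs (e.g. PP2_TYPE_SSL); ignored here.
    return {"src": str(cls(src)), "src_port": sport,
            "dst": str(cls(dst)), "dst_port": dport}, payload


def describe(data: bytes) -> str:
    """One-line summary in the spirit of the slapd log lines in the thread."""
    try:
        info, payload = parse_proxy_v2(data)
    except ProxyHeaderError as e:
        return "proxyp failed: %s" % e
    who = "LOCAL" if info is None else "%s:%d -> %s:%d" % (
        info["src"], info["src_port"], info["dst"], info["dst_port"])
    return "proxyp ok: %s, %d payload bytes" % (who, len(payload))


# Constructed sample: an anonymous LDAPv3 simple bind, msgid 1.
LDAP_BIND = bytes.fromhex("300c020101600702010304008000")

if __name__ == "__main__":
    # haproxy-style: PROXY header first, then the LDAP bind
    print(describe(build_proxy_v2("192.0.2.10", "198.51.100.5", 51234, 389) + LDAP_BIND))
    # what a backend sees when the frontend opens the connection without a header
    print(describe(LDAP_BIND))
```

The second call reproduces the failure mode in the thread: with no header in front of the bind, the signature comparison fails on the first twelve bytes and the listener never reaches the LDAP decoder. The example stops at the address block; a full implementation would also walk the optional TLVs after it.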
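On the TLSv1-versus-TLSv1.3 client hello question, a ClientHello carries a version in three places: the record-layer header, the handshake's legacy_version field, and, for TLS 1.3, the supported_versions extension (RFC 8446 sections 4.1.2, 4.2.1 and 5.1, which also say the first ClientHello record should carry record version 0x0301 for compatibility). Which of these a capture tool labels determines what it prints. The following is an added example, not code from the thread or from OpenLDAP, that builds two constructed ClientHellos (zero random, three suites, no key share or SNI, so not usable for a real handshake) and extracts the versions a listener would actually see:

```python
import struct

TLS_NAMES = {0x0301: "TLSv1", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
EXT_SUPPORTED_VERSIONS = 43  # RFC 8446 section 4.2.1


def build_client_hello(record_version: int, legacy_version: int, offered: list) -> bytes:
    """Construct a minimal ClientHello record carrying the three version fields.
    `offered` becomes a supported_versions extension when non-empty."""
    # Constructed suite list: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
    # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.
    cipher_suites = bytes.fromhex("13011302c02f")
    exts = b""
    if offered:
        versions = b"".join(struct.pack("!H", v) for v in offered)
        data = bytes([len(versions)]) + versions
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(data)) + data
    body = (struct.pack("!H", legacy_version)
            + bytes(32)                      # client random (zeros, constructed)
            + b"\x00"                        # empty legacy_session_id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + b"\x01\x00"                    # compression_methods: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16" + struct.pack("!HH", record_version, len(handshake)) + handshake


def client_hello_versions(record: bytes) -> dict:
    """Pull the record-layer version, legacy_version and supported_versions out
    of a ClientHello record and report the highest version really offered."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version, rec_len = struct.unpack("!HH", record[1:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    legacy_version = struct.unpack("!H", body[:2])[0]
    p = 34                                              # legacy_version + random
    p += 1 + body[p]                                    # legacy_session_id
    p += 2 + struct.unpack("!H", body[p:p + 2])[0]      # cipher_suites
    p += 1 + body[p]                                    # compression_methods
    offered = []
    if p + 2 <= len(body):                              # extensions are optional pre-1.3
        end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[p:p + 4])
            data = body[p + 4:p + 4 + ext_len]
            p += 4 + ext_len
            if ext_type == EXT_SUPPORTED_VERSIONS:
                n = data[0]
                offered = [struct.unpack("!H", data[1 + i:3 + i])[0] for i in range(0, n, 2)]
    # With supported_versions present the extension decides; legacy_version is
    # then fixed at 0x0303 and the record layer may still say 0x0301.
    highest = max(offered) if offered else legacy_version
    return {"record_version": record_version,
            "legacy_version": legacy_version,
            "supported_versions": offered,
            "offered": TLS_NAMES.get(highest, hex(highest))}


if __name__ == "__main__":
    # A TLS 1.3-capable client: record layer 0x0301, legacy 0x0303, extension lists 1.3 and 1.2.
    print(client_hello_versions(build_client_hello(0x0301, 0x0303, [0x0304, 0x0303])))
    # A genuine TLS 1.0-only client: no supported_versions at all.
    print(client_hello_versions(build_client_hello(0x0301, 0x0301, [])))
```

Both hellos carry 0x0301 in the record header, so a summary that reads only that field cannot tell them apart; the supported_versions list, or its absence, is what to check in the capture before concluding which version a client offered.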