I've successfully set up haproxy with current openldap slapd backend instances, the ldap client IP is passed on to my slapd instances, and things like IP based ACLs work.

But now I'm exploring and comparing the features of the OpenLDAP lloadd backend. I've been using the embedded version, loading lloadd.a into slapd and I've been using the example configs from https://www.openldap.org/doc/admin26/loadbalancer.html as a starting point.

I'm consistently seeing these errors on the backend slapd:

Feb  4 10:45:33 test local4.debug slapd[508415]: proxyp(19): invalid header signature
Feb  4 10:45:33 test local4.debug slapd[508415]: slapd(19): proxyp failed

And on the frontend slapd (running lload) I'm seeing these sorts of errors:

Feb  4 10:48:12 slapd-lb-a local4.debug slapd[271207]: operation_init: received a new operation, bind request with msgid=1 for client connid=6
Feb  4 10:48:12 slapd-lb-a local4.debug slapd[271207]: request_bind: connid=6, msgid=1 no available connection found

When I compare the traffic between slapd w/lload and the backend slapd with traffic between haproxy and the same backend slapd, the main thing that I notice is that the slapd w/lload is doing a TLSv1 client hello whereas haproxy is doing a TLSv1.3 client hello.

Is it possible that the lloadd code doesn't support TLSv1.3? I'd be surprised if that were the case, since the same slapd happily supports client connections with TLSv1.3, but I can't figure out why it's only trying TLSv1.

I'm running openldap 2.6.9 packages from Symas on Debian 12, for what it's worth. 

While I've been working on this I've been using the slapd.conf style config, but would transition to cn=config if it were to go to production.

I've tried configuring the backend server URI with ldap://, ldaps://, pldap://, and pldaps://, all with the same results. My current config follows.

Thanks for any suggestions!

Ben

------- current config -----------------------------------------------
TLSCertificateFile /etc/haproxy/haproxy.pem
TLSCertificateKeyFile /etc/haproxy/haproxy.pem
TLSCACertificatePath /etc/ssl/certs

loglevel stats
#loglevel -1

pidfile /var/symas/run/openldap-lload.pid

allow bind_v2

include /opt/symas/etc/openldap/schema/core.schema

modulepath /opt/symas/lib/openldap

# require at least SSL/TLS for simple binds
security simple_bind=1

moduleload lloadd.la
backend lload

# The Load Balancer manages its own sockets, so they have to be separate
# from the ones slapd manages (as specified with the -h "URLS" option at
# startup).
listen ldaps://:10636

# Enable authorization tracking
feature proxyauthz

# Specify the number of threads to use for the connection manager.  The default is 1 and this is typically adequate for up to 16 CPU cores.
# The value should be set to a power of 2:
io-threads  2

TLSShareSlapdCTX true

# Authentication and other options (timeouts) shared between backends.
bindconf bindmethod=simple
         tls_cacertdir="/etc/ssl/certs"
         binddn=uid=ldap-lb,ou=Services,dc=example,dc=com
         credentials=xxxxxxxxxxxxxxxxxxxxxxxxxxx
         network-timeout=5

tier bestof
backend-server uri=pldaps://backend-slapd-hostname:8636
               retry=5000 max-pending-ops=50 conn-max-pending=10
               numconns=10 bindconns=5

#######################################################################
database        monitor
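An added example for this thread (not code from OpenLDAP, lload, haproxy or Ben's post): a small Python classifier for the first bytes that arrive on the backend port. It assumes, as the proxyp log line suggests, that a pldap:// or pldaps:// listener wants a PROXY protocol v2 header (12-byte signature, version/command byte, family/protocol byte, length, addresses) before anything else, so a connection that opens with a TLS record instead is reported the way the backend reports it. For a ClientHello it also reports three things separately, because per RFC 8446 the record layer of an initial ClientHello carries 0x0301 and the handshake legacy_version carries 0x0303 no matter what is offered, and only the supported_versions extension says whether TLS 1.3 is on the table. The PROXY header, the two ClientHellos and the port 8636 are constructed sample input, not captured traffic; feed `classify()` the first few hundred bytes of a real capture taken in front of the backend.

```python
"""Classify the opening bytes on a backend slapd pldap(s) listener.

Added example, not from OpenLDAP or lload. Distinguishes a PROXY v2
header, a PROXY v1 text header and a bare TLS ClientHello, and for the
latter reports record version, legacy_version and max offered version.
"""
import ipaddress
import struct

PROXY_V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"   # 12-byte PROXY v2 signature
PROXY_V1_SIG = b"PROXY "
TLS_HANDSHAKE, TLS_CLIENT_HELLO = 0x16, 0x01
EXT_SUPPORTED_VERSIONS = 0x002B
TLS_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
             0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}


def tls_name(v):
    return TLS_NAMES.get(v, "0x%04x" % v)


def parse_proxy_v2(data):
    """Parse a PROXY v2 header; ValueError (slapd-like wording) if absent."""
    if len(data) < 16 or data[:12] != PROXY_V2_SIG:
        raise ValueError("invalid header signature")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY version")
    addr = data[16:16 + length]
    if len(addr) < length:
        raise ValueError("truncated PROXY header")
    fam = fam_proto >> 4                 # 1 = AF_INET, 2 = AF_INET6, 3 = AF_UNIX
    info = {"kind": "proxy_v2", "payload_offset": 16 + length,
            "command": "PROXY" if (ver_cmd & 0x0F) == 1 else "LOCAL"}
    alen = {1: 4, 2: 16}.get(fam)        # address size for INET / INET6
    if info["command"] == "PROXY" and alen and len(addr) >= 2 * alen + 4:
        sport, dport = struct.unpack("!HH", addr[2 * alen:2 * alen + 4])
        info.update(src=str(ipaddress.ip_address(addr[:alen])),
                    dst=str(ipaddress.ip_address(addr[alen:2 * alen])),
                    sport=sport, dport=dport)
    return info


def parse_client_hello(data):
    """Parse a TLS ClientHello record into record/legacy/max offered versions."""
    if len(data) < 5 or data[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_ver, rec_len = struct.unpack("!HH", data[1:5])
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != TLS_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    try:
        legacy_ver = struct.unpack("!H", hello[:2])[0]
        pos = 2 + 32                                            # legacy_version + random
        pos += 1 + hello[pos]                                   # session id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher suites
        pos += 1 + hello[pos]                                   # compression methods
        offered = [legacy_ver]     # no supported_versions: legacy_version is the max
        if pos + 2 <= len(hello):  # extensions block (absent on old-style hellos)
            end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
            pos += 2
            while pos + 4 <= end:
                etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
                edata = hello[pos + 4:pos + 4 + elen]
                pos += 4 + elen
                if etype == EXT_SUPPORTED_VERSIONS and edata:
                    offered = [struct.unpack("!H", edata[i:i + 2])[0]
                               for i in range(1, 1 + edata[0], 2)]
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello")
    known = [v for v in offered if v in TLS_NAMES]   # drop GREASE values
    return {"kind": "tls_client_hello", "record_version": tls_name(rec_ver),
            "legacy_version": tls_name(legacy_ver),
            "max_offered": tls_name(max(known) if known else legacy_ver)}


def classify(data):
    """What did the client send first: PROXY v2, PROXY v1, TLS, or something else?"""
    if data.startswith(PROXY_V2_SIG):
        return parse_proxy_v2(data)
    if data.startswith(PROXY_V1_SIG):
        line = data.split(b"\r\n", 1)[0]
        return {"kind": "proxy_v1", "header": line.decode("ascii", "replace"),
                "payload_offset": len(line) + 2}
    if data[:1] == bytes([TLS_HANDSHAKE]):
        return parse_client_hello(data)
    return {"kind": "unknown", "first_bytes": data[:12].hex()}


# --- constructed sample input (not captured traffic) ---------------------
def build_proxy_v2(src, dst, sport, dport):
    """Constructed PROXY v2 header for a TCP (STREAM) connection."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    fam = 0x1 if s.version == 4 else 0x2
    addr = s.packed + d.packed + struct.pack("!HH", sport, dport)
    return PROXY_V2_SIG + bytes([0x21, (fam << 4) | 0x1]) + struct.pack("!H", len(addr)) + addr


def build_client_hello(legacy_version, supported_versions=None):
    """Constructed minimal ClientHello; record layer always says 0x0301."""
    body = struct.pack("!H", legacy_version) + b"\x00" * 32 + b"\x00"   # random, no session id
    body += b"\x00\x02\x13\x01" + b"\x01\x00"       # one suite (0x1301), null compression
    if supported_versions is not None:
        vs = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(vs) + 1) + bytes([len(vs)]) + vs
        body += struct.pack("!H", len(ext)) + ext
    hs = bytes([TLS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Run `classify()` on a capture from the backend side of both paths: the haproxy stream should come back as `proxy_v2` with the real client address and a `payload_offset` at which a second `classify()` call finds the ClientHello, while a stream that classifies as `tls_client_hello` straight away is one the backend's proxyp check will reject before TLS ever starts. Compare `max_offered` rather than `record_version` between the two senders, since the record version is 0x0301 for both.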