On Mon, Dec 04, 2023 at 02:34:57PM +0100, Stefan Kania wrote:
Hello Ondrej,
if I get:
root@loadbalancer01:~# ldapsearch -x -D uid=repl-user,ou=users,dc=example,dc=net -W
Enter LDAP Password:
ldap_bind: Server is unavailable (52)
        additional info: no connections available
The log on the loadbalancer is showing:
Dez 04 14:19:33 loadbalancer01 slapd[883]: operation_init: received a new operation, bind request with msgid=1 for client connid=1
Dez 04 14:19:33 loadbalancer01 slapd[883]: request_bind: connid=1, msgid=1 no available connection found
Dez 04 14:19:33 loadbalancer01 slapd[883]: operation_init: received a new operation, unbind request with msgid=2 for client connid=1
Dez 04 14:19:33 loadbalancer01 slapd[883]: handle_one_request: received unbind, closing client connid=1
On the ldap-server I see nothing in the log:
Next thing I did was ldapsearch with "-d 3" and I got: [...]
I first thought it could be some TLS problem, but as you see TLS is ok.
Now I checked what I see on both ldap-servers when restarting slapd, and I see nothing. So no connection is established for the proxy authentication on slapd start.
If I switch to slapd.conf it works fine on both ldap-servers.
Dez 04 14:27:20 provider02 slapd[501]: conn=1047 fd=21 ACCEPT from IP=192.168.56.24:59358 (IP=0.0.0.0:636)
Dez 04 14:27:20 provider02 slapd[501]: conn=1047 fd=21 TLS established tls_ssf=256 ssf=256 tls_proto=TLSv1.3 tls_cipher=TLS_AES_256_GCM_SHA384
Dez 04 14:27:20 provider02 slapd[501]: conn=1047 op=0 BIND dn="uid=lloadd,ou=users,dc=example,dc=net" method=128
Dez 04 14:27:20 provider02 slapd[501]: conn=1047 op=0 BIND dn="uid=lloadd,ou=users,dc=example,dc=net" mech=SIMPLE bind_ssf=0 ssf=256
There must be something wrong with the bind configuration.
Hi Stefan, are you trying to use the load balancer before it has had a chance to establish its own connections?
Can you provide logs from before you start interacting with lloadd with your client to see whether it's even had a chance to establish them? Loglevel at least 'conns'. lloadd's connection management is not reactive, it has to establish (some) connections to upstreams before anything can be proxied. Until any useable connections exist, every operation that cannot be processed locally will be rejected.
Thanks,
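
A log check for the question raised in the reply above, as an added example that is not part of the original thread: it lists client binds that lloadd rejected with "no available connection found" and reports whether any backend had already logged a completed bind from lloadd's own bind DN by that time. The function names are hypothetical, and treating the backend's `mech=` bind line as the marker of an established upstream connection is this example's heuristic.

```python
import re

# Month abbreviations as printed under German and English locales.
MONTHS = {}
for names in ("Jan Feb Mär Apr Mai Jun Jul Aug Sep Okt Nov Dez",
              "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec"):
    MONTHS.update({n: i for i, n in enumerate(names.split(), 1)})

LINE = re.compile(r"^(\S+) (\d+) (\d+):(\d+):(\d+) (\S+) slapd\[\d+\]: (.*)$")
REJECT = re.compile(r"request_bind: connid=(\d+), msgid=(\d+) no available connection found")
BOUND = re.compile(r'conn=\d+ op=\d+ BIND dn="([^"]*)" mech=')

# Sample lines copied from the thread above.
LLOADD_LOG = """\
Dez 04 14:19:33 loadbalancer01 slapd[883]: operation_init: received a new operation, bind request with msgid=1 for client connid=1
Dez 04 14:19:33 loadbalancer01 slapd[883]: request_bind: connid=1, msgid=1 no available connection found
"""
BACKEND_LOG = """\
Dez 04 14:27:20 provider02 slapd[501]: conn=1047 op=0 BIND dn="uid=lloadd,ou=users,dc=example,dc=net" method=128
Dez 04 14:27:20 provider02 slapd[501]: conn=1047 op=0 BIND dn="uid=lloadd,ou=users,dc=example,dc=net" mech=SIMPLE bind_ssf=0 ssf=256
"""

def parse(log):
    """Yield (sortable timestamp, message) per line; the year is not logged."""
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m and m.group(1) in MONTHS:
            mon, day, hh, mm, ss, _host, msg = m.groups()
            yield (MONTHS[mon], int(day), int(hh), int(mm), int(ss)), msg

def rejected_binds(lloadd_log, backend_log, bind_dn):
    """List rejected client binds and whether a backend had already logged a
    completed bind from lloadd's own DN by then (heuristic, first bind only)."""
    bound = sorted(ts for ts, msg in parse(backend_log)
                   if (m := BOUND.search(msg)) and m.group(1).lower() == bind_dn.lower())
    return [{"connid": int(m.group(1)), "msgid": int(m.group(2)),
             "upstream_bound_earlier": bool(bound) and bound[0] <= ts}
            for ts, msg in parse(lloadd_log) if (m := REJECT.search(msg))]

if __name__ == "__main__":
    for r in rejected_binds(LLOADD_LOG, BACKEND_LOG,
                            "uid=lloadd,ou=users,dc=example,dc=net"):
        print(r)
```

On the lines quoted in the thread, the rejection at 14:19:33 precedes the first backend bind at 14:27:20, so `upstream_bound_earlier` is `False`.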