List members,
I am running 3 OpenLDAP servers in a multi-provider replication setup, with HAProxy load balancing access to the service. I want to implement the proxy protocol, in order to see the client IP, not just the load balancer's source NAT. There are some hang-ups I found when I tried this, and I'm wondering if there is an easier way, or if I have all the places where config changes are needed.
To start, I modified the startup configs so the "-h" parameter was "pldap://host.domain.tld". Then I changed the olcServerID entries in cn=config to match. Next I changed the olcSyncRepl entries to include "provider=pldap://host.domain.tld". Then I made the changes to the HAProxy service and restarted everything.
What I found was that replication failed, as the LDAP instances were not sending the proxy-protocol headers to each other when attempting to initiate connections for replication. They replicate directly between each other and do not talk to the load balancer for replication. I may or may not have to change the "provider" string in the olcSyncRepl configs (I would like to confirm if this is needed or not), but ultimately the instances don't send the proxy-protocol headers, so replication connections do not establish, and replication does not occur.
As the servers stand, they only listen on one interface and all communication happens on this interface. The client connections coming from HAProxy, as well as the replication connections, all go in/out this one interface. Is there a hack that can allow pldap:// and ldap:// listeners to exist on the same interface? If not, would I need to add some different interface for replication? The startup configs would then have "-h pldap://host.domain.tld ldap://host-repl.domain.tld". The olcServerID entries would be "ldap://host-repl.domain.tld", and the olcSyncRepl entries would be "provider=ldap://host-repl.domain.tld".
Are there any tips or tricks about doing this a different way? If not, do I have all the places that config changes are needed, to get this working correctly?
Thanks in advance,
Brendan Kearney
On 09/10/2025 at 17:49, Brendan Kearney wrote:
You need to set different ports for the pldap:// addresses.
See LTB documentation: https://ltb-project.org/documentation/haproxy_openldap_proxy_protocol.html
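To make the answer concrete, here is an added example (not from the list thread, the LTB page, or the OpenLDAP project) of what "different ports" looks like end to end. It assumes OpenLDAP 2.5 or later (where pldap:// listeners exist), three hosts named ldap1..ldap3.domain.tld, plain LDAP on 389 for replication, and a second pldap:// listener on 1389 that only HAProxy talks to; the host names and port 1389 are assumptions, not values from the thread. The slapd side is shown as comments at the top; olcServerID and the olcSyncRepl provider= URLs keep the plain ldap:// address on 389, so the providers never need to send a PROXY header to each other.

```haproxy
# slapd side (same interface, two listeners on different ports):
#   slapd -h "ldap://ldap1.domain.tld:389/ pldap://ldap1.domain.tld:1389/"
# olcServerID:  ldap://ldap1.domain.tld:389/   (likewise for ldap2, ldap3)
# olcSyncRepl:  ... provider=ldap://ldap2.domain.tld:389/ ...
#
# HAProxy side: clients connect to HAProxy on 389; HAProxy connects to the
# pldap listeners on 1389 and prepends a PROXY protocol v2 header carrying
# the real client address, which slapd then logs and uses for ACLs.

global
    log /dev/log local0

defaults
    mode    tcp
    log     global
    option  tcplog
    timeout connect 5s
    timeout client  1m
    timeout server  1m

frontend ldap_in
    bind *:389
    default_backend ldap_pool

backend ldap_pool
    balance leastconn
    option ldap-check
    # send-proxy-v2 applies to health checks too, so the checks reach the
    # pldap listener with a valid header instead of being dropped.
    server ldap1 ldap1.domain.tld:1389 check send-proxy-v2
    server ldap2 ldap2.domain.tld:1389 check send-proxy-v2
    server ldap3 ldap3.domain.tld:1389 check send-proxy-v2
```

One check worth doing before relying on the logged client IPs: a pldap:// listener believes whatever source address the PROXY header claims, so port 1389 must be reachable only from the HAProxy nodes (host firewall or security group), or any host on the network can connect directly and present a forged client address to slapd's ACLs and logs. Keep the plain 389 listener restricted to the replication peers and admin hosts for the same reason.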
On 10/9/25 12:55 PM, Clément OUDOT wrote:
That was easy. Way easier than I was making it out to be. Thanks for the help.
Brendan Kearney
openldap-technical@openldap.org