Hello,
We use the proxy protocol with our OpenLDAP 2.5 servers (pldaps). I noticed that client binaries allow pldaps as protocol in the host address option starting with 2.5, but how can I add proxy headers to the request to communicate with my servers?
I think that there might be something with '-o' that I'm not aware of.
Thanks for your help.
Jerome
On Mon, Jun 30, 2025 at 01:36:35PM +0000, BECOT Jérôme wrote:
> Hello,
> We use the proxy protocol with our OpenLDAP 2.5 servers (pldaps). I noticed that client binaries allow pldaps as protocol in the host address option starting with 2.5, but how can I add proxy headers to the request to communicate with my servers?
> I think that there might be something with '-o' that I'm not aware of.
Hi Jérôme,
the PROXY protocol is for a (trusted) proxy to indicate that a request has come from a different address. The command line clients do nothing of the sort so they won't and can't send the preamble to the server. A server should (also) listen on a non-pldap socket if clients are supposed to be able to talk to it directly.
Regards,
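As an added illustration of the preamble described in the reply above (not code from the thread, OpenLDAP or HAProxy): a Python example that parses a PROXY protocol version 2 header and honours it only when the TCP peer is a trusted proxy. The protocol version, the `TRUSTED_PROXIES` list, the trust policy, all addresses and the function names are assumptions constructed for this example.

```python
import ipaddress
import struct

SIG = b"\r\n\r\n\x00\r\nQUIT\n"  # fixed 12-byte PROXY v2 signature
# Constructed value: the only peer allowed to send a preamble in this example.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]

class ProxyHeaderError(ValueError):
    """Raised when the first bytes of a connection are not an acceptable preamble."""

def build_v2(src, sport, dst, dport):
    """Preamble a proxy prepends for a TCP/IPv4 client (version 2, PROXY command)."""
    body = (ipaddress.IPv4Address(src).packed
            + ipaddress.IPv4Address(dst).packed
            + struct.pack("!HH", sport, dport))
    return SIG + struct.pack("!BBH", 0x21, 0x11, len(body)) + body

def parse_v2(data):
    """Return (client_ip, client_port, bytes_consumed); client_ip is None for LOCAL."""
    if len(data) < 16 or data[:12] != SIG:
        raise ProxyHeaderError("missing proxy header")
    ver_cmd, fam, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2 or ver_cmd & 0x0F > 1:
        raise ProxyHeaderError("unsupported version or command")
    end = 16 + length  # the LDAP/TLS stream starts at this offset
    if len(data) < end:
        raise ProxyHeaderError("truncated header")
    if ver_cmd & 0x0F == 0:  # LOCAL: connection made by the proxy itself
        return None, None, end
    size = {0x11: 4, 0x21: 16}.get(fam)  # TCP over IPv4 / TCP over IPv6
    if size is None or length < 2 * size + 4:
        raise ProxyHeaderError("unsupported family or short address block")
    src = ipaddress.ip_address(data[16:16 + size])
    sport = struct.unpack("!H", data[16 + 2 * size:18 + 2 * size])[0]
    return src, sport, end

def effective_client(peer_ip, first_bytes):
    """Address to log and evaluate in ACLs: the proxied one, if the peer is trusted."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        raise ProxyHeaderError("peer is not a trusted proxy")
    src, _, _ = parse_v2(first_bytes)
    return src if src is not None else peer
```

A direct client's first bytes (a TLS ClientHello or a BER-encoded bind request) do not start with the signature, so `parse_v2` rejects them before any LDAP processing.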
On 02/07/2025 at 14:40, Ondřej Kuzník wrote:
> On Mon, Jun 30, 2025 at 01:36:35PM +0000, BECOT Jérôme wrote:
>> Hello,
>> We use the proxy protocol with our OpenLDAP 2.5 servers (pldaps). I noticed that client binaries allow pldaps as protocol in the host address option starting with 2.5, but how can I add proxy headers to the request to communicate with my servers?
>> I think that there might be something with '-o' that I'm not aware of.
> Hi Jérôme,
> the PROXY protocol is for a (trusted) proxy to indicate that a request has come from a different address. The command line clients do nothing of the sort so they won't and can't send the preamble to the server. A server should (also) listen on a non-pldap socket if clients are supposed to be able to talk to it directly.
Hello,
if that helps, here is a doc on how to configure HAProxy and OpenLDAP: https://ltb-project.org/documentation/haproxy_openldap_proxy_protocol.html
Hello,
I thank you both for your answers. OpenLDAP and HAProxy are up and running at the moment. However, OpenLDAP servers are configured to run only pldaps and ldapi.
We are thinking about performance test strategies and we would like to run tests that bypass the proxies as well. Either we have to find a tool that supports pldap (but that's unlikely to happen) or bind to a classic LDAPS port (that would require firewall port opening).
I wondered about ldapsearch as 2.4 says "pldaps scheme unknown" whereas 2.5 directly throws a "can't contact server" (therefore finding a "missing proxy header" message on the server's log). I could imagine it could.
________________________________
From: Clément OUDOT <clement.oudot@worteks.com>
Sent: Wednesday, 2 July 2025 16:12
To: openldap-technical@openldap.org
Subject: Re: Proxy Protocol support for ldap client
> On 02/07/2025 at 14:40, Ondřej Kuzník wrote:
>> On Mon, Jun 30, 2025 at 01:36:35PM +0000, BECOT Jérôme wrote:
>>> Hello,
>>> We use the proxy protocol with our OpenLDAP 2.5 servers (pldaps). I noticed that client binaries allow pldaps as protocol in the host address option starting with 2.5, but how can I add proxy headers to the request to communicate with my servers?
>>> I think that there might be something with '-o' that I'm not aware of.
>> Hi Jérôme,
>> the PROXY protocol is for a (trusted) proxy to indicate that a request has come from a different address. The command line clients do nothing of the sort so they won't and can't send the preamble to the server. A server should (also) listen on a non-pldap socket if clients are supposed to be able to talk to it directly.
> Hello,
> if that helps, here is a doc on how to configure HAProxy and OpenLDAP: https://ltb-project.org/documentation/haproxy_openldap_proxy_protocol.html
> --
> Clément Oudot | Identity Solutions Manager
> Worteks | https://www.worteks.com