On Mon, Dec 04, 2023 at 02:34:57PM +0100, Stefan Kania wrote:
> Hello Ondrej,
> 
> if I get:
> --------------
> root@loadbalancer01:~# ldapsearch -x -D
> uid=repl-user,ou=users,dc=example,dc=net -W
> Enter LDAP Password:
> ldap_bind: Server is unavailable (52)
>         additional info: no connections available
> --------------
> 
> The log on the loadbalancer is showing:
> -------------
> Dez 04 14:19:33 loadbalancer01 slapd[883]: operation_init: received a new
> operation, bind request with msgid=1 for client connid=1
> Dez 04 14:19:33 loadbalancer01 slapd[883]: request_bind: connid=1, msgid=1
> no available connection found
> Dez 04 14:19:33 loadbalancer01 slapd[883]: operation_init: received a new
> operation, unbind request with msgid=2 for client connid=1
> Dez 04 14:19:33 loadbalancer01 slapd[883]: handle_one_request: received
> unbind, closing client connid=1
> -------------
> 
> On the ldap-server I see, nothing in the log:
> 
> Next thing I did was ldapsearch with "-d 3" and I got:
> [...]
> 
> I first thought it could be some TLS problem but as you see TLS is ok.
> 
> Now I checked what I see on both ldap-servers when restarting slapd, and
> I see nothing. So no connection is established for the proxy authentication
> on slapd start.
> 
> If I switch to slapd.conf it works fine on both ldap-servers.
> -------------
> Dez 04 14:27:20 provider02 slapd[501]: conn=1047 fd=21 ACCEPT from
> IP=192.168.56.24:59358 (IP=0.0.0.0:636)
> Dez 04 14:27:20 provider02 slapd[501]: conn=1047 fd=21 TLS established
> tls_ssf=256 ssf=256 tls_proto=TLSv1.3 tls_cipher=TLS_AES_256_GCM_SHA384
> Dez 04 14:27:20 provider02 slapd[501]: conn=1047 op=0 BIND
> dn="uid=lloadd,ou=users,dc=example,dc=net" method=128
> Dez 04 14:27:20 provider02 slapd[501]: conn=1047 op=0 BIND
> dn="uid=lloadd,ou=users,dc=example,dc=net" mech=SIMPLE bind_ssf=0 ssf=256
> -------------
> There must be something wrong with the bind configuration.

Hi Stefan,
are you trying to use the load balancer before it has had a chance to
establish its own connections?

Can you provide logs from before you start interacting with lloadd with
your client to see whether it's even had a chance to establish them?
Loglevel at least 'conns'. lloadd's connection management is not
reactive, it has to establish (some) connections to upstreams before
anything can be proxied. Until any usable connections exist, every
operation that cannot be processed locally will be rejected.

Thanks,

-- 
Ondřej Kuzník
Senior Software Engineer
Symas Corporation                       http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
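A log check that tests the point made in the reply above, added here as an example that is not part of the thread or of OpenLDAP: it parses constructed lines modelled on the lloadd and upstream slapd formats quoted earlier and reports whether client binds were rejected before the upstream ever accepted a BIND from lloadd's own identity. The proxy DN, the timestamps and the year are assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines in the shape of the logs quoted in the thread
# (lloadd on the balancer, slapd on the upstream). Not real captures.
LLOADD_LOG = """\
Dec 04 14:19:33 loadbalancer01 slapd[883]: operation_init: received a new operation, bind request with msgid=1 for client connid=1
Dec 04 14:19:33 loadbalancer01 slapd[883]: request_bind: connid=1, msgid=1 no available connection found
Dec 04 14:19:33 loadbalancer01 slapd[883]: handle_one_request: received unbind, closing client connid=1
"""
UPSTREAM_LOG = """\
Dec 04 14:27:20 provider02 slapd[501]: conn=1047 fd=21 ACCEPT from IP=192.168.56.24:59358 (IP=0.0.0.0:636)
Dec 04 14:27:20 provider02 slapd[501]: conn=1047 fd=21 TLS established tls_ssf=256 ssf=256 tls_proto=TLSv1.3 tls_cipher=TLS_AES_256_GCM_SHA384
Dec 04 14:27:20 provider02 slapd[501]: conn=1047 op=0 BIND dn="uid=lloadd,ou=users,dc=example,dc=net" mech=SIMPLE bind_ssf=0 ssf=256
"""
PROXY_DN = "uid=lloadd,ou=users,dc=example,dc=net"  # assumed lloadd bind identity

TS_RE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) ")
REJECT_RE = re.compile(r"request_bind: connid=(\d+), msgid=\d+ no available connection found")
UPSTREAM_BIND_RE = re.compile(r'conn=\d+ op=\d+ BIND dn="([^"]+)" mech=')

def parse_ts(line, year=2023):
    """Syslog-style timestamps carry no year; the year is an assumption."""
    m = TS_RE.match(line)
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S") if m else None

def rejected_binds(lloadd_log):
    """(timestamp, client connid) for every bind lloadd refused for lack of an upstream."""
    return [(parse_ts(l), int(m.group(1)))
            for l in lloadd_log.splitlines() if (m := REJECT_RE.search(l))]

def upstream_proxy_binds(upstream_log, proxy_dn):
    """Timestamps at which the upstream accepted a BIND from lloadd's own DN."""
    return [parse_ts(l) for l in upstream_log.splitlines()
            if (m := UPSTREAM_BIND_RE.search(l)) and m.group(1).lower() == proxy_dn.lower()]

def diagnose(lloadd_log, upstream_log, proxy_dn):
    """Verdict: were clients rejected before lloadd had a usable upstream bind?"""
    rejects = rejected_binds(lloadd_log)
    binds = upstream_proxy_binds(upstream_log, proxy_dn)
    if not rejects:
        return "ok"
    if not binds:
        return "upstream-never-bound"      # matches 'nothing in the log' on the provider
    first_ready = min(binds)
    early = [c for ts, c in rejects if ts < first_ready]
    return "rejected-before-upstream-ready" if early else "rejected-after-upstream-ready"

if __name__ == "__main__":
    print(diagnose(LLOADD_LOG, UPSTREAM_LOG, PROXY_DN))
```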
