On Tue, Feb 04, 2025 at 11:12:57AM -0800, Ben Poliakoff wrote:
> I've successfully set up haproxy with current openldap slapd backend
> instances, the ldap client IP is passed on to my slapd instances, and
> things like IP based ACLs work.
>
> But now I'm exploring and comparing the features of the OpenLDAP
> lloadd backend. I've been using the embedded version, loading lloadd.a into
> slapd and I've been using the example configs from
> https://www.openldap.org/doc/admin26/loadbalancer.html as a starting point.
>
> I'm consistently seeing these errors on the backend slapd:
>
> Feb 4 10:45:33 test local4.debug slapd[508415]: proxyp(19): invalid header signature
> Feb 4 10:45:33 test local4.debug slapd[508415]: slapd(19): proxyp failed
>
> And on the frontend slapd (running lload) I'm seeing these sorts of errors:
>
> Feb 4 10:48:12 slapd-lb-a local4.debug slapd[271207]: operation_init: received a new operation, bind request with msgid=1 for client connid=6
> Feb 4 10:48:12 slapd-lb-a local4.debug slapd[271207]: request_bind: connid=6, msgid=1 no available connection found
Hi Ben,

the load balancer doesn't proxy a single client connection to a single
backend, it chooses a connection to use for each request separately so it
can't pass a proxy protocol header to the backend[0]. It still supports
pldap(s):// on the listening side but there is little it can do with the
information it received (apart from logging it).

> When I compare the traffic between slapd w/lload and the backend slapd with
> traffic between haproxy and the same backend slapd, the main thing that I
> notice is that the slapd w/lload is doing a TLSv1 client hello whereas
> haproxy is doing a TLSv1.3 client hello.
>
> Is it possible that the lloadd code doesn't support TLSv1.3? I'd be
> surprised if that were the case, since the same slapd happily
> supports client connections with TLSv1.3, but I can't figure out why it's
> only trying TLSv1.

I'm not aware of lloadd being unable to establish a TLSv1.3 connection, is
this unrelated to the other configuration above?

[0]. Also these connections are established completely independently so
there are often no clients around when that happens...

Regards,

--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
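To make the "proxyp: invalid header signature" failure concrete, here is an added example (not code from OpenLDAP or from either poster) that parses a PROXY protocol v2 header the way a pldap:// listener must before it can apply IP-based ACLs, and shows what happens when the peer opens with a plain LDAP PDU instead. Function names, the returned field names and the sample bind bytes are my own constructions.

```python
import socket
import struct

# 12-byte signature that opens every PROXY protocol v2 header (HAProxy spec).
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_FAMILIES = {0x11: (socket.AF_INET, 4), 0x21: (socket.AF_INET6, 16)}  # TCP4, TCP6


def parse_proxy_v2(data: bytes) -> dict:
    """Parse the header at the start of `data`; raise ValueError on a bad one."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        # What a pldap:// listener sees when the peer (e.g. lloadd, which does not
        # send the header) opens with a plain LDAP PDU instead of the signature.
        raise ValueError("invalid header signature")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY protocol version")
    if len(data) < 16 + length:
        raise ValueError("truncated header")
    body, consumed = data[16:16 + length], 16 + length
    if ver_cmd & 0x0F == 0:  # LOCAL: health check, no client address to apply ACLs to
        return {"command": "LOCAL", "src": None, "dst": None, "consumed": consumed}
    if fam_proto not in PP2_FAMILIES:
        raise ValueError("unsupported address family")
    family, alen = PP2_FAMILIES[fam_proto]
    if len(body) < 2 * alen + 4:
        raise ValueError("short address block")
    src, dst = body[:alen], body[alen:2 * alen]
    sport, dport = struct.unpack("!HH", body[2 * alen:2 * alen + 4])
    return {"command": "PROXY",
            "src": (socket.inet_ntop(family, src), sport),  # the real client, for ACLs
            "dst": (socket.inet_ntop(family, dst), dport),
            "consumed": consumed}  # the LDAP stream starts at data[consumed:]


def proxyp_reason(data: bytes) -> str:
    """Return 'ok' or the failure reason a backend would log (constructed helper)."""
    try:
        parse_proxy_v2(data)
        return "ok"
    except ValueError as exc:
        return str(exc)


def build_proxy_v2_tcp4(src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bytes:
    """Build the TCP4 header an haproxy-style frontend sends ahead of client bytes."""
    body = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!HH", src_port, dst_port)
    return PP2_SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(body)) + body


# Constructed sample: a minimal anonymous LDAP BindRequest (msgid=1, version 3).
LDAP_BIND = bytes.fromhex("300c020101600702010304008000")
```

With the header in front, the backend learns the client address and can locate the LDAP PDU after it; without it, the first bytes of the BindRequest fail the signature check, which matches the backend log in the thread.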
