Use HAProxy and OpenLDAP with proxy protocol
HAProxy is a well-known TCP/HTTP proxy and load balancer that can be placed in front of OpenLDAP for high availability.
One of the caveats of this setup is that the IP address written in OpenLDAP logs is that of the HAProxy server, not that of the LDAP client.
Since OpenLDAP 2.5, you can enable the proxy protocol (pldap:// and pldaps:// listener URLs) and get the real client IP in OpenLDAP logs.
Proxy protocol in OpenLDAP
OpenLDAP must listen on additional ports for LDAP and LDAPS with the proxy protocol enabled.
Because slapd trusts the client address carried in the PROXY header, these ports must be reachable only from the HAProxy servers (filter them with a firewall, or bind them on a private interface instead of "*" below): any other host able to connect to them can have an arbitrary client address written in the logs.
With OpenLDAP LTB packages, just configure slapd-cli:
vi /usr/local/openldap/etc/openldap/slapd-cli.conf
PIP="*"
PPORT="8389"
PSSLIP="*"
PSSLPORT="8636"
SLAPD_SERVICES="ldap://$IP:$PORT ldaps://$SSLIP:$SSLPORT ldapi://$LDAPI_SOCKETURL pldap://$PIP:$PPORT pldaps://$PSSLIP:$PSSLPORT"
Then restart OpenLDAP:
slapd-cli restart
Proxy protocol in HAProxy
A standard HAProxy configuration for load balancing OpenLDAP looks like this:
frontend openldap
bind *:389
default_backend openldap_servers
backend openldap_servers
balance roundrobin
server openldap1 openldap1:389 check
server openldap2 openldap2:389 check
frontend openldap_ssl
bind *:636
default_backend openldap_servers_ssl
backend openldap_servers_ssl
balance roundrobin
server openldap1 openldap1:636 check check-ssl ca-file /etc/ssl/certs/CA.crt
server openldap2 openldap2:636 check check-ssl ca-file /etc/ssl/certs/CA.crt
The only changes needed are to send the proxy protocol v2 header to the backend servers (send-proxy-v2) and to use the corresponding proxy ports (8389 and 8636):
frontend openldap
bind *:389
default_backend openldap_servers
backend openldap_servers
balance roundrobin
server openldap1 openldap1:8389 check send-proxy-v2
server openldap2 openldap2:8389 check send-proxy-v2
frontend openldap_ssl
bind *:636
default_backend openldap_servers_ssl
backend openldap_servers_ssl
balance roundrobin
server openldap1 openldap1:8636 check send-proxy-v2 check-ssl ca-file /etc/ssl/certs/CA.crt
server openldap2 openldap2:8636 check send-proxy-v2 check-ssl ca-file /etc/ssl/certs/CA.crt
Restart HAProxy:
systemctl restart haproxy
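To check the pldap:// listener without HAProxy in the path, and to see why it must be reachable only from the load balancers, here is an added example (not code from this page, nor from the OpenLDAP or HAProxy projects) that hand-builds the PROXY protocol v2 header that send-proxy-v2 emits, follows it with an anonymous LDAP simple bind and decodes the BindResponse. The host name openldap1, the port 8389 and the addresses 192.168.1.1 and 10.10.10.10 are assumptions for a lab matching the log excerpt below; the header builder is IPv4/TCP only.

```python
"""Added example, not code from the LTB page or from the OpenLDAP/HAProxy
projects: hand-build the PROXY protocol v2 header that HAProxy's send-proxy-v2
emits, follow it with an anonymous LDAP simple bind, and decode the BindResponse.
Host names, ports and addresses are assumptions for a lab setup."""
import socket
import struct

# PROXY protocol v2, binary form (see the PROXY protocol specification).
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"   # 12-byte magic prefix
PP2_VERSION_CMD_PROXY = 0x21                # high nibble: version 2, low nibble: PROXY command
PP2_FAMILY_TCP4 = 0x11                      # high nibble: AF_INET, low nibble: SOCK_STREAM


def proxy_v2_header(src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bytes:
    """Header for a TCP-over-IPv4 connection (IPv6 is left out for brevity).

    src is the original client address, which slapd then logs as
    'ACCEPT from IP=...'; dst is the frontend address the client connected to
    on the load balancer.
    """
    body = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!HH", src_port, dst_port)
    return PP2_SIGNATURE + struct.pack("!BBH", PP2_VERSION_CMD_PROXY, PP2_FAMILY_TCP4, len(body)) + body


# Minimal BER helpers: enough for a BindRequest and a BindResponse.
def ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def ber(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content


def read_tlv(buf: bytes, pos: int = 0):
    """Decode one TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next (length & 0x7f) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def anonymous_bind_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name "", simple "" } }.
    message_id is kept below 128 so a single-byte INTEGER is correct."""
    bind = ber(0x60, ber(0x02, b"\x03") + ber(0x04, b"") + ber(0x80, b""))
    return ber(0x30, ber(0x02, bytes([message_id])) + bind)


def bind_result_code(response: bytes) -> int:
    """resultCode of an LDAP BindResponse (APPLICATION 1, tag 0x61)."""
    tag, msg, _ = read_tlv(response)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(msg)               # skip messageID
    op_tag, op, _ = read_tlv(msg, pos)
    if op_tag != 0x61:
        raise ValueError("not a BindResponse")
    code_tag, code, _ = read_tlv(op)        # first field: resultCode ENUMERATED (0x0a)
    if code_tag != 0x0A:
        raise ValueError("missing resultCode")
    return int.from_bytes(code, "big")


def bind_via_proxy_port(slapd_host: str, slapd_port: int, client_ip: str, client_port: int,
                        lb_ip: str, lb_port: int, timeout: float = 5.0) -> int:
    """Connect straight to slapd's pldap:// port, present a PROXY v2 header that
    claims client_ip:client_port as the source, bind anonymously and return the
    resultCode (0 = success). This is exactly what any host able to reach the
    pldap port can do, with any address it likes, so that port must only accept
    connections from the HAProxy servers."""
    with socket.create_connection((slapd_host, slapd_port), timeout=timeout) as sock:
        sock.sendall(proxy_v2_header(client_ip, client_port, lb_ip, lb_port) + anonymous_bind_request())
        response = sock.recv(4096)
    return bind_result_code(response)


if __name__ == "__main__":
    # Assumed lab values matching the page's log excerpt: slapd on openldap1:8389,
    # a client 192.168.1.1:23456 that reached the balancer at 10.10.10.10:389.
    print("bind resultCode:", bind_via_proxy_port("openldap1", 8389, "192.168.1.1", 23456, "10.10.10.10", 389))
```

Run it from a host that is allowed to reach port 8389 and the slapd log should show `proxyp(...): via IP=<that host>` followed by `ACCEPT from IP=192.168.1.1:23456`, whatever the real source was. The pldaps:// port (8636) expects the same header, but the LDAP exchange after it must go over TLS, which this plaintext example does not do.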
Logs
Now in OpenLDAP logs you should see the real client IP: the proxyp line gives the address of the HAProxy server that opened the TCP connection, and the ACCEPT line gives the client address carried in the PROXY header:
proxyp(17): via IP=10.10.10.10:12345
conn=1000 fd=17 ACCEPT from IP=192.168.1.1:23456 (IP=0.0.0.0:8389)
conn=1000 op=0 BIND dn="" method=128
conn=1000 op=0 RESULT tag=97 err=0 qtime=0.000034 etime=0.000150 text=
conn=1000 fd=17 closed
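When reading these logs at scale, the two lines of a proxied connection need to be joined (by file descriptor, as in the excerpt above) before the client address can be attributed to a conn number, and an ACCEPT on a proxy-protocol port whose PROXY header came from something other than a known HAProxy server means the logged client address cannot be trusted. The following added example (not code from this page) does that correlation over constructed log lines; the proxy ports 8389/8636 and the trusted HAProxy address 10.10.10.10 are assumptions matching the setup described above, and the patterns handle IPv4 only.

```python
"""Added example, not code from the LTB page: correlate the two slapd log lines
a proxied connection produces (proxyp(fd) with the HAProxy address, then
ACCEPT with the client address carried in the PROXY header) and flag
connections on the proxy-protocol ports whose header came from an unexpected
peer. The log lines are constructed; the proxy ports 8389/8636 and the trusted
HAProxy address are assumptions matching the page's setup. IPv4 only."""
import re
from typing import Dict, Iterable, List, Set

PROXYP_RE = re.compile(r"proxyp\((?P<fd>\d+)\): via IP=(?P<ip>[\d.]+):(?P<port>\d+)")
ACCEPT_RE = re.compile(
    r"conn=(?P<conn>\d+) fd=(?P<fd>\d+) ACCEPT from IP=(?P<cip>[\d.]+):(?P<cport>\d+) "
    r"\(IP=(?P<lip>[\d.]+):(?P<lport>\d+)\)"
)


def correlate(lines: Iterable[str], proxy_ports: Iterable[int] = (8389, 8636)) -> List[Dict]:
    """One record per ACCEPT line. 'via' is the peer that actually opened the TCP
    connection (the load balancer, taken from the preceding proxyp line with the
    same fd); 'client_ip' is the address slapd logs for the session."""
    proxy_ports = set(proxy_ports)
    pending: Dict[int, str] = {}            # fd -> peer address from the last proxyp line
    records: List[Dict] = []
    for line in lines:
        m = PROXYP_RE.search(line)
        if m:
            pending[int(m["fd"])] = m["ip"]
            continue
        m = ACCEPT_RE.search(line)
        if m:
            fd, lport = int(m["fd"]), int(m["lport"])
            records.append({
                "conn": int(m["conn"]),
                "client_ip": m["cip"],
                "client_port": int(m["cport"]),
                "listener_port": lport,
                "proxied": lport in proxy_ports,
                "via": pending.pop(fd, None),   # None: no proxyp line seen for this fd
            })
    return records


def untrusted_proxied(records: List[Dict], trusted_proxies: Set[str]) -> List[Dict]:
    """Connections on a proxy-protocol port whose PROXY header did not come from
    a known HAProxy address: the logged client_ip cannot be trusted for those."""
    return [r for r in records if r["proxied"] and r["via"] not in trusted_proxies]


# Constructed sample: the page's excerpt, plus a PROXY header sent from a host that
# is not one of the HAProxy servers, and a plain (non-proxied) connection on port 389.
SAMPLE_LOG = """\
proxyp(17): via IP=10.10.10.10:12345
conn=1000 fd=17 ACCEPT from IP=192.168.1.1:23456 (IP=0.0.0.0:8389)
conn=1000 op=0 BIND dn="" method=128
conn=1000 op=0 RESULT tag=97 err=0 qtime=0.000034 etime=0.000150 text=
conn=1000 fd=17 closed
proxyp(18): via IP=203.0.113.7:40000
conn=1001 fd=18 ACCEPT from IP=192.168.1.1:23456 (IP=0.0.0.0:8389)
conn=1002 fd=19 ACCEPT from IP=10.10.10.11:6000 (IP=0.0.0.0:389)
""".splitlines()

TRUSTED_HAPROXY = {"10.10.10.10"}          # assumed address of the HAProxy server


def report(lines: Iterable[str] = SAMPLE_LOG, trusted: Set[str] = TRUSTED_HAPROXY) -> List[int]:
    """conn numbers whose logged client address should not be trusted."""
    return [r["conn"] for r in untrusted_proxied(correlate(lines), trusted)]


if __name__ == "__main__":
    for record in correlate(SAMPLE_LOG):
        print(record)
    print("untrusted proxied connections:", report())
```

With the sample above, conn=1000 is attributed to 192.168.1.1 via the trusted HAProxy, conn=1002 is a direct connection on port 389 with no PROXY header, and conn=1001 is flagged because its header arrived from 203.0.113.7, which is not a load balancer; in a correctly firewalled setup that last case should never appear.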