Hi Trevor,

Okay, I see... It's the multi-valued config bug, and it actually affected the `dsconf config add`.
So, as of now, you need to use *ldapmodify* command and do the modification in the same LDAP transaction:

dn: cn=config
changetype: modify
add: nsslapd-haproxy-trusted-ip
nsslapd-haproxy-trusted-ip: 192.168.0.1
-
add: nsslapd-haproxy-trusted-ip
nsslapd-haproxy-trusted-ip: 192.168.0.2
-
add: nsslapd-haproxy-trusted-ip
nsslapd-haproxy-trusted-ip: 192.168.0.3

This way, it will persist after the restart. We'll be working on the fix in the meantime.

Regards,
Simon

On Sat, Nov 9, 2024 at 4:04 PM Trevor Fong <[email protected]> wrote:

> Hi Simon,
>
> I've added 8 different nsslapd-haproxy-trusted-ip entries to all the nodes
> in my dev cluster (each being a potential upstream loadbalancer/snat pool
> node - trying to provide for the different envs the nodes might end up
> being deployed to in actual use), but after restarting dirsrv.target, most
> of them get removed somehow. The entries that remain seem to be the
> loadbalancer nodes healthchecking the dirsrv node. Does this behaviour
> sound right to you?
>
> eg:
>
> # ldapsearch -H ldap://localhost -x -D "cn=Directory Manager" -W -b "cn=config" -s base -a always "(objectClass=*)" nsslapd-haproxy-trusted-ip -LLL
> Enter LDAP Password:
> dn: cn=config
> nsslapd-haproxy-trusted-ip: 10.x.x.1
> nsslapd-haproxy-trusted-ip: 10.x.x.2
> nsslapd-haproxy-trusted-ip: 10.x.x.3
> nsslapd-haproxy-trusted-ip: 10.x.x.14
> nsslapd-haproxy-trusted-ip: 10.x.x.11
> nsslapd-haproxy-trusted-ip: 10.x.x.15
> nsslapd-haproxy-trusted-ip: 10.x.x.13
> nsslapd-haproxy-trusted-ip: 10.x.x.12
>
> [root@eldap-s-van-01 log] 16:02:07
> # systemctl restart dirsrv.target
> [root@eldap-s-van-01 log] 16:02:31
> # ldapsearch -H ldap://localhost -x -D "cn=Directory Manager" -W -b "cn=config" -s base -a always "(objectClass=*)" nsslapd-haproxy-trusted-ip -LLL
> Enter LDAP Password:
> dn: cn=config
> nsslapd-haproxy-trusted-ip: 10.19.170.13
> nsslapd-haproxy-trusted-ip: 10.19.170.14
>
> Thanks,
> Trev
>
> On Sat, 9 Nov 2024 at 15:57, Trevor Fong <[email protected]> wrote:
>
>> Hi Simon,
>>
>> Thanks for the answer - dsconf worked for me.
>> I was trying to add new values of nsslapd-haproxy-trusted-ip using Apache
>> Directory Studio. It seemed to be behaving idiosyncratically and it didn't
>> seem to be adding them, but rather overwriting the previous value. But
>> doing an ldapsearch thereafter showed that it was actually being added as a
>> multi-valued attribute, with multiple entries of
>> nsslapd-haproxy-trusted-ip. I guess ADS works a little funkily
>> for nsslapd-haproxy-trusted-ip?
>> Going forward, I'll use dsconf to manage this attribute.
>>
>> Thanks,
>> Trev
>>
>> On Sat, 9 Nov 2024 at 08:29, Simon Pichugin <[email protected]> wrote:
>>
>>> Hi Trevor,
>>> The easiest way will be to use the *dsconf* command and run the *dsconf
>>> add* a few times (and do separate delete commands if needed).
>>>
>>> dsconf instance config add nsslapd-haproxy-trusted-ip=192.168.0.1
>>> dsconf instance config add nsslapd-haproxy-trusted-ip=192.168.0.2
>>> dsconf instance config add nsslapd-haproxy-trusted-ip=192.168.0.3
>>> dsconf instance config delete nsslapd-haproxy-trusted-ip=192.168.0.2
>>> dsconf instance config add nsslapd-haproxy-trusted-ip=192.168.0.4
>>>
>>> Another way will be to use *ldapmodify* command and do the modification
>>> in the same LDAP transaction:
>>>
>>> dn: cn=config
>>> changetype: modify
>>> add: nsslapd-haproxy-trusted-ip
>>> nsslapd-haproxy-trusted-ip: 192.168.0.1
>>> -
>>> add: nsslapd-haproxy-trusted-ip
>>> nsslapd-haproxy-trusted-ip: 192.168.0.2
>>> -
>>> add: nsslapd-haproxy-trusted-ip
>>> nsslapd-haproxy-trusted-ip: 192.168.0.3
>>>
>>> Sorry if it's a bit inconvenient. We have plans to improve the cn=config
>>> handling logic for multivalued attributes.
>>>
>>> Regards,
>>> Simon
>>>
>>>
>>> On Fri, Nov 8, 2024 at 3:43 PM Trevor Fong via 389-users <
>>> [email protected]> wrote:
>>>
>>>> Hi There,
>>>>
>>>> I'm trying to set up 389 DS nodes (2.4.5) to use the Proxy protocol
>>>> for HAProxy load-balancing behind F5 load-balancers.
>>>>
>>>> I've been following
>>>> https://www.port389.org/docs/389ds/howto/howto-test-haproxy-ldaps.html
>>>> and
>>>>
>>>> https://docs.redhat.com/en/documentation/red_hat_directory_server/12/html/configuration_and_schema_reference/assembly_core-server-configuration-attributes_config-schema-reference-title#nsslapd-haproxy-trusted-ip_assembly_cn-config
>>>> .
>>>>
>>>> The Red Hat docs say "the nsslapd-haproxy-trusted-ip attribute
>>>> configures the list of trusted proxy servers." I have at least 5 IP's I
>>>> would need the 389 DS nodes to trust, but nsslapd-haproxy-trusted-ip does
>>>> not want to accept a CIDR nor does it seem to accept multiple values. It
>>>> also doesn't want to accept a comma delimited list of IP's.
>>>>
>>>> Does anyone know the correct syntax/setup for multiple HAProxy trusted
>>>> IP's?
>>>> Are there any further docs available?
>>>>
>>>> Thanks,
>>>> Trev
>>>> --
>>>> _______________________________________________
>>>> 389-users mailing list -- [email protected]
>>>> To unsubscribe send an email to [email protected]
>>>> Fedora Code of Conduct:
>>>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>> List Archives:
>>>> https://lists.fedoraproject.org/archives/list/[email protected]
>>>> Do not reply to spam, report it:
>>>> https://pagure.io/fedora-infrastructure/new_issue
>>>>
>>>
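Added example, not part of the thread and not 389 DS project code: a small Python helper that builds the single-operation LDIF shown in Simon's reply from a list of addresses, and compares `ldapsearch -LLL` output taken after a restart against the intended list to report values that were dropped. The function names and the sample output are constructed for illustration; it also handles IPv6 addresses, which the thread does not discuss.

```python
import base64
import ipaddress

ATTR = "nsslapd-haproxy-trusted-ip"


def _ldif_value(ip):
    """Render one attribute line; an LDIF plain value may not start with ':'."""
    text = str(ip)
    if text.startswith(":"):  # e.g. the IPv6 address ::1 must be base64-encoded
        return f"{ATTR}:: {base64.b64encode(text.encode()).decode()}"
    return f"{ATTR}: {text}"


def build_ldif(ips):
    """Build ONE modify record that adds every address in a single operation."""
    # ip_address() raises ValueError for CIDR ranges and comma-separated lists,
    # the two forms the thread reports the attribute does not accept.
    addrs = [ipaddress.ip_address(raw.strip()) for raw in ips]
    if not addrs:
        raise ValueError("no addresses given")
    changes = "\n-\n".join(f"add: {ATTR}\n{_ldif_value(a)}" for a in addrs)
    return f"dn: cn=config\nchangetype: modify\n{changes}\n"


def parse_values(ldapsearch_output):
    """Collect the attribute's values from `ldapsearch -LLL` output."""
    found = set()
    for line in ldapsearch_output.splitlines():
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != ATTR:
            continue
        if value.startswith(":"):  # base64-encoded value ("attr:: ...")
            value = base64.b64decode(value[1:].strip()).decode()
        found.add(ipaddress.ip_address(value.strip()))
    return found


def missing_after_restart(expected, ldapsearch_output):
    """Return the expected addresses that the server no longer lists."""
    want = {ipaddress.ip_address(raw.strip()) for raw in expected}
    return [str(a) for a in sorted(want - parse_values(ldapsearch_output), key=int)]


# Constructed sample: ldapsearch -LLL output after a restart that kept 2 of 3.
EXPECTED = ["192.168.0.1", "192.168.0.2", "192.168.0.3"]
SAMPLE_AFTER_RESTART = """dn: cn=config
nsslapd-haproxy-trusted-ip: 192.168.0.2
nsslapd-haproxy-trusted-ip: 192.168.0.3
"""

if __name__ == "__main__":
    print(build_ldif(EXPECTED), end="")
    print("missing:", missing_after_restart(EXPECTED, SAMPLE_AFTER_RESTART))
```

The LDIF printed by `build_ldif` can be piped to `ldapmodify` with the same bind options used for `ldapsearch` in the thread; an empty list from `missing_after_restart` means every intended proxy address is still present.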
