Hello Thanks so much. That worked well, I now get
*L7OK/0 in 0ms* not sure I believe the 0ms but maybe I should Thanks again, Neil On 30 March 2015 at 22:14, Baptiste <bed...@gmail.com> wrote: > On Mon, Mar 30, 2015 at 10:33 PM, Neil - HAProxy List > <maillist-hapr...@iamafreeman.com> wrote: > > Hello > > > > I'm trying to use ldap-check with active directory and the response > active > > directory gives is not one ldap-check is happy to accept > > > > when I give a 389 directory backend ldap server all is well, when I use > AD I > > get 'Not LDAPv3 protocol' > > > > I've done a little poking about and found that > > if ((msglen > 2) || > > (memcmp(check->bi->data + 2 + msglen, > > "\x02\x01\x01\x61", 4) != 0)) { > > set_server_check_status(check, > > HCHK_STATUS_L7RSP, "Not LDAPv3 protocol"); > > is where I'm getting stopped as msglen is 4 > > > > Here is tcpdump of 389 directory response (the one that works) 2 packets > > 21:29:34.195699 IP 389.ldap > HAPROXY.57109: Flags [.], ack 15, win 905, > > options [nop,nop,TS val 856711882 ecr 20393440], length 0 > > 0x0000: 0050 5688 7042 0064 403b 2700 0800 4500 .PV.pB.d@;'...E. > > 0x0010: 0034 9d07 4000 3f06 3523 ac1b e955 ac18 .4..@.?.5#...U.. > > 0x0020: 2810 0185 df15 5cab ffcd 63ba 77d3 8010 (.....\...c.w... > > 0x0030: 0389 2c07 0000 0101 080a 3310 62ca 0137 ..,.......3.b..7 > > 0x0040: 2de0 -. > > 21:29:34.195958 IP 389.ldap > HAPROXY.57109: Flags [P.], seq 1:15, ack > 15, > > win 905, options [nop,nop,TS val 856711882 ecr 20393440], length 14 > > 0x0000: 0050 5688 7042 0064 403b 2700 0800 4500 .PV.pB.d@;'...E. > > 0x0010: 0042 9d08 4000 3f06 3514 ac1b e955 ac18 .B..@.?.5....U.. > > 0x0020: 2810 0185 df15 5cab ffcd 63ba 77d3 8018 (.....\...c.w... > > 0x0030: 0389 e878 0000 0101 080a 3310 62ca 0137 ...x......3.b..7 > > 0x0040: 2de0 300c 0201 0161 070a 0100 0400 0400 -.0....a........ > > > > Here is tcpdump of active directory (broken) 1 packet > > > > 21:25:24.519883 IP ADSERVER.ldap > HAPROXY.57789: Flags [P.], seq 1:23, > ack > > 15, win 260, options [nop,nop,TS val 1870785 ecr 20331021], length 22 > > 0x0000: 0050 5688 7042 0050 5688 7780 0800 4500 .PV.pB.PV.w...E. > > 0x0010: 004a 1d7d 4000 8006 34e3 ac18 280d ac18 .J.}@...4...(... > > 0x0020: 2810 0185 e1bd 5a3f 2ae7 3ced 7b5b 8018 (.....Z?*.<.{[.. > > 0x0030: 0104 1d7a 0000 0101 080a 001c 8bc1 0136 ...z...........6 > > 0x0040: 3a0d 3084 0000 0010 0201 0161 8400 0000 :.0........a.... > > 0x0050: 070a 0100 0400 0400 > > > > this was discussed but not finished before see > > http://www.serverphorums.com/read.php?10,394453 > > > > I can see the string \02\01\01\61 is there but not in the correct place > > > > Anyone have any ideas about fixing this so that both (and possibly other) > > ldap implementations work? > > > > Thanks, > > > > Neil > > > Hi Neil > > Yes you can switch to the tcp-check checking method. > I works with binary protocols as well. > Here is what I use for the AD in my lab: > > option tcp-check > tcp-check connect port 389 > tcp-check send-binary 300c0201 # LDAP bind request "<ROOT>" simple > tcp-check send-binary 01 # message ID > tcp-check send-binary 6007 # protocol Op > tcp-check send-binary 0201 # bind request > tcp-check send-binary 03 # LDAP v3 > tcp-check send-binary 04008000 # name, simple authentication > tcp-check expect binary 0a0100 # bind response + result code: success > tcp-check send-binary 30050201034200 # unbind request > > > You could add the same sequence for LDAPs on port 636: > tcp-check connect port 636 ssl > tcp-check send-binary 300c0201 # LDAP bind request "<ROOT>" simple > tcp-check send-binary 01 # message ID > tcp-check send-binary 6007 # protocol Op > tcp-check send-binary 0201 # bind request > tcp-check send-binary 03 # LDAP v3 > tcp-check send-binary 04008000 # name, simple authentication > tcp-check expect binary 0a0100 # bind response + result code: success > tcp-check send-binary 30050201034200 # unbind request > > > Note for myself: put this tip on the blog.. > > Baptiste >