you should believe it :)

On Mon, Mar 30, 2015 at 11:34 PM, Neil - HAProxy List
<maillist-hapr...@iamafreeman.com> wrote:
> Hello
>
> Thanks so much. That worked well, I now get
> L7OK/0 in 0ms
> not sure I believe the 0ms but maybe I should
>
> Thanks again,
>
> Neil
>
> On 30 March 2015 at 22:14, Baptiste <bed...@gmail.com> wrote:
>>
>> On Mon, Mar 30, 2015 at 10:33 PM, Neil - HAProxy List
>> <maillist-hapr...@iamafreeman.com> wrote:
>> > Hello
>> >
>> > I'm trying to use ldap-check with active directory and the response
>> > active
>> > directory gives is not one ldap-check is happy to accept
>> >
>> > when I give a 389 directory backend ldap server all is well, when I use
>> > AD I
>> > get 'Not LDAPv3 protocol'
>> >
>> > I've done a little poking about and found that
>> >     if ((msglen > 2) ||
>> >         (memcmp(check->bi->data + 2 + msglen, "\x02\x01\x01\x61", 4) != 0)) {
>> >             set_server_check_status(check, HCHK_STATUS_L7RSP, "Not LDAPv3 protocol");
>> > is where I'm getting stopped as msglen is 4
>> >
>> > Here is tcpdump of 389 directory response (the one that works) 2 packets
>> > 21:29:34.195699 IP 389.ldap > HAPROXY.57109: Flags [.], ack 15, win 905,
>> > options [nop,nop,TS val 856711882 ecr 20393440], length 0
>> >     0x0000:  0050 5688 7042 0064 403b 2700 0800 4500  .PV.pB.d@;'...E.
>> >     0x0010:  0034 9d07 4000 3f06 3523 ac1b e955 ac18  .4..@.?.5#...U..
>> >     0x0020:  2810 0185 df15 5cab ffcd 63ba 77d3 8010  (.....\...c.w...
>> >     0x0030:  0389 2c07 0000 0101 080a 3310 62ca 0137  ..,.......3.b..7
>> >     0x0040:  2de0                                     -.
>> > 21:29:34.195958 IP 389.ldap > HAPROXY.57109: Flags [P.], seq 1:15, ack
>> > 15,
>> > win 905, options [nop,nop,TS val 856711882 ecr 20393440], length 14
>> >     0x0000:  0050 5688 7042 0064 403b 2700 0800 4500  .PV.pB.d@;'...E.
>> >     0x0010:  0042 9d08 4000 3f06 3514 ac1b e955 ac18  .B..@.?.5....U..
>> >     0x0020:  2810 0185 df15 5cab ffcd 63ba 77d3 8018  (.....\...c.w...
>> >     0x0030:  0389 e878 0000 0101 080a 3310 62ca 0137  ...x......3.b..7
>> >     0x0040:  2de0 300c 0201 0161 070a 0100 0400 0400  -.0....a........
>> >
>> > Here is tcpdump of active directory (broken) 1 packet
>> >
>> > 21:25:24.519883 IP ADSERVER.ldap > HAPROXY.57789: Flags [P.], seq 1:23,
>> > ack
>> > 15, win 260, options [nop,nop,TS val 1870785 ecr 20331021], length 22
>> >     0x0000:  0050 5688 7042 0050 5688 7780 0800 4500  .PV.pB.PV.w...E.
>> >     0x0010:  004a 1d7d 4000 8006 34e3 ac18 280d ac18  .J.}@...4...(...
>> >     0x0020:  2810 0185 e1bd 5a3f 2ae7 3ced 7b5b 8018  (.....Z?*.<.{[..
>> >     0x0030:  0104 1d7a 0000 0101 080a 001c 8bc1 0136  ...z...........6
>> >     0x0040:  3a0d 3084 0000 0010 0201 0161 8400 0000  :.0........a....
>> >     0x0050:  070a 0100 0400 0400
>> >
>> > this was discussed but not finished before see
>> > http://www.serverphorums.com/read.php?10,394453
>> >
>> > I can see the string \02\01\01\61 is there but not in the correct place
>> >
>> > Anyone have any ideas about fixing this so that both (and possibly
>> > other)
>> > ldap implementations work?
>> >
>> > Thanks,
>> >
>> > Neil
>>
>>
>> Hi Neil
>>
>> Yes, you can switch to the tcp-check checking method.
>> It works with binary protocols as well.
>> Here is what I use for the AD in my lab:
>>
>>  option tcp-check
>>  tcp-check connect port 389
>>  tcp-check send-binary 300c0201 # LDAP bind request "<ROOT>" simple
>>  tcp-check send-binary 01 # message ID
>>  tcp-check send-binary 6007 # protocol Op
>>  tcp-check send-binary 0201 # bind request
>>  tcp-check send-binary 03 # LDAP v3
>>  tcp-check send-binary 04008000 # name, simple authentication
>>  tcp-check expect binary 0a0100 # bind response + result code: success
>>  tcp-check send-binary 30050201034200 # unbind request
>>
>>
>> You could add the same sequence for LDAPs on port 636:
>>  tcp-check connect port 636 ssl
>>  tcp-check send-binary 300c0201 # LDAP bind request "<ROOT>" simple
>>  tcp-check send-binary 01 # message ID
>>  tcp-check send-binary 6007 # protocol Op
>>  tcp-check send-binary 0201 # bind request
>>  tcp-check send-binary 03 # LDAP v3
>>  tcp-check send-binary 04008000 # name, simple authentication
>>  tcp-check expect binary 0a0100 # bind response + result code: success
>>  tcp-check send-binary 30050201034200 # unbind request
>>
>>
>> Note for myself: put this tip on the blog...
>>
>> Baptiste
>
>
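The two captures differ in BER length encoding: 389 Directory Server uses the short form (`30 0c`) while Active Directory uses the long form (`30 84 00 00 00 10`) for both the outer SEQUENCE and the bindResponse, which is why the `msglen > 2` test in the ldap-check code rejects it. As an added example (not HAProxy's code and not from anyone in the thread), here is a C decoder that accepts both forms and validates the bindResponse; the two payloads are transcribed from the tcpdump output above.

```c
#include <stddef.h>
#include <stdint.h>

/* Decode a BER length at p[0]: short form (one byte, "30 0c" from 389 DS) or
 * long form (0x80|n then n big-endian bytes, "30 84 00 00 00 10" from AD).
 * Returns header bytes consumed, or 0 if indefinite, oversized or truncated. */
static size_t ber_length(const uint8_t *p, size_t avail, size_t *len)
{
    size_t i, n;
    if (avail < 1)
        return 0;
    if (p[0] < 0x80) {
        *len = p[0];
        return 1;
    }
    n = p[0] & 0x7f;
    if (n == 0 || n > 4 || avail < 1 + n)   /* LDAP forbids indefinite length */
        return 0;
    for (*len = 0, i = 0; i < n; i++)
        *len = (*len << 8) | p[1 + i];
    return 1 + n;
}

/* Validate bindResponse: SEQUENCE { messageID INTEGER, [APPLICATION 1] {
 * resultCode ENUMERATED, ... } }. 1 = success, 0 = LDAP error, -1 = malformed. */
static int ldap_bind_response_ok(const uint8_t *buf, size_t n)
{
    size_t off = 0, hdr, len;
    if (n < 2 || buf[off++] != 0x30)
        return -1;
    if (!(hdr = ber_length(buf + off, n - off, &len)) || len > n - off - hdr)
        return -1;
    off += hdr;
    if (n - off < 3 || buf[off] != 0x02 || buf[off + 1] != 0x01)
        return -1;                           /* messageID: INTEGER, 1 byte */
    off += 3;
    if (n - off < 2 || buf[off++] != 0x61)
        return -1;                           /* not [APPLICATION 1] bindResponse */
    if (!(hdr = ber_length(buf + off, n - off, &len)) || len > n - off - hdr)
        return -1;
    off += hdr;
    if (len < 3 || buf[off] != 0x0a || buf[off + 1] != 0x01)
        return -1;                           /* resultCode: ENUMERATED, 1 byte */
    return buf[off + 2] == 0x00 ? 1 : 0;
}
/* Payloads transcribed from the two tcpdump captures in the thread. */
static const uint8_t ds389_reply[] = { 0x30, 0x0c, 0x02, 0x01, 0x01, 0x61, 0x07,
    0x0a, 0x01, 0x00, 0x04, 0x00, 0x04, 0x00 };
static const uint8_t ad_reply[] = { 0x30, 0x84, 0x00, 0x00, 0x00, 0x10, 0x02, 0x01,
    0x01, 0x61, 0x84, 0x00, 0x00, 0x00, 0x07, 0x0a, 0x01, 0x00, 0x04, 0x00, 0x04, 0x00 };
```

Both replies validate as a successful bind; a truncated reply or a non-zero resultCode is reported instead of being mistaken for "Not LDAPv3 protocol".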
