> On 2 Nov 2017, at 21:56, my.card....@web.de wrote:
>
> Hi all,
>
> the attached patch implements authentication against an LDAP Directory
> Server. It has been tested on Ubuntu 16.04 (x86_64) using libldap-2.4-2 on
> the client side and 389-ds-base 1.3.4.9-1 on the server side. Add USE_LDAP=1
> to your make command line to compile it in.
>
> What do I have to do to get this functionality integrated within the next
> official haproxy release?
>
> I'm currently trying to figure out how to pass commas ',' and brackets '(',
> ')' as arguments to http_auth_ldap. Do you have any hints for me on this
> topic?
>
> Feedback is very welcome!

Hi,

thanks for your patch. I already tried to add LDAP authentication in HAProxy, but unfortunately the OpenLDAP library is only available in blocking mode. Unfortunately (again) OpenLDAP seems to be the only LDAP library available.

So during the processing of the sample fetch "http_auth_ldap", the following functions perform network requests and block HAProxy:

* ldap_initialize (maybe)
* ldap_simple_bind_s
* ldap_search_ext_s

HAProxy is blocked waiting for the LDAP response, so during this time HAProxy no longer processes HTTP requests. This behavior is not acceptable under heavy load.

There are two ways to perform LDAP authentication:

* easy: look at the SPOE protocol. You just write a multithreaded server which listens to HAProxy over SPOE, performs the LDAP request and returns the response. You will find an example of a SPOE server in the contrib directory. I guess that an SPOE contrib for LDAP authentication will be welcome.

* difficult: make your own LDAP payload (very hard with v3 and crypto) and write code using sockets, like SPOE or Lua cosocket.

Best regards,
Thierry

>
> Kind regards,
>
> Danny
> <0001-Simple-LDAP-authentication.patch>
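
The stall described in the reply above, as an added example that is not part of the original thread or of HAProxy: a single-threaded event loop serves other requests while one authentication either blocks inline or is handed to worker threads. Assumptions: `time.sleep` stands in for the blocking libldap calls, a thread pool stands in for an external multithreaded agent (this is not the SPOE protocol), and all names and credentials are hypothetical.

```python
import asyncio
import time
from concurrent.futures import ThreadPoolExecutor

LDAP_LATENCY = 0.3  # constructed: seconds the directory server takes to answer
TICK = 0.01         # constructed: spacing of unrelated requests on the loop

def blocking_ldap_bind(user, password):
    """Stand-in for ldap_simple_bind_s(): the calling thread waits for the reply."""
    time.sleep(LDAP_LATENCY)
    return (user, password) == ("alice", "s3cret")  # constructed credential pair

async def other_requests(served, stop):
    """Unrelated traffic that the same event loop is expected to keep serving."""
    while not stop.is_set():
        served.append(time.monotonic())
        await asyncio.sleep(TICK)

async def run(offload):
    """Return (auth_ok, other requests served while the bind was pending)."""
    served, stop = [], asyncio.Event()
    traffic = asyncio.create_task(other_requests(served, stop))
    await asyncio.sleep(0)  # let the traffic task start before measuring
    start = time.monotonic()
    if offload:
        # A worker thread waits on LDAP; the loop stays free for other requests.
        with ThreadPoolExecutor(max_workers=4) as pool:
            ok = await asyncio.get_running_loop().run_in_executor(
                pool, blocking_ldap_bind, "alice", "s3cret")
    else:
        # Blocking call made directly on the loop thread: nothing else runs.
        ok = blocking_ldap_bind("alice", "s3cret")
    end = time.monotonic()
    stop.set()
    await traffic
    return ok, len([t for t in served if start < t < end])

def measure(offload):
    """Run one authentication and report how much other traffic got through."""
    return asyncio.run(run(offload))

if __name__ == "__main__":
    print("inline   :", measure(False))
    print("offloaded:", measure(True))
```

With the inline call, the count of other requests served during the bind is zero regardless of how short `TICK` is; the latency of the directory server becomes the latency of every connection on the loop.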