> On 2 Nov 2017, at 21:56, my.card....@web.de wrote:
> 
> Hi all,
>  
> the attached patch implements authentication against an LDAP Directory 
> Server. It has been tested on Ubuntu 16.04 (x86_64) using libldap-2.4-2 on 
> the client side and 389-ds-base 1.3.4.9-1 on the server side. Add USE_LDAP=1 
> to your make command line to compile it in.
>  
> What do I have to do to get this functionality integrated within the next 
> official haproxy release?
>  
> I'm currently trying to figure out how to pass commas ',' and brackets '(', 
> ')' as arguments to http_auth_ldap. Do you have any hints for me on this 
> topic?
>  
> Feedback is very welcome!


Hi, thanks for your patch.

I already tried to add LDAP authent in HAProxy, but unfortunately the OpenLDAP 
library is only available in blocking mode. Unfortunately (again) OpenLDAP 
seems to be the only LDAP library available. So during the processing of the 
sample fetch “http_auth_ldap”, the following functions perform network 
requests and block HAProxy.

 * ldap_initialize (maybe)
 * ldap_simple_bind_s
 * ldap_search_ext_s

HAProxy is blocked waiting for the LDAP response, so during this time HAProxy no 
longer processes HTTP requests. This behavior is not acceptable under heavy 
load.

Two ways of performing LDAP authent:

 * easy: look at the SPOE protocol. You just write a multithreaded server which 
listens to HAProxy for SPOE, performs the LDAP request and returns the response. You will 
find an example of a SPOE server in the contrib directory. I guess that an 
SPOE contrib for LDAP authent will be welcome.

 * difficult: make your own LDAP payload (very hard with v3 and crypto) and 
write code using sockets like SPOE or Lua cosocket

Best regards,
Thierry


>  
> Kind regards,
>  
>       Danny
> <0001-Simple-LDAP-authentication.patch>
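
The stall described in the reply, shown as an added example that is not part of the original thread or of HAProxy: a single-threaded event loop makes a synchronous bind inline, then hands the same call to a worker pool, which is the role a separate multithreaded SPOE agent would play. `blocking_bind`, the 300 ms delay and the credentials are constructed stand-ins; no LDAP library is called.

```python
import asyncio
import time
from concurrent.futures import ThreadPoolExecutor

BIND_DELAY = 0.3   # constructed: the directory server answers after 300 ms
TICK = 0.01        # other traffic wants the loop every 10 ms

def blocking_bind(user: str, password: str) -> bool:
    """Stand-in for a synchronous call such as ldap_simple_bind_s."""
    time.sleep(BIND_DELAY)           # the calling thread is stuck here
    return password == "s3cret"      # constructed credential check

async def heartbeat(gaps: list, stop: asyncio.Event) -> None:
    """Models unrelated HTTP requests: records the time between ticks."""
    last = time.monotonic()
    while not stop.is_set():
        await asyncio.sleep(TICK)
        now = time.monotonic()
        gaps.append(now - last)
        last = now

async def _run(offload: bool):
    gaps, stop = [], asyncio.Event()
    hb = asyncio.create_task(heartbeat(gaps, stop))
    await asyncio.sleep(5 * TICK)    # let some traffic flow first
    if offload:
        # Worker threads absorb the wait; the loop keeps serving ticks.
        loop = asyncio.get_running_loop()
        with ThreadPoolExecutor(max_workers=4) as pool:
            ok = await loop.run_in_executor(
                pool, blocking_bind, "danny", "s3cret")
    else:
        # Inline call: nothing else runs until the bind returns.
        ok = blocking_bind("danny", "s3cret")
    await asyncio.sleep(5 * TICK)
    stop.set()
    await hb
    return ok, max(gaps)

def measure(offload: bool):
    """Return (auth_result, worst delay seen by other traffic in seconds)."""
    return asyncio.run(_run(offload))

if __name__ == "__main__":
    for mode in (False, True):
        ok, worst = measure(mode)
        print(f"offload={mode} auth={ok} worst_stall={worst * 1000:.0f} ms")
```

With the inline call, the worst stall is at least the full bind delay for every other connection; offloaded, it stays near the tick interval.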

