Hi Willy.

>> Have the client the CA Certificates from the LDAPS server?
> No, it haven't

This could be the issue, as the client must be able to verify the server CA. Try adding the server CA chain to the client and try the connection again.

If there is an option in the client so that the client doesn't need to verify the CA, can you also try activating this option, but only for testing?

As the config looks right, the CA issue could be the reason for the TLS connection issue.

```
[snip]

frontend Front_ROR_LDAPS
    mode tcp

[snip]
```

Best Regards
Alex

On 2024-02-16 (Fr.) 06:08, TINK-LONG-KI Willy wrote:
Hi Aleksandar,

Thank you so much for your reply and your help. You will find attached the config file of the HAProxy and, below in red, the information requested.

Thank you so much for your help.

Kind regards,

Willy

--------------------------------------------------------------------------------
*From:* Aleksandar Lazic <al-hapr...@none.at>
*Sent:* Thursday, 15 February 2024 15:20
*To:* TINK-LONG-KI Willy <willy.tink-long...@nxo.eu>
*Cc:* haproxy@formilux.org <haproxy@formilux.org>
*Subject:* Re: Haproxy accross LDAPS
Hi Willy.

On 2024-02-15 (Do.) 09:07, TINK-LONG-KI Willy wrote:
Hello All,

I'm trying to configure a backend on HAProxy (release 2.4.25) with LDAPS in
order to authenticate users via LDAPS.

Any chance to use the latest 2.8 or 2.9?

Below is information about my configuration:

- Port used on the backend: 636
- Mode used on the backend: tcp
- SSL certificate installed on the LDAPS server.

Do you know if that is possible, please?

When I try to connect to HAProxy from the internet I get this error message:

```
ERR_04120_TLS_HANDSHAKE_ERROR The TLS handshake failed, reason: Unspecified:
Improper close state: Status = OK HandshakeStatus = NEED_WRAP
bytesConsumed = 0 bytesProduced = 7 sequenceNumber = 1
```

This is not a HAProxy error message.

Please can you share the config, with minimal config and no sensitive
information.

TCP mode works quite well with TLS forwarding, but this requires that the
target server, the LDAP server, handles the TLS handshake.

You can see this in that picture
https://m365.eu.vadesecure.com/safeproxy/v4?f=JQRJ_Uz5yPCPp-B6jOmbT575xVwxzFR44U-b0s6PemPO4mDgKfLfB3kq-4D47NVm&i=Ph3ZFuCUnHz1u8PINUtpSMadyd9FOmq8P5_kNBq-bbA_U3hPACK9z-ehvOagSwWHw2smwqsWbV_73guivXKYtw&k=l4gg&r=r_32UO2JEjC-krA16kbYLUhau70siOrxbqxGsC5k7kqrKn8IyTgrtY0CQu8w3sw8&s=f05ca09bc48042d6f9dfa24716ed17b84e26ec2bc0812ff96fa01f78c60d720f&u=https%3A%2F%2Fwww.me2digital.com%2Fblog%2F2019%2F05%2Fhaproxy-sni-routing%2F

Is the LDAP Server configured for LDAPS?

Yes, the LDAP server is configured as LDAPS with an SSL certificate.

Have the client the CA Certificates from the LDAPS server?

No, it hasn't.

What's your LDAP client config?

I use Apache Directory Studio as the LDAP client. The configuration is very simple; I set the information below in the configuration:
IP address of HAProxy, the listen port and credentials.

Thank you for your help.

Kind Regards,

Willy

Regards
Alex
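As an added example, not taken from this thread or from either poster's configuration, the following is a minimal TCP-mode passthrough for LDAPS of the kind Alex describes: HAProxy forwards the TLS stream untouched, the LDAP server performs the handshake, and the LDAP client therefore has to trust the LDAP server's CA chain (HAProxy's own certificates play no part). The health check additionally verifies that chain itself, so a server presenting an untrusted or expired certificate is taken out of rotation instead of producing client-side handshake failures. Frontend and backend names, the server address and the CA bundle path are assumptions.

```haproxy
# Added example (assumed names, address and path): LDAPS passthrough in TCP mode.
frontend Front_LDAPS_example
    bind :636
    mode tcp
    option tcplog
    # Only forward connections that begin with a TLS ClientHello; plaintext
    # probes against the LDAPS port are dropped after the inspect delay.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    default_backend Back_LDAPS_example

backend Back_LDAPS_example
    mode tcp
    # check-ssl makes the health check do its own TLS handshake against the
    # LDAP server; verify required + ca-file makes that check fail unless the
    # server certificate chains to the trusted LDAP CA bundle.
    server ldap1 ldap1.example.internal:636 check check-ssl verify required ca-file /etc/haproxy/ldap-ca-chain.pem
```

To confirm what a client sees through the proxy, `openssl s_client -connect <haproxy-address>:636 -CAfile ldap-ca-chain.pem -servername ldap1.example.internal` prints the certificate chain that the LDAP server presents and ends with a `Verify return code` line; `0 (ok)` means the CA bundle given with `-CAfile` is sufficient, and the same bundle is what the LDAP client (here Apache Directory Studio) needs in its trust store.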
