List members,
I am running 3 OpenLDAP servers in a multi-provider replication setup,
with HAProxy load balancing access to the service. I want to implement
proxy-protocol, in order to see the client IP, not just the load
balancer's source NAT. There are some hang-ups I found when I tried this,
and I'm wondering if there is an easier way, or if I have all the places
where config changes are needed.

To start, I modified the startup configs so the "-h" parameter was
"pldap://host.domain.tld". Then I changed the olcServerID entries in
cn=config to match. Next I changed the olcSyncRepl entries to include
"provider=pldap://host.domain.tld". Then I made the changes to the
HAProxy service and restarted everything.

What I found was the replication failed, as the LDAP instances were not
sending the proxy-protocol headers to each other when attempting to
initiate connections for replication. They replicate directly between
each other and do not talk to the load balancer for replication. I may
or may not have to change the "provider" string in the olcSyncRepl
configs (I would like to confirm if this is needed or not), but
ultimately the instances don't send the proxy-protocol headers, so
replication connections do not establish, and replication does not occur.

As the servers stand, they only listen on one interface and all
communication happens on this interface. The client connections coming
from HAProxy, as well as the replication connections, all go in/out this
one interface. Is there a hack that can allow pldap:// and ldap://
listeners to exist on the same interface? If not, would I need to add
some different interface for replication? The startup configs would
then have "-h pldap://host.domain.tld ldap://host-repl.domain.tld". The
olcServerID entries would be "ldap://host-repl.domain.tld", and the
olcSyncRepl entries would be "provider=ldap://host-repl.domain.tld".

Are there any tips or tricks about doing this a different way? If not,
do I have all the places that config changes are needed to get this
working correctly?

Thanks in advance,
Brendan Kearney
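As an added illustration (not part of the original post), the following Python shows on the wire why a pldap:// listener cannot accept a connection from a peer that still speaks plain ldap://: the listener expects the 12-byte PROXY protocol v2 signature before anything else, while a syncrepl consumer's connection begins directly with a BER-encoded LDAPMessage. It follows HAProxy's published PROXY protocol v2 layout for TCP over IPv4 only; the addresses and the anonymous bind bytes are constructed sample values.

```python
import socket
import struct
from typing import Optional

# Constructed sample: the first LDAPMessage a client normally sends,
# an anonymous simple BindRequest (messageID 1, version 3), BER-encoded.
LDAP_BIND_REQUEST = bytes.fromhex("300c020101600702010304008000")

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # fixed 12-byte PROXY v2 signature

def build_pp2_header(src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bytes:
    """PROXY protocol v2 header for TCP over IPv4, as a load balancer prepends it."""
    ver_cmd = 0x21    # high nibble: version 2; low nibble: command PROXY
    fam_proto = 0x11  # high nibble: AF_INET; low nibble: STREAM (TCP)
    addrs = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
             + struct.pack("!HH", src_port, dst_port))
    return PP2_SIGNATURE + struct.pack("!BBH", ver_cmd, fam_proto, len(addrs)) + addrs

def classify_first_bytes(data: bytes) -> str:
    """What a listener sees first: a PROXY v2 header, or a bare LDAP message."""
    if data.startswith(PP2_SIGNATURE):
        return "proxy-v2"
    if data[:1] == b"\x30":  # BER SEQUENCE tag: every LDAPMessage starts with it
        return "ldap-without-proxy-header"
    return "unknown"

def parse_pp2_header(data: bytes) -> Optional[dict]:
    """Decode a TCP/IPv4 PROXY v2 header; None if the bytes are not one."""
    if not data.startswith(PP2_SIGNATURE) or len(data) < 16:
        return None
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    body = data[16:16 + length]
    if ver_cmd >> 4 != 2 or fam_proto != 0x11 or len(body) < 12:
        return None
    src_port, dst_port = struct.unpack("!HH", body[8:12])
    return {
        "command": "PROXY" if ver_cmd & 0x0F == 1 else "LOCAL",
        "src": (socket.inet_ntoa(body[0:4]), src_port),
        "dst": (socket.inet_ntoa(body[4:8]), dst_port),
        "payload": data[16 + length:],  # the LDAP traffic that follows the header
    }

if __name__ == "__main__":
    hdr = build_pp2_header("192.0.2.10", 51234, "198.51.100.5", 389)  # constructed
    print(classify_first_bytes(hdr + LDAP_BIND_REQUEST))  # what HAProxy sends
    print(classify_first_bytes(LDAP_BIND_REQUEST))        # what a syncrepl peer sends
    print(parse_pp2_header(hdr + LDAP_BIND_REQUEST)["src"])
```

The second classification is the case from the post: a connection that starts with 0x30 instead of the signature is rejected by a pldap:// listener, which is why a separate ldap:// listener (or a provider URL pointing at one) is needed for peers that do not add the header.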