[389-users] Re: Setting Up 389 DS Nodes for HAProxy Behind F5 Load Balancers

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Simon,

I've added 8 different nsslapd-haproxy-trusted-ip entries to all the nodes in my dev cluster (each being a potential upstream loadbalancer/snat pool node - trying to provide for the different envs the nodes might end up being deployed to in actual use), but after restarting dirsrv.target, most of them get removed somehow.  The entries that remain seem to be the loadbalancer nodes healthchecking the dirsrv node.  Does this behaviour sound right to you?

eg:

# ldapsearch -H ldap://localhost  -x -D "cn=Directory Manager" -W -b "cn=config" -s base -a always "(objectClass=*)" nsslapd-haproxy-trusted-ip -LLL
Enter LDAP Password:
dn: cn=config
nsslapd-haproxy-trusted-ip: 10.x.x.1
nsslapd-haproxy-trusted-ip: 10.x.x.2
nsslapd-haproxy-trusted-ip: 10.x.x.3
nsslapd-haproxy-trusted-ip: 10.x.x.14
nsslapd-haproxy-trusted-ip: 10.x.x.11
nsslapd-haproxy-trusted-ip: 10.x.x.15
nsslapd-haproxy-trusted-ip: 10.x.x.13
nsslapd-haproxy-trusted-ip: 10.x.x.12

[root@eldap-s-van-01 log] 16:02:07
# systemctl restart dirsrv.target
[root@eldap-s-van-01 log] 16:02:31
# ldapsearch -H ldap://localhost  -x -D "cn=Directory Manager" -W -b "cn=config" -s base -a always "(objectClass=*)" nsslapd-haproxy-trusted-ip -LLL
Enter LDAP Password:
dn: cn=config
nsslapd-haproxy-trusted-ip: 10.19.170.13
nsslapd-haproxy-trusted-ip: 10.19.170.14

Thanks,
Trev

On Sat, 9 Nov 2024 at 15:57, Trevor Fong <tjfong@xxxxxxxxx> wrote:
Hi Simon,

Thanks for the answer - dsconf worked for me. 
I was trying to add new values of nsslapd-haproxy-trusted-ip using Apache Directory Studio.  It seemed to be behaving idiosyncratically and it didn't seem to be adding them, but rather overwriting the previous value.  But doing an ldapsearch thereafter showed that it was actually being added as a multi-valued attribute, with multiple entries of nsslapd-haproxy-trusted-ip.  I guess ADS works a little funkily for nsslapd-haproxy-trusted-ip?
Going forward, I'll use dsconf to manage this attribute.

Thanks,
Trev

On Sat, 9 Nov 2024 at 08:29, Simon Pichugin <spichugi@xxxxxxxxxx> wrote:
Hi Trevor,
The easiest way will be to use the dsconf command and run the dsconf add a few times (and do separate delete commands if needed).

  dsconf instance config add nsslapd-haproxy-trusted-ip=192.168.0.1 
  dsconf instance config add nsslapd-haproxy-trusted-ip=192.168.0.2
  dsconf instance config add nsslapd-haproxy-trusted-ip=192.168.0.3
  dsconf instance config delete nsslapd-haproxy-trusted-ip=192.168.0.2 
  dsconf instance config add nsslapd-haproxy-trusted-ip=192.168.0.4

Another way will be to use ldapmodify command and do the modification in the same LDAP transaction:

  dn: cn=config
  changetype: modify
  add: nsslapd-haproxy-trusted-ip
  nsslapd-haproxy-trusted-ip: 192.168.0.1 
  -
  add: nsslapd-haproxy-trusted-ip
  nsslapd-haproxy-trusted-ip: 192.168.0.2
  -
  add: nsslapd-haproxy-trusted-ip
  nsslapd-haproxy-trusted-ip: 192.168.0.3

Sorry if it's a bit inconvenient. We have plans to improve the cn=config handling logic for multivalued attributes.

Regards,
Simon
 

On Fri, Nov 8, 2024 at 3:43 PM Trevor Fong via 389-users <389-users@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
Hi There,

I'm trying to set up 389 DS nodes (2.4.5) for to use the Proxy protocol for HAProxy load-balancing behind F5 load-balancers.  


The Red Hat docs say "the nsslapd-haproxy-trusted-ip attribute configures the list of trusted proxy servers."  I have at least 5 IP's I would need the 389 DS nodes to trust, but nsslapd-haproxy-trusted-ip does not want to accept a CIDR nor does it seem to accept multiple values.  It also doesn't want to accept a comma delimited list of IP's.  

Does anyone know the correct syntax/setup for multiple HAProxy trusted IP's?
Are there any further docs available?

Thanks,
Trev
--
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
-- 
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux