Hi There,
I'm trying to set up 389 DS nodes (2.4.5) to use the Proxy protocol for HAProxy load balancing behind F5 load balancers.
I've been following https://www.port389.org/docs/389ds/howto/howto-test-haproxy-ldaps.html and https://docs.redhat.com/en/documentation/red_hat_directory_server/12/html/co... .
The Red Hat docs say "the nsslapd-haproxy-trusted-ip attribute configures the list of trusted proxy servers." I have at least 5 IPs I would need the 389 DS nodes to trust, but nsslapd-haproxy-trusted-ip does not want to accept a CIDR, nor does it seem to accept multiple values. It also doesn't want to accept a comma-delimited list of IPs.
Does anyone know the correct syntax/setup for multiple HAProxy trusted IPs? Are there any further docs available?
Thanks, Trev
Hi Trevor,
The easiest way will be to use the dsconf command and run dsconf add a few times (and do separate delete commands if needed):

dsconf instance config add nsslapd-haproxy-trusted-ip=192.168.0.1
dsconf instance config add nsslapd-haproxy-trusted-ip=192.168.0.2
dsconf instance config add nsslapd-haproxy-trusted-ip=192.168.0.3
dsconf instance config delete nsslapd-haproxy-trusted-ip=192.168.0.2
dsconf instance config add nsslapd-haproxy-trusted-ip=192.168.0.4
Another way will be to use the ldapmodify command and do the modification in the same LDAP transaction:

dn: cn=config
changetype: modify
add: nsslapd-haproxy-trusted-ip
nsslapd-haproxy-trusted-ip: 192.168.0.1
-
add: nsslapd-haproxy-trusted-ip
nsslapd-haproxy-trusted-ip: 192.168.0.2
-
add: nsslapd-haproxy-trusted-ip
nsslapd-haproxy-trusted-ip: 192.168.0.3
Sorry if it's a bit inconvenient. We have plans to improve the cn=config handling logic for multivalued attributes.
Regards, Simon
On Fri, Nov 8, 2024 at 3:43 PM Trevor Fong via 389-users <389-users@lists.fedoraproject.org> wrote:
[Quoted text identical to Trevor's original post above; omitted here.]
--
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Hi Simon,
Thanks for the answer - dsconf worked for me. I was trying to add new values of nsslapd-haproxy-trusted-ip using Apache Directory Studio. It seemed to be behaving idiosyncratically and it didn't seem to be adding them, but rather overwriting the previous value. But doing an ldapsearch thereafter showed that it was actually being added as a multi-valued attribute, with multiple entries of nsslapd-haproxy-trusted-ip. I guess ADS works a little funkily for nsslapd-haproxy-trusted-ip? Going forward, I'll use dsconf to manage this attribute.
Thanks, Trev
On Sat, 9 Nov 2024 at 08:29, Simon Pichugin <spichugi@redhat.com> wrote:
[Quoted text identical to Simon's reply above; omitted here.]
Hi Simon,
I've added 8 different nsslapd-haproxy-trusted-ip entries to all the nodes in my dev cluster (each being a potential upstream loadbalancer/snat pool node - trying to provide for the different envs the nodes might end up being deployed to in actual use), but after restarting dirsrv.target, most of them get removed somehow. The entries that remain seem to be the loadbalancer nodes healthchecking the dirsrv node. Does this behaviour sound right to you?
e.g.:

# ldapsearch -H ldap://localhost -x -D "cn=Directory Manager" -W -b "cn=config" -s base -a always "(objectClass=*)" nsslapd-haproxy-trusted-ip -LLL
Enter LDAP Password:
dn: cn=config
nsslapd-haproxy-trusted-ip: 10.x.x.1
nsslapd-haproxy-trusted-ip: 10.x.x.2
nsslapd-haproxy-trusted-ip: 10.x.x.3
nsslapd-haproxy-trusted-ip: 10.x.x.14
nsslapd-haproxy-trusted-ip: 10.x.x.11
nsslapd-haproxy-trusted-ip: 10.x.x.15
nsslapd-haproxy-trusted-ip: 10.x.x.13
nsslapd-haproxy-trusted-ip: 10.x.x.12

[root@eldap-s-van-01 log] 16:02:07 # systemctl restart dirsrv.target
[root@eldap-s-van-01 log] 16:02:31 # ldapsearch -H ldap://localhost -x -D "cn=Directory Manager" -W -b "cn=config" -s base -a always "(objectClass=*)" nsslapd-haproxy-trusted-ip -LLL
Enter LDAP Password:
dn: cn=config
nsslapd-haproxy-trusted-ip: 10.19.170.13
nsslapd-haproxy-trusted-ip: 10.19.170.14
Thanks, Trev
On Sat, 9 Nov 2024 at 15:57, Trevor Fong <tjfong@gmail.com> wrote:
[Quoted text identical to the earlier messages in this thread; omitted here.]
Hi Trevor,
Okay, I see... It's the multi-valued config bug, and it actually affected the `dsconf config add`.
So, as of now, you need to use the ldapmodify command and do the modification in the same LDAP transaction:

dn: cn=config
changetype: modify
add: nsslapd-haproxy-trusted-ip
nsslapd-haproxy-trusted-ip: 192.168.0.1
-
add: nsslapd-haproxy-trusted-ip
nsslapd-haproxy-trusted-ip: 192.168.0.2
-
add: nsslapd-haproxy-trusted-ip
nsslapd-haproxy-trusted-ip: 192.168.0.3
This way, it will persist after the restart. We'll be working on the fix in the meantime.
Regards, Simon
On Sat, Nov 9, 2024 at 4:04 PM Trevor Fong <tjfong@gmail.com> wrote:
[Quoted text identical to the earlier messages in this thread; omitted here.]
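As an added example (not code from 389 DS, the linked docs, or anyone in this thread), here is a stdlib-only Python script that builds the multi-add LDIF Simon describes, rejecting the CIDR and comma-list forms the attribute will not take, and compares two ldapsearch -LLL snapshots taken before and after a dirsrv restart to list the trusted IPs that did not persist. The sample ldapsearch output is constructed with RFC 5737 documentation addresses.

```python
import ipaddress

ATTR = "nsslapd-haproxy-trusted-ip"


def build_trusted_ip_ldif(ips):
    """One modify LDIF for cn=config with a separate 'add' per address.

    The attribute takes exactly one IP per value (no CIDR, no comma lists), so
    each address is validated as a single host before anything reaches ldapmodify.
    """
    lines = ["dn: cn=config", "changetype: modify"]
    for i, raw in enumerate(ips):
        addr = ipaddress.ip_address(raw.strip())  # ValueError on "10.0.0.0/24" or "a,b"
        if i:
            lines.append("-")  # separator between the individual modify operations
        lines += [f"add: {ATTR}", f"{ATTR}: {addr}"]
    return "\n".join(lines) + "\n"


def trusted_ips(ldapsearch_output):
    """Trusted-IP values in `ldapsearch -LLL ... nsslapd-haproxy-trusted-ip` output."""
    prefix = ATTR + ": "
    return {ln[len(prefix):].strip() for ln in ldapsearch_output.splitlines()
            if ln.startswith(prefix)}


def lost_after_restart(before, after):
    """Addresses present before the restart but missing afterwards.

    Every trusted IP may assert any client source address via the PROXY header,
    so the persisted list must match what was intended; a non-empty result means
    the running config and the on-disk config diverged, as seen in the thread.
    """
    return sorted(trusted_ips(before) - trusted_ips(after))


# Constructed sample output (RFC 5737 documentation addresses), not a real capture.
BEFORE = """dn: cn=config
nsslapd-haproxy-trusted-ip: 192.0.2.1
nsslapd-haproxy-trusted-ip: 192.0.2.2
nsslapd-haproxy-trusted-ip: 198.51.100.7
"""
AFTER = """dn: cn=config
nsslapd-haproxy-trusted-ip: 198.51.100.7
"""

if __name__ == "__main__":
    print(build_trusted_ip_ldif(["192.0.2.1", "192.0.2.2", "198.51.100.7"]))
    print("dropped by restart:", lost_after_restart(BEFORE, AFTER))
```

Feed the generated LDIF to `ldapmodify -D "cn=Directory Manager" -W -H ldap://localhost`, then capture the same ldapsearch before and after `systemctl restart dirsrv.target` and pass both captures to lost_after_restart.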