Apache Lounge
Topic: balancer config
sailor



Joined: 17 Apr 2015
Posts: 47
Location: US

Posted: Wed 26 May '21 16:53    Post subject: balancer config

I'm trying to set up an Apache balancer with an LDAP.

Listen *:490

<Proxy balancer://mycluster>
BalancerMember ldap://ldap.mycompany.com:490 retry=30
</Proxy>

ProxyPass / balancer://mycluster/

ProxyPreserveHost On

ProxyPassReverse / ldap://ldap.mycompany.com:490


I can telnet to 490 ok. I can ping ldap.mycompany.com ok.

I know I have my Softerra LDAP Browser set up OK, as I can connect to the regular IP OK. But LDAP Browser reports a COM error. Detail: "error loading RootDSE entry from ldap.mycompany.com:490."

490 is the non-SSL port for our LDAP, as 389 is used by another LDAP instance.
tangent



Joined: 16 Aug 2020
Posts: 99
Location: UK

Posted: Thu 27 May '21 21:31

I don't believe Apache currently supports proxying for LDAP.

If you look at https://httpd.apache.org/docs/current/mod/mod_proxy.html it says to provide proxy services you need:

1) mod_proxy, which provides basic proxy capabilities
2) mod_proxy_balancer and one or more balancer modules if load balancing is required
3) one or more proxy scheme, or protocol, modules:

Unfortunately, so far no one has produced a mod_proxy_ldap module for Apache, to service the LDAP protocol.

Because of LDAP bind requirements, any LDAP proxy service must provide session stickiness based on TCP connection details (there are no HTTP headers / cookies available with LDAP).

Any number of commercial load balancer appliances support LDAP, e.g. F5, Incapsula, and there are equally other software alternatives such as HAProxy (and dare I say Nginx), which purportedly can load balance LDAP.
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6966
Location: Germany, Next to Hamburg

Posted: Fri 28 May '21 10:03

mod_ldap[1] "might" be able to.

From using it for auth with mod_authnz_ldap in Apache, I know that you have to add a "dc=example,dc=com?uid?one" to the LDAP URL. It might be worth trying it.

I have no ldap server to test this.




[1] http://httpd.apache.org/docs/current/mod/mod_ldap.html
sailor



Joined: 17 Apr 2015
Posts: 47
Location: US

Posted: Fri 28 May '21 15:12

This shows how to use it for HTTP auth though:

https://gist.github.com/alivesay/b81cd86457a1590e0cfd49725494056c

I tried nginx and it seems to work:

stream {
    upstream ldap {
        # LDAPS terminates here
        server myldap1.com:390;
        server myldap2.com:390;
        server myldap3.com:390;
        server myldap4.com:390;
    }

    server {
        listen 390;
        proxy_pass ldap;
        proxy_timeout 3s;
        proxy_connect_timeout 1s;
    }
}

Just wish I had better visibility with their free version. The other thing would be how to set up a second LB in case the one is down during a reboot.
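A quick way to check whether a TCP-level balancer such as the nginx stream block above is actually passing LDAP (the original error was a failed RootDSE load), added here as an example and not code from anyone in the thread: it performs an anonymous LDAPv3 bind and a RootDSE search over a raw socket, hand-encoding the BER so nothing beyond the standard library is needed. The host and port passed to probe() are assumed to be the balancer's listener.

```python
import socket

# Minimal BER (ASN.1) helpers: LDAP messages are plain BER TLVs. The requests
# below are tiny, so the encoder only needs short-form (< 128 byte) lengths.
def tlv(tag, content):
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

def integer(n, tag=0x02):  # INTEGER, or ENUMERATED when tag=0x0A
    return tlv(tag, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))

def bind_request(msg_id):
    # Anonymous simple bind: LDAPv3, empty DN, empty password ([0] simple)
    return tlv(0x30, integer(msg_id) + tlv(0x60, integer(3) + tlv(0x04, b"") + tlv(0x80, b"")))

def rootdse_request(msg_id):
    # SearchRequest: base "", scope baseObject(0), derefAliases never(0), sizeLimit 0,
    # timeLimit 0, typesOnly FALSE, filter (objectClass=*), attribute namingContexts
    filt = tlv(0x87, b"objectClass")  # [7] present
    op = tlv(0x63, tlv(0x04, b"") + integer(0, 0x0A) + integer(0, 0x0A) + integer(0)
             + integer(0) + tlv(0x01, b"\x00") + filt + tlv(0x30, tlv(0x04, b"namingContexts")))
    return tlv(0x30, integer(msg_id) + op)

def parse_tlv(buf, pos=0):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length: replies such as the RootDSE can exceed 127 bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def parse_bind_response(data):
    # Returns (messageID, resultCode, diagnosticMessage); resultCode 0 means success
    _, body, _ = parse_tlv(data)
    _, mid, pos = parse_tlv(body)
    op_tag, op, _ = parse_tlv(body, pos)
    if op_tag != 0x61:
        raise ValueError("not a BindResponse, tag 0x%02x" % op_tag)
    _, code, pos = parse_tlv(op)
    _, _matched_dn, pos = parse_tlv(op, pos)
    _, diag, _ = parse_tlv(op, pos)
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode("utf-8", "replace")

def probe(host, port, timeout=5):
    # Bind through the balancer, then ask for the RootDSE; returns (code, diag, raw search reply)
    with socket.create_connection((host, port), timeout) as s:
        s.sendall(bind_request(1))
        _, code, diag = parse_bind_response(s.recv(4096))
        if code != 0:
            return code, diag, b""
        s.sendall(rootdse_request(2))
        return code, diag, s.recv(65536)
```

If the bind result is 0 but the search reply is empty or the connection resets, the balancer is forwarding TCP but the backend is not answering as LDAP on that port; a non-zero bind result (e.g. 49 invalidCredentials, 53 unwillingToPerform) means a real LDAP server is on the other end.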