******************************************** Use HAProxy and OpenLDAP with proxy protocol ******************************************** `HAProxy `_ is a famous TCP/HTTP proxy and balancer that can be used in front of OpenLDAP for high availability purpose. One of the caveats of this setup is that the IP address written in OpenLDAP logs is the one of the HAProxy server, and not the one of the LDAP client. But since OpenLDAP 2.5, you can enable the proxy protocol (``pldap://`` and ``pldaps://``) and get the real IP in OpenLDAP logs. Proxy protocol in OpenLDAP ========================== OpenLDAP must listen on additional ports for LDAP and LDAPS with proxy protocol enabled. With OpenLDAP LTB packages, just configure ``slapd-cli``: .. code-block:: console vi /usr/local/openldap/etc/openldap/slapd-cli.conf .. code-block:: bash PIP="*" PPORT="8389" PSSLIP="*" PSSLPORT="8636" SLAPD_SERVICES="ldap://$IP:$PORT ldaps://$SSLIP:$SSLPORT ldapi://$LDAPI_SOCKETURL pldap://$PIP:$PPORT pldaps://$PSSLIP:$PSSLPORT" Then restart OpenLDAP: .. code-block:: console slapd-cli restart Proxy protocol in HAProxy ========================= A standard HAProxy configuration as OpenLDAP loadbalancer should be like: .. code-block:: unixconfig frontend openldap bind *:389 default_backend openldap_servers backend openldap_servers balance roundrobin server openldap1 openldap1:389 check server openldap2 openldap2:389 check frontend openldap_ssl bind *:636 default_backend openldap_servers_ssl backend openldap_servers_ssl balance roundrobin server openldap1 openldap1:636 check check-ssl ca-file /etc/ssl/certs/CA.crt server openldap2 openldap2:636 check check-ssl ca-file /etc/ssl/certs/CA.crt The only change needed is to send the proxy v2 protocol to backend servers (``send-proxy-v2``) and use the corresponding proxy ports (``8369`` and ``8636``): .. code-block:: unixconfig frontend openldap bind *:389 default_backend openldap_servers backend openldap_servers balance roundrobin server openldap1 openldap1:8389 check send-proxy-v2 server openldap2 openldap2:8389 check send-proxy-v2 frontend openldap_ssl bind *:636 default_backend openldap_servers_ssl backend openldap_servers_ssl balance roundrobin server openldap1 openldap1:8636 check send-proxy-v2 check-ssl ca-file /etc/ssl/certs/CA.crt server openldap2 openldap2:8636 check send-proxy-v2 check-ssl ca-file /etc/ssl/certs/CA.crt Restart HAProxy: .. code-block:: console systemctl restart haproxy Logs ==== Now in OpenLDAP logs, you should see the real client IP: .. code-block:: console proxyp(17): via IP=10.10.10.10:12345 conn=1000 fd=17 ACCEPT from IP=192.168.1.1:23456 (IP=0.0.0.0:8389) conn=1000 op=0 BIND dn="" method=128 conn=1000 op=0 RESULT tag=97 err=0 qtime=0.000034 etime=0.000150 text= conn=1000 fd=17 closed