Thursday, November 14, 2024

[389-users] Re: Setting Up 389 DS Nodes for HAProxy Behind F5 Load Balancers

Hi Trevor,
Okay, I see... It's the multi-valued config bug, and it actually affected the `dsconf config add`.

So, as of now, you need to use ldapmodify command and do the modification in the same LDAP transaction:

  dn: cn=config
  changetype: modify
  add: nsslapd-haproxy-trusted-ip
  nsslapd-haproxy-trusted-ip: 192.168.0.1 
  -
  add: nsslapd-haproxy-trusted-ip
  nsslapd-haproxy-trusted-ip: 192.168.0.2
  -
  add: nsslapd-haproxy-trusted-ip
  nsslapd-haproxy-trusted-ip: 192.168.0.3

This way, it will persist after the restart.
We'll be working on the fix in the meantime.

Regards,
Simon

On Sat, Nov 9, 2024 at 4:04 PM Trevor Fong <tjfong@gmail.com> wrote:
Hi Simon,

I've added 8 different nsslapd-haproxy-trusted-ip entries to all the nodes in my dev cluster (each being a potential upstream loadbalancer/snat pool node - trying to provide for the different envs the nodes might end up being deployed to in actual use), but after restarting dirsrv.target, most of them get removed somehow.  The entries that remain seem to be the loadbalancer nodes healthchecking the dirsrv node.  Does this behaviour sound right to you?

eg:

# ldapsearch -H ldap://localhost  -x -D "cn=Directory Manager" -W -b "cn=config" -s base -a always "(objectClass=*)" nsslapd-haproxy-trusted-ip -LLL
Enter LDAP Password:
dn: cn=config
nsslapd-haproxy-trusted-ip: 10.x.x.1
nsslapd-haproxy-trusted-ip: 10.x.x.2
nsslapd-haproxy-trusted-ip: 10.x.x.3
nsslapd-haproxy-trusted-ip: 10.x.x.14
nsslapd-haproxy-trusted-ip: 10.x.x.11
nsslapd-haproxy-trusted-ip: 10.x.x.15
nsslapd-haproxy-trusted-ip: 10.x.x.13
nsslapd-haproxy-trusted-ip: 10.x.x.12

[root@eldap-s-van-01 log] 16:02:07
# systemctl restart dirsrv.target
[root@eldap-s-van-01 log] 16:02:31
# ldapsearch -H ldap://localhost  -x -D "cn=Directory Manager" -W -b "cn=config" -s base -a always "(objectClass=*)" nsslapd-haproxy-trusted-ip -LLL
Enter LDAP Password:
dn: cn=config
nsslapd-haproxy-trusted-ip: 10.19.170.13
nsslapd-haproxy-trusted-ip: 10.19.170.14

Thanks,
Trev

On Sat, 9 Nov 2024 at 15:57, Trevor Fong <tjfong@gmail.com> wrote:
Hi Simon,

Thanks for the answer - dsconf worked for me. 
I was trying to add new values of nsslapd-haproxy-trusted-ip using Apache Directory Studio.  It seemed to be behaving idiosyncratically and it didn't seem to be adding them, but rather overwriting the previous value.  But doing an ldapsearch thereafter showed that it was actually being added as a multi-valued attribute, with multiple entries of nsslapd-haproxy-trusted-ip.  I guess ADS works a little funkily for nsslapd-haproxy-trusted-ip?
Going forward, I'll use dsconf to manage this attribute.

Thanks,
Trev

On Sat, 9 Nov 2024 at 08:29, Simon Pichugin <spichugi@redhat.com> wrote:
Hi Trevor,
The easiest way will be to use the dsconf command and run the dsconf add a few times (and do separate delete commands if needed).

  dsconf instance config add nsslapd-haproxy-trusted-ip=192.168.0.1 
  dsconf instance config add nsslapd-haproxy-trusted-ip=192.168.0.2
  dsconf instance config add nsslapd-haproxy-trusted-ip=192.168.0.3
  dsconf instance config delete nsslapd-haproxy-trusted-ip=192.168.0.2 
  dsconf instance config add nsslapd-haproxy-trusted-ip=192.168.0.4

Another way will be to use ldapmodify command and do the modification in the same LDAP transaction:

  dn: cn=config
  changetype: modify
  add: nsslapd-haproxy-trusted-ip
  nsslapd-haproxy-trusted-ip: 192.168.0.1 
  -
  add: nsslapd-haproxy-trusted-ip
  nsslapd-haproxy-trusted-ip: 192.168.0.2
  -
  add: nsslapd-haproxy-trusted-ip
  nsslapd-haproxy-trusted-ip: 192.168.0.3

Sorry if it's a bit inconvenient. We have plans to improve the cn=config handling logic for multivalued attributes.

Regards,
Simon
 

On Fri, Nov 8, 2024 at 3:43 PM Trevor Fong via 389-users <389-users@lists.fedoraproject.org> wrote:
Hi There,

I'm trying to set up 389 DS nodes (2.4.5) for to use the Proxy protocol for HAProxy load-balancing behind F5 load-balancers.  


The Red Hat docs say "the nsslapd-haproxy-trusted-ip attribute configures the list of trusted proxy servers."  I have at least 5 IP's I would need the 389 DS nodes to trust, but nsslapd-haproxy-trusted-ip does not want to accept a CIDR nor does it seem to accept multiple values.  It also doesn't want to accept a comma delimited list of IP's.  

Does anyone know the correct syntax/setup for multiple HAProxy trusted IP's?
Are there any further docs available?

Thanks,
Trev
--
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)