Hi Simon,
I've added 8 different nsslapd-haproxy-trusted-ip entries to all the nodes in my dev cluster (each being a potential upstream loadbalancer/snat pool node - trying to provide for the different envs the nodes might end up being deployed to in actual use), but after restarting dirsrv.target, most of them get removed somehow. The entries that remain seem to be the loadbalancer nodes healthchecking the dirsrv node. Does this behaviour sound right to you?
eg:
# ldapsearch -H ldap://localhost -x -D "cn=Directory Manager" -W -b "cn=config" -s base -a always "(objectClass=*)" nsslapd-haproxy-trusted-ip -LLL
Enter LDAP Password:
dn: cn=config
nsslapd-haproxy-trusted-ip: 10.x.x.1
nsslapd-haproxy-trusted-ip: 10.x.x.2
nsslapd-haproxy-trusted-ip: 10.x.x.3
nsslapd-haproxy-trusted-ip: 10.x.x.14
nsslapd-haproxy-trusted-ip: 10.x.x.11
nsslapd-haproxy-trusted-ip: 10.x.x.15
nsslapd-haproxy-trusted-ip: 10.x.x.13
nsslapd-haproxy-trusted-ip: 10.x.x.12
[root@eldap-s-van-01 log] 16:02:07
# systemctl restart dirsrv.target
[root@eldap-s-van-01 log] 16:02:31
# ldapsearch -H ldap://localhost -x -D "cn=Directory Manager" -W -b "cn=config" -s base -a always "(objectClass=*)" nsslapd-haproxy-trusted-ip -LLL
Enter LDAP Password:
dn: cn=config
nsslapd-haproxy-trusted-ip: 10.19.170.13
nsslapd-haproxy-trusted-ip: 10.19.170.14
eg:
# ldapsearch -H ldap://localhost -x -D "cn=Directory Manager" -W -b "cn=config" -s base -a always "(objectClass=*)" nsslapd-haproxy-trusted-ip -LLL
Enter LDAP Password:
dn: cn=config
nsslapd-haproxy-trusted-ip: 10.x.x.1
nsslapd-haproxy-trusted-ip: 10.x.x.2
nsslapd-haproxy-trusted-ip: 10.x.x.3
nsslapd-haproxy-trusted-ip: 10.x.x.14
nsslapd-haproxy-trusted-ip: 10.x.x.11
nsslapd-haproxy-trusted-ip: 10.x.x.15
nsslapd-haproxy-trusted-ip: 10.x.x.13
nsslapd-haproxy-trusted-ip: 10.x.x.12
[root@eldap-s-van-01 log] 16:02:07
# systemctl restart dirsrv.target
[root@eldap-s-van-01 log] 16:02:31
# ldapsearch -H ldap://localhost -x -D "cn=Directory Manager" -W -b "cn=config" -s base -a always "(objectClass=*)" nsslapd-haproxy-trusted-ip -LLL
Enter LDAP Password:
dn: cn=config
nsslapd-haproxy-trusted-ip: 10.19.170.13
nsslapd-haproxy-trusted-ip: 10.19.170.14
Thanks,
Trev
On Sat, 9 Nov 2024 at 15:57, Trevor Fong <tjfong@gmail.com> wrote:
Hi Simon,Thanks for the answer - dsconf worked for me.I was trying to add new values of nsslapd-haproxy-trusted-ip using Apache Directory Studio. It seemed to be behaving idiosyncratically and it didn't seem to be adding them, but rather overwriting the previous value. But doing an ldapsearch thereafter showed that it was actually being added as a multi-valued attribute, with multiple entries of nsslapd-haproxy-trusted-ip. I guess ADS works a little funkily for nsslapd-haproxy-trusted-ip?Going forward, I'll use dsconf to manage this attribute.Thanks,TrevOn Sat, 9 Nov 2024 at 08:29, Simon Pichugin <spichugi@redhat.com> wrote:Hi Trevor,The easiest way will be to use the dsconf command and run the dsconf add a few times (and do separate delete commands if needed).dsconf instance config add nsslapd-haproxy-trusted-ip=192.168.0.1dsconf instance config add nsslapd-haproxy-trusted-ip=192.168.0.2dsconf instance config add nsslapd-haproxy-trusted-ip=192.168.0.3dsconf instance config delete nsslapd-haproxy-trusted-ip=192.168.0.2dsconf instance config add nsslapd-haproxy-trusted-ip=192.168.0.4Another way will be to use ldapmodify command and do the modification in the same LDAP transaction:
dn: cn=configchangetype: modifyadd: nsslapd-haproxy-trusted-ipnsslapd-haproxy-trusted-ip: 192.168.0.1-add: nsslapd-haproxy-trusted-ipnsslapd-haproxy-trusted-ip: 192.168.0.2-add: nsslapd-haproxy-trusted-ipnsslapd-haproxy-trusted-ip: 192.168.0.3Sorry if it's a bit inconvenient. We have plans to improve the cn=config handling logic for multivalued attributes.Regards,SimonOn Fri, Nov 8, 2024 at 3:43 PM Trevor Fong via 389-users <389-users@lists.fedoraproject.org> wrote:Hi There,--I'm trying to set up 389 DS nodes (2.4.5) for to use the Proxy protocol for HAProxy load-balancing behind F5 load-balancers.I've been following
https://www.port389.org/docs/389ds/howto/howto-test-haproxy-ldaps.htmlThe Red Hat docs say "the nsslapd-haproxy-trusted-ip attribute configures the list of trusted proxy servers." I have at least 5 IP's I would need the 389 DS nodes to trust, but nsslapd-haproxy-trusted-ip does not want to accept a CIDR nor does it seem to accept multiple values. It also doesn't want to accept a comma delimited list of IP's.Does anyone know the correct syntax/setup for multiple HAProxy trusted IP's?Are there any further docs available?Thanks,Trev
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
No comments:
Post a Comment