I would like to ask whether there is an example of LDAP SSL termination with HAProxy (frontend on 636, backend on 389).
The haproxy configuration should look roughly like this:
- a haproxy frontend listening on port 636
- a haproxy backend that receives the decrypted traffic from the frontend
There are examples on the Internet for 389 -> 389 and 636 -> 636:
https://support.snapt.net/hc/en-us/community/posts/360004377189-Configuring-LDAP-haproxy-cfg
but I cannot find any example showing how to configure 636 -> 389 SSL termination for LDAP with HAProxy.
Below is the example that does not work in my environment:
frontend ldap-636
    # TLS is terminated here: HAProxy presents cert_haproxy.pem and hands the
    # decrypted stream to the backend. This works in "mode tcp"; the proxy does
    # not need to understand LDAP to do it.
    # The 3DES suites in this list are legacy; drop them unless an old client needs them.
    bind 172.16.94.12:636 ssl crt /vagrant/cert_haproxy.pem no-sslv3 no-tlsv10 ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    mode tcp
    option socket-stats
    option tcplog
    option tcpka
    # "timeout client" is a frontend setting; in a backend section HAProxy warns
    # that it is ignored, so it is moved here from the backend.
    timeout client 10s
    default_backend ldap-389-origin

backend ldap-389-origin
    mode tcp
    balance leastconn
    stick-table type ip size 200k expire 30m
    timeout connect 10s
    timeout server 12s
    option tcpka
    # No "ssl" keyword on the server line: plaintext LDAP (389) to the directory.
    server freeipa.yeskela.tk 172.16.94.11:389 check fall 3 rise 5 inter 5000
    # Active check: anonymous LDAPv3 simple bind, expect resultCode success(0),
    # then unbind. The hex lines together form one BER-encoded LDAPMessage.
    option tcp-check
    tcp-check connect port 389
    tcp-check send-binary 300c0201 # LDAP bind request "<ROOT>" simple
    tcp-check send-binary 01 # message ID
    tcp-check send-binary 6007 # protocol Op
    tcp-check send-binary 0201 # bind request
    tcp-check send-binary 03 # LDAP v3
    tcp-check send-binary 04008000 # name, simple authentication
    tcp-check expect binary 0a0100 # bind response + result code: success
    tcp-check send-binary 30050201034200 # unbind request
A proxy configured with frontend -> backend 389 -> 389 works fine, but as soon as I apply the snippet above, the ldapsearch request returns an error:
ldapsearch -h lb.yeskela.tk -p 636 -x -D "uid=admin,ou=people,o=ipaca" -W -b "" -s base
Enter LDAP Password:
ldap_result: Can't contact LDAP server (-1)
Thanks.
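As an added example that is not part of the original question or answer, the following Python script reproduces the bytes that the tcp-check lines above send as a structured LDAPv3 anonymous simple bind and unbind, parses a BindResponse the way the check's `expect binary 0a0100` does (a substring match on the response buffer), and classifies the first bytes a client sends. That last distinction is what the 636 frontend in the question depends on: a `bind ... ssl crt` listener expects a TLS ClientHello (record type 0x16) on port 636, while `ldapsearch -h lb.yeskela.tk -p 636` without `-H ldaps://` sends a plaintext LDAP message (BER SEQUENCE tag 0x30), so the TLS handshake fails, HAProxy closes the connection, and the client reports `Can't contact LDAP server (-1)`. The sample BindResponse bytes and the truncated ClientHello prefix are constructed here for illustration, not captured from the asker's environment; `ldapsearch -H ldaps://lb.yeskela.tk:636 -x -D "uid=admin,ou=people,o=ipaca" -W -b "" -s base` is the ldaps form of the command in the question.

```python
"""Added example (not from the original post): reproduce the LDAP bytes that the
HAProxy tcp-check in the question sends, parse BindResponse bytes the way
`tcp-check expect binary 0a0100` does, and classify what a client sends first.
All sample messages are constructed inline; nothing contacts a server."""
from __future__ import annotations

# --- minimal BER (short-form lengths only; LDAP health-check PDUs are tiny) ---

def ber(tag: int, payload: bytes) -> bytes:
    """Encode one TLV with a short-form (< 128) length."""
    if len(payload) >= 128:
        raise ValueError("long-form BER lengths not handled in this example")
    return bytes([tag, len(payload)]) + payload

def parse_ber(data: bytes, pos: int = 0) -> tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length = data[pos], data[pos + 1]
    if length & 0x80:
        raise ValueError("long-form BER lengths not handled in this example")
    start = pos + 2
    return tag, data[start:start + length], start + length

# --- LDAPv3 PDUs (RFC 4511) as the send-binary lines spell them out ---

def ldap_bind_request(msg_id: int = 1, version: int = 3,
                      name: bytes = b"", password: bytes = b"") -> bytes:
    """LDAPMessage{ messageID, BindRequest{ version, name, simple password } }.
    The defaults give the anonymous "<ROOT>" simple bind used by the health check."""
    bind = ber(0x60, ber(0x02, bytes([version])) + ber(0x04, name) + ber(0x80, password))
    return ber(0x30, ber(0x02, bytes([msg_id])) + bind)

def ldap_unbind_request(msg_id: int = 3) -> bytes:
    """UnbindRequest is [APPLICATION 2] NULL: tag 0x42 with a zero length."""
    return ber(0x30, ber(0x02, bytes([msg_id])) + b"\x42\x00")

def bind_result_code(response: bytes) -> int:
    """Walk LDAPMessage -> BindResponse [APPLICATION 1] -> resultCode ENUMERATED."""
    tag, body, _ = parse_ber(response)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, _, after_id = parse_ber(body)            # skip messageID
    op_tag, op, _ = parse_ber(body, after_id)
    if op_tag != 0x61:
        raise ValueError("not a BindResponse")
    rc_tag, rc, _ = parse_ber(op)
    if rc_tag != 0x0A:
        raise ValueError("resultCode ENUMERATED missing")
    return int.from_bytes(rc, "big")

def haproxy_expect_matches(response: bytes, hexstring: str) -> bool:
    """`tcp-check expect binary <hex>` passes when the hex bytes occur anywhere in
    the response buffer: a substring test, not a full-PDU comparison."""
    return bytes.fromhex(hexstring) in response

# --- what reaches the 636 bind first: a TLS record or bare LDAP? ---

def classify_first_bytes(data: bytes) -> str:
    """A TLS record starts 0x16 (handshake) 0x03 (major version); a plaintext LDAP
    message starts with the BER SEQUENCE tag 0x30. A `bind ... ssl crt` frontend
    only accepts the former."""
    if len(data) >= 2 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-client-hello"
    if data[:1] == b"\x30":
        return "ldap-plaintext"
    return "unknown"

# Constructed sample responses (hypothetical bytes, not captured from the asker's
# server): success(0) and invalidCredentials(49), empty matchedDN and errorMessage.
BIND_RESPONSE_SUCCESS = bytes.fromhex("300c02010161070a010004000400")
BIND_RESPONSE_INVALID_CREDENTIALS = bytes.fromhex("300c02010161070a013104000400")
# Constructed, truncated ClientHello: record version 0x0301 carrying a TLS 1.2 hello.
TLS_CLIENT_HELLO_PREFIX = bytes.fromhex("16030100a5010000a10303")

def main() -> None:
    print("bind   :", ldap_bind_request().hex())      # the send-binary lines, joined
    print("unbind :", ldap_unbind_request().hex())
    for label, resp in (("success", BIND_RESPONSE_SUCCESS),
                        ("invalidCredentials", BIND_RESPONSE_INVALID_CREDENTIALS)):
        print(f"{label}: resultCode={bind_result_code(resp)} "
              f"expect 0a0100 -> {haproxy_expect_matches(resp, '0a0100')}")
    print("ldapsearch -p 636 without ldaps:// sends:", classify_first_bytes(ldap_bind_request()))
    print("ldapsearch -H ldaps://... sends        :", classify_first_bytes(TLS_CLIENT_HELLO_PREFIX))

if __name__ == "__main__":
    main()
```

Running the script shows that the bind request assembled from fields is byte-for-byte the `300c0201 01 6007 0201 03 04008000` sequence of the health check, and that a bind rejected with invalidCredentials fails the `0a0100` expectation, which is why the check tolerates an anonymous bind but not a broken directory. The classifier makes the client-side point: the asker's `ldapsearch -p 636` produces the "ldap-plaintext" case, which a TLS-terminating listener cannot accept.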
The mode you are using is simple TCP pass-through; since TCP mode, unlike HTTP mode, is not protocol-aware, I don't think SSL offloading can be done the way you want.