Loading...

XML

Word

Printable

Type: Story
Resolution: Done-Errata
Priority: Major
Fix Version/s: rhel-8.10
Affects Version/s: rhel-7.4
Component/s: 389-ds-base
Labels:
- refined
- triage

Fixed in Build:
389-ds-1.4-8100020240116191029.945b6f6d
Epic Link:
IDMDS-2751

Pool Team:

rhel-sst-idm-ds
Sub-System Group:

ssg_idm

Dev Target Milestone:
20
Internal Target Milestone:
29
Story Points:
3
ACKs Check:

QE ack, Dev ack
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
Yes
Sprint:
None
Release Blocker:
Approved Exception

Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/125522
Test Coverage:

RegressionOnly

Release Note Type:
Feature
Release Note Text:

Hide
.The HAProxy protocol is now supported for the `389-ds-base` package

Previously, Directory Server did not differentiate incoming connections between proxy and non-proxy clients. With this update, you can use the new `nsslapd-haproxy-trusted-ip` multi-valued configuration attribute to configure the list of trusted proxy servers. When `nsslapd-haproxy-trusted-ip` is configured under the `cn=config` entry, Directory Server uses the HAProxy protocol to receive client IP addresses via an additional TCP header so that access control instructions (ACIs) can be correctly evaluated and client traffic can be logged.

If an untrusted proxy server initiates a bind request, Directory Server rejects the request and records the following message to the error log file:

[literal,subs="+quotes"]
....
[time_stamp] conn=5 op=-1 fd=64 Disconnect - Protocol error - Unknown Proxy - P4
....

// For more details, see link:https://access.redhat.com/documentation/en-us/red_hat_directory_server/12/html/configuration_and_schema_reference/assembly_core-server-configuration-attributes_config-schema-reference-title#nsslapd-haproxy-trusted-ip_assembly_cn-config[nsslapd-haproxy-trusted-ip]

Show
.The HAProxy protocol is now supported for the `389-ds-base` package Previously, Directory Server did not differentiate incoming connections between proxy and non-proxy clients. With this update, you can use the new `nsslapd-haproxy-trusted-ip` multi-valued configuration attribute to configure the list of trusted proxy servers. When `nsslapd-haproxy-trusted-ip` is configured under the `cn=config` entry, Directory Server uses the HAProxy protocol to receive client IP addresses via an additional TCP header so that access control instructions (ACIs) can be correctly evaluated and client traffic can be logged. If an untrusted proxy server initiates a bind request, Directory Server rejects the request and records the following message to the error log file: [literal,subs="+quotes"] .... [time_stamp] conn=5 op=-1 fd=64 Disconnect - Protocol error - Unknown Proxy - P4 .... // For more details, see link: https://access.redhat.com/documentation/en-us/red_hat_directory_server/12/html/configuration_and_schema_reference/assembly_core-server-configuration-attributes_config-schema-reference-title#nsslapd-haproxy-trusted-ip_assembly_cn-config [nsslapd-haproxy-trusted-ip]
Release Note Status:
Done

Experience:
Architecture:

All
Bugzilla Bug:
RHBZ: 1382123

PX Impact Score:
PX Priority Data:
PX Review Complete:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

Description of problem:

Please add support to 389-base for the PROXY protocol for ACI evaluation and also for logging client queries. The proxy protocol is described here:

http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt

Background:
As a network engineer, I can say that having a load balancer in path in your network is a bad idea. It is bad because it becomes part of the network and it becomes the weakest link. It limits the capacity of the network and becomes additional points of failure in the network. The ideal place for a load balancer is on the side, with the client traffic being network address translated to address ranges from SNAT pools, where the server recieving the traffic never directly sees the IP address of the client.

Loadbalancing out of path traffic to a group of ldap servers presents a semi-unique problem when ACIs must be evaluated against client IP address and also for client logging. The PROXY protocol provides provides this information to the backend servers via an additional TCP header so that the ACIs can be correctly evaluated and client traffic can be logged.

A great example of non-http software that is capable of using the additional tcp header is the Postfix MTA. There is an announcement here:

http://permalink.gmane.org/gmane.comp.web.haproxy/8881

Version-Release number of selected component (if applicable):

Thank you for your consideration.

clones

RHEL-5130 [RFE] Add PROXY protocol support to 389-ds-base via confiuration item - similar to Postfix [rhel-9.4.0]

Closed

links to

RHBA-2023:125522 389-ds:1.4 bug fix and enhancement update

Test Requirement (RHDS-14906)

mentioned on

Commit - Bump version to 1.4.3.39-1

Merge request - Bump version to 1.4.3.39-1

Assignee:: Simon Pichugin

Reporter:: Matthew Galgoci

QA Contact:: Barbora Simonova

Doc Contact:: Evgenia Martyniuk

Votes:: 0 Vote for this issue

Watchers:: 8 Start watching this issue

Created:: 2023/12/12 1:44 PM

Updated:: 2024/09/06 12:19 PM

Resolved:: 2024/05/22 9:40 AM

Dev Target end:: 2024/01/15

Target end:: 2024/03/18

Release Date:: 2024/05/22

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates