- Story
- Resolution: Done-Errata
- Major
- rhel-7.4
- 389-ds-base-2.4.5-5.el9_4
- rhel-sst-idm-ds
- ssg_idm
- QE ack, Dev ack
- 389DS Sprint 65
- Approved Exception
- Enhancement
- Done
Description of problem:
Please add support to 389-base for the PROXY protocol for ACI evaluation and also for logging client queries. The proxy protocol is described here:
http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt
Background:
As a network engineer, I can say that having a load balancer in path in your network is a bad idea. It is bad because it becomes part of the network and it becomes the weakest link. It limits the capacity of the network and becomes additional points of failure in the network. The ideal place for a load balancer is on the side, with the client traffic being network address translated to address ranges from SNAT pools, where the server receiving the traffic never directly sees the IP address of the client.
Load balancing out of path traffic to a group of LDAP servers presents a semi-unique problem when ACIs must be evaluated against client IP address and also for client logging. The PROXY protocol provides this information to the backend servers via an additional TCP header so that the ACIs can be correctly evaluated and client traffic can be logged.
A great example of non-HTTP software that is capable of using the additional TCP header is the Postfix MTA. There is an announcement here:
http://permalink.gmane.org/gmane.comp.web.haproxy/8881
Version-Release number of selected component (if applicable):
Thank you for your consideration.
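Added example, not part of the original request and not 389-ds-base code: a sketch of how a backend could recover the client address from a PROXY protocol v1 text header for ACI evaluation and logging, honouring the header only when the TCP peer is a known load balancer. The names `TRUSTED_PROXIES`, `parse_proxy_v1` and `effective_client`, and all addresses, are constructed for illustration; the binary v2 header is not handled.

```python
import ipaddress

# Constructed value: the load balancer SNAT range allowed to send PROXY headers.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/28")]
MAX_V1_LEN = 107  # longest v1 header allowed by the spec, CRLF included


def parse_proxy_v1(data):
    """Return (client_ip or None, remaining bytes); ValueError if malformed."""
    end = data.find(b"\r\n", 0, MAX_V1_LEN)
    if not data.startswith(b"PROXY ") or end == -1:
        raise ValueError("missing or oversized PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":
        # The proxy could not determine the client; the rest of the line is ignored.
        return None, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("unsupported PROXY v1 line")
    want = 4 if fields[1] == "TCP4" else 6
    src, dst = (ipaddress.ip_address(f) for f in fields[2:4])
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match " + fields[1])
    for port in fields[4:6]:
        if not port.isdigit() or int(port) > 65535:
            raise ValueError("bad port")
    return src, rest


def effective_client(peer_ip, first_bytes):
    """Pick the address that ACI evaluation and access logging should use."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        # A header from an unknown peer is a spoofing attempt, not client data.
        if first_bytes.startswith(b"PROXY "):
            raise PermissionError("PROXY header from untrusted peer " + peer_ip)
        return peer, first_bytes
    # A trusted proxy must always send the header, so a missing one is an error.
    src, rest = parse_proxy_v1(first_bytes)
    return (src if src is not None else peer), rest
```

The trust check matters as much as the parser: if any peer may send the header, any client can choose the address its ACIs are evaluated against.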
- is cloned by: RHEL-19240 [RFE] Add PROXY protocol support to 389-ds-base via configuration item - similar to Postfix [rhel-8.10.0] (Closed)
- links to: RHBA-2023:125074 389-ds-base update