On 12/22/2020 2:19 AM, Ondřej Kuzník wrote:
Thanks so much for working on this and sorry haven't had much time to
give it a proper look yet. Will test a bit and review the load balancer
side properly in the new year. A brief look found only some formatting
(whitespace) inconsistencies so far.
On Mon, Dec 21, 2020 at 08:41:26PM -0800, Paul B. Henson wrote:
> Haven't heard anything on my pull request since my last update:
>
> https://git.openldap.org/openldap/openldap/-/merge_requests/209
>
> Just wanted to touch base and see if there was anything else in need of
> fixing/changing
Haven't heard anything on my pull request since my last update:
https://git.openldap.org/openldap/openldap/-/merge_requests/209
Just wanted to touch base and see if there was anything else in need of
fixing/changing with it.
Thanks...
On Sat, Dec 05, 2020 at 02:44:12PM -0800, Quanah Gibson-Mount wrote:
> Also looks like I need to make further edits to the devel page on
> submissions, since this info is at the very bottom, and outdated info
> precedes it.
Ah, yah; I just saw the part about submitting patches in git
format-pat
--On Saturday, December 5, 2020 2:40 PM -0800 Quanah Gibson-Mount
wrote:
I'd like to backport this to OPENLDAP_REL_ENG_2_4 if/when it's accepted,
hopefully that will be ok.
Also looks like I need to make further edits to the devel page on
submissions, since this info is at the very bot
--On Friday, December 4, 2020 5:08 PM -0800 "Paul B. Henson"
wrote:
I've attached my first pass at adding proxy protocol support to slapd. I
haven't updated any documentation/man pages yet, I'll start taking a
look at that while you all eviscerate my code and let me know what needs
to be f
I've attached my first pass at adding proxy protocol support to slapd. I
haven't updated any documentation/man pages yet, I'll start taking a
look at that while you all eviscerate my code and let me know what needs
to be fixed before merging :).
I'd like to backport this to OPENLDAP_REL_ENG_2_4 if
20.11.2020, 23:11, "Paul B. Henson":
On 11/20/2020 4:52 AM, Howard Chu wrote:
client and the proxy server. But nobody says the proxy server can't
talk to the backend server using its own TLS session. Unless you can
point out anywhere in the HAproxy spec that explicitly forbids this.
Eee I
On 11/20/2020 4:52 AM, Howard Chu wrote:
client and the proxy server. But nobody says the proxy server can't
talk to the backend server using its own TLS session. Unless you can
point out anywhere in the HAproxy spec that explicitly forbids this.
Eee I don't think it explicitly forbids
On 11/20/20 1:52 PM, Howard Chu wrote:
> Paul B. Henson wrote:
>> On 11/19/2020 1:37 PM, Howard Chu wrote:
>>
>>> This would require that you actually read and process the proxy header
>>> immediately after the accept call. It strikes me that this is the wrong
>>> thing to do, if you also want to s
Paul B. Henson wrote:
> On 11/19/2020 1:37 PM, Howard Chu wrote:
>
>> This would require that you actually read and process the proxy header
>> immediately after the accept call. It strikes me that this is the wrong
>> thing to do, if you also want to support TLS.
>
> Unless I'm misunderstanding
On 11/19/2020 1:37 PM, Howard Chu wrote:
This would require that you actually read and process the proxy header
immediately after the accept call. It strikes me that this is the wrong
thing to do, if you also want to support TLS.
Unless I'm misunderstanding the specification, that is the only
Paul B. Henson wrote:
> On 11/19/2020 10:02 AM, Howard Chu wrote:
>
>>> 1. Config directives for specifying IP address(es) and network(s) expected
>>> and trusted to send proxy protocol header.
>>
>> Sounds like unnecessary work. Just use an ACL.
>
> I don't think an ldap level ACL would work fo
On 11/19/20 5:04 PM, Howard Chu wrote:
> Paul B. Henson wrote:
>> In general, I believe applications listening on a specific port are either
>> expecting the proxy protocol header, or not, I do not think it is dynamically
>> determined. As such, from an implementation perspective, my initial thoug
On 11/19/2020 10:02 AM, Howard Chu wrote:
1. Config directives for specifying IP address(es) and network(s)
expected and trusted to send proxy protocol header.
Sounds like unnecessary work. Just use an ACL.
I don't think an ldap level ACL would work for what he means? I think he
wants to con
On 11/19/2020 12:55 AM, Michael Ströder wrote:
Aaargh! I've missed the binary header part. So forget my former comments.
Version 1 of the protocol is ASCII, version 2 is binary. However, in
both cases the proxy protocol data is removed and processed before the
connection is handed down to th
On 11/19/2020 8:04 AM, Howard Chu wrote:
Yeah, that agrees with my read of the document. I think "ldapp://" and
"ldapsp://" would be usable.
Cool.
Doesn't seem too problematic. I would only support the version 2 (binary)
header, seems silly to implement the version 1 support for such an old
Michael Ströder wrote:
> On 11/19/20 5:04 PM, Howard Chu wrote:
>> Paul B. Henson wrote:
>>> In general, I believe applications listening on a specific port are either
>>> expecting the proxy protocol header, or not, I do not think it is dynamically
>>> determined. As such, from an implementa
Paul B. Henson wrote:
> We currently run our openLDAP service on our campus behind an F5 load
> balancer which preserves the IP address of the connecting client through to
> the backend servers, which we rely on for a small amount of IP address based
> authorization differentiating between on-
On 11/19/20 9:52 AM, Michael Ströder wrote:
> On 11/19/20 2:49 AM, Paul B. Henson wrote:
>> Amazon's solution for that is to support HAProxy's proxy protocol in
>> their load balancer:
>>
>> https://www.haproxy.com/blog/haproxy/proxy-protocol/
>>
>> Basically, this is an in band signaling mecha
On 11/19/20 2:49 AM, Paul B. Henson wrote:
> Amazon's solution for that is to support HAProxy's proxy protocol in
> their load balancer:
>
> https://www.haproxy.com/blog/haproxy/proxy-protocol/
>
> Basically, this is an in band signaling mechanism that inserts an
> additional header in the in
We currently run our openLDAP service on our campus behind an F5 load
balancer which preserves the IP address of the connecting client through
to the backend servers, which we rely on for a small amount of IP
address based authorization differentiating between on-campus and
off-campus access.
22 matches