guacamole-user mailing list archives

From pburdine <pburd...@gmail.com>
Subject Re: multiple ldap server in guacamole
Date Sat, 29 Apr 2017 20:01:01 GMT
The solution to this is to use an instance of haproxy in front of your
ldap(s)/AD servers.  Here is an example config that works for me against an
AD server with ldaps (starttls), adjust your servers as required:

global
  log           /dev/log local6
  pidfile       /var/run/haproxy.pid
  chroot        /var/lib/haproxy
  maxconn       8192
  user          haproxy
  group         haproxy
  daemon
  stats socket /var/lib/haproxy/stats.socket mode 660 level admin
  # Default SSL material locations
  ca-base /etc/ssl/certs
  crt-base /etc/ssl/private

# LDAP and LDAP/STARTTLS
frontend ldap_service_front
  mode                  tcp
  log                   global
  # Edit this line to bind to your local address (eg 127.0.0.1 or public one)
  bind                  local_bind_address:port
  description           LDAP Service
  option                tcplog
  option                logasap
  option                socket-stats
  option                tcpka
  timeout client        5s
  default_backend       ldap_service_back

backend ldap_service_back
  server                ldap1 ldap1.domain.local:389 check fall 1 rise 1 inter 2s  # Add first server
  server                ldap2 ldap2.domain.local:389 check fall 1 rise 1 inter 2s  # Add second server, third, etc
  mode                  tcp
  balance               leastconn
  timeout server        2s
  timeout connect       1s
  option                tcpka
  # https://www.mail-archive.com/haproxy@formilux.org/msg17371.html
  option                tcp-check
  tcp-check             connect port 389
  tcp-check             send-binary 300c0201            # LDAP bind request "<ROOT>" simple
  tcp-check             send-binary 01                  # message ID
  tcp-check             send-binary 6007                # protocol Op
  tcp-check             send-binary 0201                # bind request
  tcp-check             send-binary 03                  # LDAP v3
  tcp-check             send-binary 04008000            # name, simple authentication
  tcp-check             expect binary 0a0100            # bind response + result code: success
  tcp-check             send-binary 30050201034200      # unbind request

References
https://www.reddit.com/r/sysadmin/comments/46c1im/issue_configuring_haproxy_frontend_to_active/
http://ypbind.de/maus/ldap_ha_loadbalancing.html
https://www.haproxy.com/doc/aloha/7.0/haproxy/tls.html
https://gist.github.com/kevin39/3db2cb05e79fb752c80d

--
View this message in context: http://apache-guacamole-incubating-users.2363388.n4.nabble.com/multiple-ldap-server-in-guacamole-tp851p886.html
Sent from the Apache Guacamole (incubating) - Users mailing list archive at Nabble.com.
