
HAProxy Configuration for AD (Active Directory) Servers

Quick configuration to proxy AD (LDAP) requests through another server. Set the following on the proxy server. Note that the frontend listens on port 443 while the backend talks to the domain controller on port 389. HAProxy runs in tcp mode here, so the listener on 443 carries plain LDAP, not LDAPS, and a simple bind through it still sends the password in cleartext on the wire.

# vi /etc/haproxy18/haproxy.cfg
global
    # log needs a target address before the facility; /dev/log as in the backend below
    log         /dev/log local0 debug
    stats       socket /var/run/haproxy.sock mode 0600 level admin
    # stats     socket /var/lib/haproxy/stats
    maxconn     4000
    user        haproxy
    group       haproxy

defaults
    mode                    tcp
    log                     global
    option                  dontlognull
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000

frontend ldap-ad-front
    log                         /dev/log local0 debug
    bind                        terra01:443
    mode                        tcp
    option                      tcplog
    default_backend             ldap-ad-back

backend ldap-ad-back
    log        /dev/log local0 debug
    mode       tcp
    balance    roundrobin
    default-server inter 3s rise 2
    server     mds.xyz mds.xyz:389 maxconn 1024 check

    option                tcpka
    timeout server        20s
    timeout connect       10s

    # Below, the LDAP check procedure: an anonymous simple bind followed by an unbind.
    # The hex lines are the raw BER-encoded LDAP messages sent to port 389 on each check.
    # (HAProxy's built-in "option ldap-check" performs this same anonymous bind.)
    option tcp-check
    tcp-check connect port 389
    tcp-check send-binary 300c0201          # LDAP bind request "" simple
    tcp-check send-binary 01                # message ID
    tcp-check send-binary 6007              # protocol Op
    tcp-check send-binary 0201              # bind request
    tcp-check send-binary 03                # LDAP v3
    tcp-check send-binary 04008000          # name, simple authentication
    tcp-check expect binary 0a0100          # bind response + result code: success
    tcp-check send-binary 30050201034200    # unbind request

listen stats
    bind *:9000
    mode http
    stats enable
    stats hide-version
    stats realm Haproxy\ Statistics
    stats uri /haproxy-stats
    stats auth admin:s0meP@ssw0rd

Firewall zone file (this zone opens more than the proxy needs; of the ports listed, the configuration above only listens on tcp/443 for the frontend and tcp/9000 for the stats page, so the rest can be dropped if the host does nothing else):

# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <port protocol="tcp" port="22"/>
  <port protocol="udp" port="22"/>
  <port protocol="udp" port="443"/>
  <port protocol="tcp" port="443"/>
  <port protocol="udp" port="636"/>
  <port protocol="tcp" port="636"/>
  <port protocol="udp" port="3269"/>
  <port protocol="tcp" port="3269"/>
  <port protocol="udp" port="3268"/>
  <port protocol="tcp" port="3268"/>
  <port protocol="udp" port="389"/>
  <port protocol="tcp" port="389"/>
  <port protocol="udp" port="9000"/>
  <port protocol="tcp" port="9000"/>
  <port protocol="udp" port="137"/>
  <port protocol="udp" port="138"/>
  <port protocol="udp" port="2049"/>
</zone>

Test with the following from another host. The URI points at the frontend bind from the configuration above (terra01:443), and -x selects a simple bind, which is also what the health check uses:

ldapsearch -x -W -H ldap://terra01:443 -b "DC=MDS,DC=XYZ" -S sAMAccountName -D resu@mds.xyz '(&(objectClass=user)(sAMAccountName=*resu*))'
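To see what the send-binary and expect-binary hex strings in the backend encode, and to replay the same check through the proxy from another host, here is an added Python example (not from the original post). It builds the BER-encoded anonymous bind and unbind messages byte for byte, decodes the result code from a bind response, and can probe the proxy the way HAProxy does. The host and port default to the frontend bind terra01:443 from above; the two sample responses are constructed, not captured.

```python
import socket

# Default target is the proxy frontend from the configuration above (assumption: reachable as terra01).
PROXY_HOST, PROXY_PORT = "terra01", 443

def ber_tlv(tag: int, body: bytes) -> bytes:
    """Encode one BER element; every length here is < 128, so the short form suffices."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def ber_int(value: int) -> bytes:
    """Single-byte INTEGER, enough for message IDs and the protocol version."""
    return ber_tlv(0x02, bytes([value]))

def bind_request(msg_id: int = 1) -> bytes:
    """LDAPMessage{ messageID, BindRequest [APPLICATION 0]{ version 3, name "", simple [0] "" } }."""
    op = ber_tlv(0x60, ber_int(3) + ber_tlv(0x04, b"") + ber_tlv(0x80, b""))
    return ber_tlv(0x30, ber_int(msg_id) + op)

def unbind_request(msg_id: int = 3) -> bytes:
    """LDAPMessage{ messageID, UnbindRequest [APPLICATION 2] NULL } -> 30 05 02 01 03 42 00."""
    return ber_tlv(0x30, ber_int(msg_id) + bytes([0x42, 0x00]))

def bind_result_code(resp: bytes) -> int:
    """Walk a BindResponse and return its ENUMERATED resultCode (0 = success, 49 = invalidCredentials)."""
    assert resp[0] == 0x30, "not an LDAPMessage"
    i = 2                                # past SEQUENCE tag and length
    assert resp[i] == 0x02, "expected messageID"
    i += 2 + resp[i + 1]                 # skip INTEGER tag, length and value
    assert resp[i] == 0x61, "not a BindResponse ([APPLICATION 1])"
    i += 2                               # past BindResponse tag and length
    assert resp[i] == 0x0a, "expected ENUMERATED resultCode"
    return resp[i + 2]

# Constructed sample responses (not captured from a real server): success, then invalidCredentials.
BIND_OK = bytes.fromhex("300c02010161070a010004000400")
BIND_INVALID_CREDENTIALS = bytes.fromhex("300c02010161070a013104000400")

def ldap_probe(host: str = PROXY_HOST, port: int = PROXY_PORT, timeout: float = 5.0) -> int:
    """Replay the HAProxy health check end to end through the proxy and return the result code."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(bind_request())
        resp = sock.recv(4096)
        sock.sendall(unbind_request())
    return bind_result_code(resp)

if __name__ == "__main__":
    print("bind request  :", bind_request().hex())    # 300c020101600702010304008000
    print("unbind request:", unbind_request().hex())  # 30050201034200
```

The bind request hex is exactly the concatenation of the six send-binary lines in the backend, and the success response contains the 0a0100 that the expect line looks for.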

Command reference:

yum install haproxy18.x86_64
yum install openldap-clients
systemctl restart haproxy18
systemctl status haproxy18 -l
vi /etc/haproxy18/haproxy.cfg
vi /etc/firewalld/zones/public.xml
setsebool -P haproxy_connect_any=1
netstat -pnltu|grep -Ei haproxy



  Copyright © 2003 - 2013 Tom Kacperski (microdevsys.com). All rights reserved.

Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 Unported License