HAProxy Configuration for Proxying Active Directory (AD) LDAP Servers
A quick HAProxy configuration for proxying Active Directory LDAP requests through another server. Put the following on the proxy server. Note that the frontend listens on port 443 while the backend connects to the AD server on port 389. The frontend runs in plain TCP mode with no TLS on its bind line, so it does not terminate TLS: what crosses port 443 here is the same plaintext LDAP that the backend forwards to port 389.
# vi /etc/haproxy18/haproxy.cfg
global
    log 127.0.0.1 local0 debug
    stats socket /var/run/haproxy.sock mode 0600 level admin
    # stats socket /var/lib/haproxy/stats
    maxconn 4000
    user haproxy
    group haproxy
    daemon
    # "debug" is the equivalent of the -d command-line flag: it dumps every exchange to
    # stdout and keeps the process in the foreground, so remove it once the setup works.
    debug

defaults
    mode tcp
    log global
    option dontlognull
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 3000

# Clients connect here on 443; plain TCP passthrough, no TLS termination.
frontend ldap-ad-front
    log 127.0.0.1 local0 debug
    bind terra01:443
    mode tcp
    option tcplog
    default_backend ldap-ad-back

# Connections are forwarded to the AD server on plain LDAP port 389.
backend ldap-ad-back
    log /dev/log local0 debug
    mode tcp
    balance roundrobin
    default-server inter 3s rise 2
    server mds.xyz mds.xyz:389 maxconn 1024 check
    option tcpka
    timeout server 20s
    timeout connect 10s
    # Below, LDAP check procedure: an anonymous simple bind that must answer
    # with resultCode success, followed by an unbind.
    option tcp-check
    tcp-check connect port 389
    tcp-check send-binary 300c0201 # LDAP bind request "" simple
    tcp-check send-binary 01 # message ID
    tcp-check send-binary 6007 # protocol Op
    tcp-check send-binary 0201 # bind request
    tcp-check send-binary 03 # LDAP v3
    tcp-check send-binary 04008000 # name, simple authentication
    tcp-check expect binary 0a0100 # bind response + result code: success
    tcp-check send-binary 30050201034200 # unbind request

# Stats page; reachable on port 9000, protected only by the basic-auth below.
listen stats
    bind *:9000
    mode http
    stats enable
    stats hide-version
    stats realm Haproxy\ Statistics
    stats uri /haproxy-stats
    stats auth admin:s0meP@ssw0rd
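The tcp-check lines above are a hand-assembled BER-encoded LDAP exchange, which is easy to get wrong by a byte. The following is an added example, not code from the original post or from HAProxy, that builds the same anonymous simple bind and unbind PDUs with a small BER encoder, decodes the bindResponse that "expect binary 0a0100" is looking for, and wraps the exchange in a probe function equivalent to the health check. The host and port passed to ldap_probe() are hypothetical placeholders; the two sample responses are constructed, not captured from a real server.

```python
# Added example (not part of the original post or HAProxy): reproduces the
# tcp-check LDAP exchange in Python so each byte can be verified.
import socket


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, value: bytes) -> bytes:
    """Tag, length, value."""
    return bytes([tag]) + ber_len(len(value)) + value


def ber_small_int(tag: int, n: int) -> bytes:
    """Single-octet non-negative INTEGER/ENUMERATED (message IDs, version, result codes)."""
    return ber_tlv(tag, bytes([n]))


def anonymous_bind_request(msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, bindRequest { version 3, name "", simple "" } }.
    With msg_id 1 this is exactly the bytes the tcp-check send-binary lines send."""
    bind = ber_small_int(0x02, 3) + ber_tlv(0x04, b"") + ber_tlv(0x80, b"")
    return ber_tlv(0x30, ber_small_int(0x02, msg_id) + ber_tlv(0x60, bind))


def unbind_request(msg_id: int = 3) -> bytes:
    """LDAPMessage { messageID, unbindRequest } ([APPLICATION 2] with empty body)."""
    return ber_tlv(0x30, ber_small_int(0x02, msg_id) + ber_tlv(0x42, b""))


def _read_tlv(buf: bytes, at: int) -> tuple[int, bytes, int]:
    """Return (tag, value, offset after the element) for the element at buf[at]."""
    tag = buf[at]
    length = buf[at + 1]
    start = at + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[start:start + n], "big")
        start += n
    return tag, buf[start:start + length], start + length


def parse_bind_response(pdu: bytes) -> dict:
    """Decode an LDAPMessage carrying a bindResponse ([APPLICATION 1]).
    Stricter than HAProxy's expect binary, which only searches the received
    bytes for the substring 0a0100."""
    tag, msg, _ = _read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, nxt = _read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = _read_tlv(msg, nxt)
    if tag != 0x61:
        raise ValueError("protocolOp is not a bindResponse")
    tag, code, _ = _read_tlv(op, 0)
    if tag != 0x0A:
        raise ValueError("bindResponse does not start with resultCode")
    result = int.from_bytes(code, "big")
    return {"message_id": int.from_bytes(mid, "big"), "result_code": result, "ok": result == 0}


def ldap_probe(host: str, port: int = 389, timeout: float = 5.0) -> bool:
    """Same exchange as the tcp-check: connect, anonymous bind, expect success, unbind.
    host/port are placeholders supplied by the caller."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(anonymous_bind_request(1))
        ok = parse_bind_response(s.recv(4096))["ok"]
        s.sendall(unbind_request(3))
    return ok


# Constructed sample responses (not captured from a real directory server):
# SEQUENCE { INTEGER 1, bindResponse { ENUMERATED code, matchedDN "", errorMessage "" } }
SAMPLE_SUCCESS = bytes.fromhex("300c02010161070a010004000400")        # resultCode 0
SAMPLE_INVALID_CREDS = bytes.fromhex("300c02010161070a013104000400")  # resultCode 49

if __name__ == "__main__":
    print(anonymous_bind_request().hex())   # 300c020101600702010304008000
    print(parse_bind_response(SAMPLE_SUCCESS))
```

Running the module prints the bind request hex, which should match the concatenation of the send-binary lines in the backend. A point worth keeping in mind when reading the health check: "tcp-check expect binary 0a0100" matches that byte sequence anywhere in the data received, while the parser above insists on a bindResponse whose first element is the resultCode.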
Firewall zone file:
# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <port protocol="tcp" port="22"/>
  <port protocol="udp" port="22"/>
  <port protocol="udp" port="443"/>
  <port protocol="tcp" port="443"/>
  <port protocol="udp" port="636"/>
  <port protocol="tcp" port="636"/>
  <port protocol="udp" port="3269"/>
  <port protocol="tcp" port="3269"/>
  <port protocol="udp" port="3268"/>
  <port protocol="tcp" port="3268"/>
  <port protocol="udp" port="389"/>
  <port protocol="tcp" port="389"/>
  <port protocol="udp" port="9000"/>
  <port protocol="tcp" port="9000"/>
  <port protocol="udp" port="137"/>
  <port protocol="udp" port="138"/>
  <port protocol="udp" port="2049"/>
</zone>
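The zone above opens far more than the two ports HAProxy actually binds in this configuration (TCP 443 for the frontend and TCP 9000 for the stats page). As an added example, not part of the original post, the script below cross-checks an embedded copy of the zone file against the bind lines of the HAProxy configuration and returns every zone entry that no HAProxy listener serves, so each remaining opening can be justified on its own (ssh, NFS and the like) or dropped. Both inputs are copies of the snippets in this post, embedded as strings; nothing is read from the live system.

```python
# Added example (not from the original post): list firewalld zone openings that
# the HAProxy configuration does not serve. Inputs are embedded copies of the
# post's snippets, not files read from the host.
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# The bind lines from the post's haproxy.cfg (other directives omitted).
HAPROXY_CFG = """\
frontend ldap-ad-front
    bind terra01:443
    mode tcp
listen stats
    bind *:9000
    mode http
"""

# Copy of the post's /etc/firewalld/zones/public.xml.
ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <port protocol="tcp" port="22"/>
  <port protocol="udp" port="22"/>
  <port protocol="udp" port="443"/>
  <port protocol="tcp" port="443"/>
  <port protocol="udp" port="636"/>
  <port protocol="tcp" port="636"/>
  <port protocol="udp" port="3269"/>
  <port protocol="tcp" port="3269"/>
  <port protocol="udp" port="3268"/>
  <port protocol="tcp" port="3268"/>
  <port protocol="udp" port="389"/>
  <port protocol="tcp" port="389"/>
  <port protocol="udp" port="9000"/>
  <port protocol="tcp" port="9000"/>
  <port protocol="udp" port="137"/>
  <port protocol="udp" port="138"/>
  <port protocol="udp" port="2049"/>
</zone>
"""


def haproxy_bind_ports(cfg: str) -> set[int]:
    """Ports from every 'bind <address>:<port>' line. HAProxy listeners in
    tcp/http mode accept TCP only, so these are TCP ports."""
    return {int(m.group(1)) for m in re.finditer(r"^\s*bind\s+\S*?:(\d+)\b", cfg, re.M)}


def zone_ports(xml_text: str) -> set[tuple[str, int]]:
    """(protocol, port) pairs opened by <port .../> elements of a firewalld zone."""
    root = ET.fromstring(xml_text)
    return {(p.get("protocol"), int(p.get("port"))) for p in root.findall("port")}


def unserved_ports(cfg: str, xml_text: str) -> list[tuple[str, int]]:
    """Zone entries no HAProxy bind line serves: every UDP entry (HAProxy here
    is TCP-only) and any TCP port HAProxy does not bind. Sorted for stable output."""
    bound = haproxy_bind_ports(cfg)
    return sorted(
        (proto, port) for proto, port in zone_ports(xml_text)
        if proto != "tcp" or port not in bound
    )


if __name__ == "__main__":
    print("HAProxy binds TCP:", sorted(haproxy_bind_ports(HAPROXY_CFG)))
    for proto, port in unserved_ports(HAPROXY_CFG, ZONE_XML):
        print(f"open but not served by HAProxy: {proto}/{port}")
```

The output lists 15 of the 17 port entries, including every UDP entry and TCP 389/636/3268/3269, which clients do not need on the proxy host since they connect to 443 and the proxy originates its own connections to the directory server. Entries like TCP 22 are expected for other reasons; the point of the list is that each one has a stated reason.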
Test with the following from another host:
ldapsearch -W -b "DC=MDS,DC=XYZ" -h 10.0.0.100:443 -S sAMAccountName -D resu@mds.xyz '(&(objectClass=user)(sAMAccountName=*resu*))'
Command reference:
yum install haproxy18.x86_64
yum install openldap-clients
systemctl restart haproxy18
systemctl status haproxy18 -l
vi /etc/haproxy18/haproxy.cfg
vi /etc/firewalld/zones/public.xml
setsebool -P haproxy_connect_any=1
netstat -pnltu|grep -Ei haproxy
Cheers,