Configuring HAProxy for LDAP access #339
Comments
|
This existing puppet module might be useful: |
|
I ended up creating it with the above puppet module, with: an instance in my to my magic_castle::site::tags:
haproxy:
- haproxy
profile::sssd::client::domains:
CCLDAP:
id_provider: ldap
auth_provider: ldap
ldap_schema: rfc2307
ldap_uri:
- ldaps://haproxy1
.....
haproxy::merge_options: false
haproxy::defaults_options:
log: global
option: ['tcplog', 'tcpka']
balance: first
timeout server: 1800s
timeout connect: 2s
mode: tcp
haproxy::custom_fragment: |
frontend ldaps_service_front
mode tcp
bind %{lookup('terraform.self.local_ip')}:636
description LDAPS Service
option socket-stats
option tcpka
timeout client 3600s
default_backend ldaps_service_back
backend ldaps_service_back
server ldap-1 <server1>:636 check fall 1 rise 1 inter 2s
server ldap-2 <server1>:636 check fall 1 rise 1 inter 2s
option ssl-hello-chk |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
In our cloud, if a VM has a public IP, all connections go through the public IP. When authenticating against an external LDAP, this means that the LDAP firewall configuration needs to be adjusted every time we add a new public VM. A better solution would be to run an HAProxy service on one of the internal nodes (mgmt1, puppet1, or dedicated node) which does not have a public IP. Communications of those VMs all go through the project's router, and the LDAP would only need to be open from the project's LDAP router.
Documentation on configuring a HAProxy service is available on this internal page:
https://wiki.alliancecan.ca/wiki/LDAP_HAProxy
The text was updated successfully, but these errors were encountered: