0
votes

I would like to ask you for any kind of example that illustrates SSL termination for LDAP and HAProxy (636 on the frontend and 389 on the backend).

The HAProxy configuration should look like this:

- HAProxy frontend that listens on port 636

- HAProxy backend that receives decrypted traffic from the frontend

The examples for 389->389 and 636->636 are present on the Internet:

https://support.snapt.net/hc/en-us/community/posts/360004377189-Configuring-LDAP-haproxy-cfg

However, I could not find any samples that illustrate how to configure LDAP 636->389 SSL termination with HAProxy.

You can find a sample that did not work in my environment below:

frontend ldap-636
bind 172.16.94.12:636 ssl crt /vagrant/cert_haproxy.pem no-sslv3 no-tlsv10 ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
mode tcp
option socket-stats
option tcplog
option tcpka
default_backend ldap-389-origin

backend ldap-389-origin
server freeipa.yeskela.tk 172.16.94.11:389 check fall 3 rise 5 inter 5000
mode tcp
balance leastconn
stick-table type ip size 200k expire 30m
timeout server 12s
timeout client 10s
timeout connect 10s
option tcpka
option tcp-check
tcp-check connect port 389
tcp-check send-binary 300c0201 # LDAP bind request "<ROOT>" simple
tcp-check send-binary 01 # message ID
tcp-check send-binary 6007 # protocol Op
tcp-check send-binary 0201 # bind request
tcp-check send-binary 03 # LDAP v3
tcp-check send-binary 04008000 # name, simple authentication
tcp-check expect binary 0a0100 # bind response + result code: success
tcp-check send-binary 30050201034200 # unbind request

HAProxy with the configuration that implements frontend-backend 389-389 works fine; however, as soon as I apply the snippet above, the ldapsearch request returns an error:

ldapsearch -h lb.yeskela.tk -p 636 -x -D "uid=admin,ou=people,o=ipaca" -W -b "" -s base
Enter LDAP Password: 
ldap_result: Can't contact LDAP server (-1)

Thank you.

1
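The `tcp-check send-binary` / `expect binary` lines in the backend above are raw LDAP BER bytes, which makes them hard to review. The following added example (not part of the original post or of HAProxy) rebuilds the anonymous bind request those lines emit byte for byte, parses a BindResponse, and mirrors what `expect binary 0a0100` actually tests, so the probe can be checked without a live directory. The two sample replies are constructed for the example, not captured from the poster's FreeIPA server.

```python
"""Encode and decode the LDAP BER messages behind the tcp-check probe.

Added example: rebuilds the anonymous bind request that the question's
`tcp-check send-binary` lines emit, parses a BindResponse, and reproduces the
`tcp-check expect binary 0a0100` substring match.
"""


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, value: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(tag: int, n: int) -> bytes:
    """Two's-complement INTEGER/ENUMERATED using the minimal octet count."""
    body = n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True)
    return ber_tlv(tag, body)


def bind_request(message_id: int, name: bytes = b"", password: bytes = b"") -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }.

    Empty name and password give the anonymous bind the health check sends.
    """
    op = ber_int(0x02, 3) + ber_tlv(0x04, name) + ber_tlv(0x80, password)
    return ber_tlv(0x30, ber_int(0x02, message_id) + ber_tlv(0x60, op))


def unbind_request(message_id: int) -> bytes:
    """LDAPMessage { messageID, UnbindRequest [APPLICATION 2] NULL } (tag 0x42, length 0)."""
    return ber_tlv(0x30, ber_int(0x02, message_id) + b"\x42\x00")


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data: bytes) -> dict:
    """Decode an LDAPMessage carrying a BindResponse (tag 0x61) and return its fields."""
    tag, msg, _ = read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    id_tag, id_val, pos = read_tlv(msg)
    if id_tag != 0x02:
        raise ValueError("missing messageID")
    op_tag, op, _ = read_tlv(msg, pos)
    if op_tag != 0x61:
        raise ValueError("protocolOp is not a BindResponse")
    rc_tag, rc_val, pos = read_tlv(op)       # resultCode ENUMERATED (0x0a)
    if rc_tag != 0x0A:
        raise ValueError("missing resultCode")
    _, matched_dn, pos = read_tlv(op, pos)   # matchedDN
    _, diag, _ = read_tlv(op, pos)           # diagnosticMessage
    return {
        "message_id": int.from_bytes(id_val, "big", signed=True),
        "result_code": int.from_bytes(rc_val, "big"),
        "matched_dn": matched_dn.decode(errors="replace"),
        "diagnostic": diag.decode(errors="replace"),
    }


def haproxy_expect_matches(response: bytes) -> bool:
    """What `tcp-check expect binary 0a0100` does: a substring search for
    ENUMERATED 0 anywhere in the reply, not a structural parse."""
    return bytes.fromhex("0a0100") in response


# Constructed sample replies (not captured from the poster's directory server).
BIND_OK = bytes.fromhex("300c020101" "6107" "0a0100" "0400" "0400")
BIND_INVALID_CREDENTIALS = bytes.fromhex("300c020101" "6107" "0a0131" "0400" "0400")  # resultCode 49

if __name__ == "__main__":
    # Compare with the concatenation of the question's send-binary lines.
    print(bind_request(1).hex())    # 300c020101600702010304008000
    print(unbind_request(3).hex())  # 30050201034200
    for reply in (BIND_OK, BIND_INVALID_CREDENTIALS):
        print(parse_bind_response(reply), haproxy_expect_matches(reply))
```

Two things this makes visible: the probe is an anonymous bind, so if the directory refuses anonymous binds the reply carries a non-zero resultCode and the server is marked down regardless of how the TLS side is configured; and HAProxy's `expect binary` is a byte-substring match rather than a BER parse, which is fine for `0a0100` but worth keeping in mind if the expected pattern is ever loosened.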

1 Answer

1
votes

The mode you are using is a simple TCP pass-through -- since TCP mode, unlike HTTP mode, is not protocol aware, I do not believe it is possible to perform SSL off-loading as you desire.