Hello, I was thinking of updating the ldap-check, but I think I've a better idea: macros (well, ish).
    send-binary 300c0201       # LDAP bind request "<ROOT>" simple
    send-binary 01             # message ID
    send-binary 6007           # protocol Op
    send-binary 0201           # bind request
    send-binary 03             # LDAP v3
    send-binary 04008000       # name, simple authentication
    expect binary 0a0100       # bind response + result code: success
    send-binary 30050201034200 # unbind request

could be in a file named macros/ldap-simple-bind, then the option

    tcp-check-macro ldap-simple-bind

would use it. I know this is close to includes.

similarly macros/smtp-helo-quit

    connect port 25
    expect rstring ^220
    send QUIT\r\n
    expect rstring ^221

or from http://blog.haproxy.com/2014/06/06/binary-health-check-with-haproxy-1-5-php-fpmfastcgi-probe-example/

    # FCGI_BEGIN_REQUEST
    send-binary 01   # version
    send-binary 01   # FCGI_BEGIN_REQUEST
    send-binary 0001 # request id
    send-binary 0008 # content length
    send-binary 00   # padding length
    send-binary 00   #
    send-binary 0001 # FCGI responder
    send-binary 0000 # flags
    send-binary 0000 #
    send-binary 0000 #

    # FCGI_PARAMS
    send-binary 01   # version
    send-binary 04   # FCGI_PARAMS
    send-binary 0001 # request id
    send-binary 0045 # content length
    send-binary 03   # padding length: padding for content % 8 = 0
    send-binary 00   #
    send-binary 0e03524551554553545f4d4554484f44474554       # REQUEST_METHOD = GET
    send-binary 0b055343524950545f4e414d452f70696e67         # SCRIPT_NAME = /ping
    send-binary 0f055343524950545f46494c454e414d452f70696e67 # SCRIPT_FILENAME = /ping
    send-binary 040455534552524F4F54                         # USER = ROOT
    send-binary 000000                                       # padding

    # FCGI_PARAMS
    send-binary 01   # version
    send-binary 04   # FCGI_PARAMS
    send-binary 0001 # request id
    send-binary 0000 # content length
    send-binary 00   # padding length: padding for content % 8 = 0
    send-binary 00   #

    expect binary 706f6e67 # pong

(though for items like

    send-binary 0e03524551554553545f4d4554484f44474554 # REQUEST_METHOD = GET

I'd prefer a

    send-as-binary "REQUEST_METHOD = GET"
)

these and many others could be shipped with haproxy.
this seems to make sense to me as they are small contained logical items

Neil

On 30 March 2015 at 23:02, Baptiste <bed...@gmail.com> wrote:
>
> you should believe it :)
>
> On Mon, Mar 30, 2015 at 11:34 PM, Neil - HAProxy List
> <maillist-hapr...@iamafreeman.com> wrote:
> > Hello
> >
> > Thanks so much. That worked well, I now get
> > L7OK/0 in 0ms
> > not sure I believe the 0ms but maybe I should
> >
> > Thanks again,
> >
> > Neil
> >
> > On 30 March 2015 at 22:14, Baptiste <bed...@gmail.com> wrote:
> >>
> >> On Mon, Mar 30, 2015 at 10:33 PM, Neil - HAProxy List
> >> <maillist-hapr...@iamafreeman.com> wrote:
> >> > Hello
> >> >
> >> > I'm trying to use ldap-check with active directory and the response
> >> > active directory gives is not one ldap-check is happy to accept
> >> >
> >> > when I give a 389 directory backend ldap server all is well, when I use
> >> > AD I get 'Not LDAPv3 protocol'
> >> >
> >> > I've done a little poking about and found that
> >> >
> >> >     if ((msglen > 2) ||
> >> >         (memcmp(check->bi->data + 2 + msglen,
> >> >                 "\x02\x01\x01\x61", 4) != 0)) {
> >> >         set_server_check_status(check,
> >> >                                 HCHK_STATUS_L7RSP, "Not LDAPv3 protocol");
> >> >
> >> > is where I'm getting stopped as msglen is 4
> >> >
> >> > Here is tcpdump of 389 directory response (the one that works), 2 packets:
> >> >
> >> > 21:29:34.195699 IP 389.ldap > HAPROXY.57109: Flags [.], ack 15, win 905,
> >> > options [nop,nop,TS val 856711882 ecr 20393440], length 0
> >> >     0x0000:  0050 5688 7042 0064 403b 2700 0800 4500  .PV.pB.d@;'...E.
> >> >     0x0010:  0034 9d07 4000 3f06 3523 ac1b e955 ac18  .4..@.?.5#...U..
> >> >     0x0020:  2810 0185 df15 5cab ffcd 63ba 77d3 8010  (.....\...c.w...
> >> >     0x0030:  0389 2c07 0000 0101 080a 3310 62ca 0137  ..,.......3.b..7
> >> >     0x0040:  2de0                                     -.
> >> >
> >> > 21:29:34.195958 IP 389.ldap > HAPROXY.57109: Flags [P.], seq 1:15, ack 15,
> >> > win 905, options [nop,nop,TS val 856711882 ecr 20393440], length 14
> >> >     0x0000:  0050 5688 7042 0064 403b 2700 0800 4500  .PV.pB.d@;'...E.
> >> >     0x0010:  0042 9d08 4000 3f06 3514 ac1b e955 ac18  .B..@.?.5....U..
> >> >     0x0020:  2810 0185 df15 5cab ffcd 63ba 77d3 8018  (.....\...c.w...
> >> >     0x0030:  0389 e878 0000 0101 080a 3310 62ca 0137  ...x......3.b..7
> >> >     0x0040:  2de0 300c 0201 0161 070a 0100 0400 0400  -.0....a........
> >> >
> >> > Here is tcpdump of active directory (broken), 1 packet:
> >> >
> >> > 21:25:24.519883 IP ADSERVER.ldap > HAPROXY.57789: Flags [P.], seq 1:23, ack 15,
> >> > win 260, options [nop,nop,TS val 1870785 ecr 20331021], length 22
> >> >     0x0000:  0050 5688 7042 0050 5688 7780 0800 4500  .PV.pB.PV.w...E.
> >> >     0x0010:  004a 1d7d 4000 8006 34e3 ac18 280d ac18  .J.}@...4...(...
> >> >     0x0020:  2810 0185 e1bd 5a3f 2ae7 3ced 7b5b 8018  (.....Z?*.<.{[..
> >> >     0x0030:  0104 1d7a 0000 0101 080a 001c 8bc1 0136  ...z...........6
> >> >     0x0040:  3a0d 3084 0000 0010 0201 0161 8400 0000  :.0........a....
> >> >     0x0050:  070a 0100 0400 0400
> >> >
> >> > this was discussed but not finished before, see
> >> > http://www.serverphorums.com/read.php?10,394453
> >> >
> >> > I can see the string \02\01\01\61 is there but not in the correct place
> >> >
> >> > Anyone have any ideas about fixing this so that both (and possibly
> >> > other) ldap implementations work?
> >> >
> >> > Thanks,
> >> >
> >> > Neil
> >>
> >>
> >> Hi Neil
> >>
> >> Yes you can switch to the tcp-check checking method.
> >> It works with binary protocols as well.
> >> Here is what I use for the AD in my lab:
> >>
> >>   option tcp-check
> >>   tcp-check connect port 389
> >>   tcp-check send-binary 300c0201       # LDAP bind request "<ROOT>" simple
> >>   tcp-check send-binary 01             # message ID
> >>   tcp-check send-binary 6007           # protocol Op
> >>   tcp-check send-binary 0201           # bind request
> >>   tcp-check send-binary 03             # LDAP v3
> >>   tcp-check send-binary 04008000       # name, simple authentication
> >>   tcp-check expect binary 0a0100       # bind response + result code: success
> >>   tcp-check send-binary 30050201034200 # unbind request
> >>
> >>
> >> You could add the same sequence for LDAPs on port 636:
> >>
> >>   tcp-check connect port 636 ssl
> >>   tcp-check send-binary 300c0201       # LDAP bind request "<ROOT>" simple
> >>   tcp-check send-binary 01             # message ID
> >>   tcp-check send-binary 6007           # protocol Op
> >>   tcp-check send-binary 0201           # bind request
> >>   tcp-check send-binary 03             # LDAP v3
> >>   tcp-check send-binary 04008000       # name, simple authentication
> >>   tcp-check expect binary 0a0100       # bind response + result code: success
> >>   tcp-check send-binary 30050201034200 # unbind request
> >>
> >>
> >> Note for myself: put this tip on the blog..
> >>
> >> Baptiste
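Added example (my own C, not HAProxy source and not code from anyone in the thread): a small BER walker that decodes the bind responses from both tcpdump captures quoted above, using a length decoder that accepts the short form 389 Directory sends (30 0c ...) as well as the long form Active Directory sends (30 84 00 00 00 10 ...), and returns the LDAP resultCode. Beside it is my reconstruction of the short-form-only test Neil quoted from the old ldap-check, so the "msglen is 4" failure can be reproduced on the AD bytes. The function names, the reconstruction of the old check, and the invalidCredentials sample reply are mine; only the two captured payloads come from the thread.

```c
/* Added example, not HAProxy source: decode the two LDAP bind responses
 * captured in the thread with a BER length decoder that accepts both the
 * short form (389 Directory: 30 0c ...) and the long form Active Directory
 * emits (30 84 00 00 00 10 ...), then compare with a reconstruction of the
 * short-form-only test quoted from the old ldap-check. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Payload bytes copied from the tcpdump captures quoted in the thread. */
const uint8_t ds389_reply[] = {
    0x30, 0x0c, 0x02, 0x01, 0x01, 0x61, 0x07,
    0x0a, 0x01, 0x00, 0x04, 0x00, 0x04, 0x00 };
const uint8_t ad_reply[] = {
    0x30, 0x84, 0x00, 0x00, 0x00, 0x10, 0x02, 0x01, 0x01,
    0x61, 0x84, 0x00, 0x00, 0x00, 0x07,
    0x0a, 0x01, 0x00, 0x04, 0x00, 0x04, 0x00 };
/* Constructed sample (not from the thread): same shape as the 389 reply but
 * with resultCode invalidCredentials (49). */
const uint8_t bad_creds_reply[] = {
    0x30, 0x0c, 0x02, 0x01, 0x01, 0x61, 0x07,
    0x0a, 0x01, 0x31, 0x04, 0x00, 0x04, 0x00 };

/* Decode one BER length: short form 0x00..0x7f, or 0x8N followed by N
 * big-endian octets. Stores the content length in *len and returns the
 * number of length octets consumed, or 0 for indefinite/oversized/truncated. */
static size_t ber_length(const uint8_t *p, size_t avail, size_t *len)
{
    if (avail < 1) return 0;
    if (!(p[0] & 0x80)) { *len = p[0]; return 1; }
    size_t n = p[0] & 0x7f;
    if (n == 0 || n > sizeof(size_t) || avail < 1 + n) return 0;
    size_t v = 0;
    for (size_t i = 0; i < n; i++) v = (v << 8) | p[1 + i];
    *len = v;
    return 1 + n;
}

/* Check the tag of the TLV at p, decode its length and point *content at its
 * value. Returns 0 on tag mismatch or if the value would run past avail. */
static int ber_tlv(const uint8_t *p, size_t avail, uint8_t tag,
                   const uint8_t **content, size_t *clen)
{
    if (avail < 2 || p[0] != tag) return 0;
    size_t n = ber_length(p + 1, avail - 1, clen);
    if (n == 0 || 1 + n + *clen > avail) return 0;
    *content = p + 1 + n;
    return 1;
}

/* LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp BindResponse
 * [APPLICATION 1] { resultCode ENUMERATED, ... } }. Returns the resultCode
 * (0 = success) or -1 if buf is not a well-formed BindResponse. */
int ldap_bind_result(const uint8_t *buf, size_t len)
{
    const uint8_t *msg, *id, *op, *rc;
    size_t msglen, idlen, oplen, rclen, used;
    if (!ber_tlv(buf, len, 0x30, &msg, &msglen)) return -1;                /* SEQUENCE */
    if (!ber_tlv(msg, msglen, 0x02, &id, &idlen)) return -1;               /* messageID */
    used = (size_t)(id - msg) + idlen;
    if (!ber_tlv(msg + used, msglen - used, 0x61, &op, &oplen)) return -1; /* BindResponse */
    if (!ber_tlv(op, oplen, 0x0a, &rc, &rclen) || rclen != 1) return -1;   /* resultCode */
    return rc[0];
}

/* My reconstruction of the test quoted from the old check (not the exact
 * HAProxy source): msglen is the count of long-form length octets, so a
 * long-form length wider than two octets, or unexpected bytes right after
 * the length, yields "Not LDAPv3 protocol". Returns 1 if it would accept. */
int legacy_check_accepts(const uint8_t *buf, size_t len)
{
    size_t msglen;
    if (len < 2) return 0;
    msglen = (buf[1] & 0x80) ? (buf[1] & 0x7f) : 0;
    if (msglen > 2 || len < 2 + msglen + 4) return 0;
    return memcmp(buf + 2 + msglen, "\x02\x01\x01\x61", 4) == 0;
}

int main(void)
{
    printf("389 DS: legacy accepts=%d resultCode=%d\n",
           legacy_check_accepts(ds389_reply, sizeof ds389_reply),
           ldap_bind_result(ds389_reply, sizeof ds389_reply));
    printf("AD:     legacy accepts=%d resultCode=%d\n",
           legacy_check_accepts(ad_reply, sizeof ad_reply),
           ldap_bind_result(ad_reply, sizeof ad_reply));
    return 0;
}
```

The AD reply is rejected by the legacy logic purely because of its length encoding (0x84 means four length octets follow, so msglen is 4), while the real BindResponse inside it is a clean success. Parsing the TLV structure instead of comparing bytes at a fixed offset is also the safer probe: a truncated reply or a non-zero resultCode such as invalidCredentials (49) is reported as a failure rather than matched by accident.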
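Added example for the FastCGI probe quoted at the top of the message (my own C, not code from HAProxy or from the linked blog post): it builds the FastCGI name-value pairs and the FCGI_PARAMS record whose raw hex appears in the send-binary lines, which is what a "send-as-binary" style helper would have to produce from readable names and values. The function names and buffer sizes are mine; the parameter names and values (REQUEST_METHOD, SCRIPT_NAME, SCRIPT_FILENAME, USER) are the ones in the probe above.

```c
/* Added example, not HAProxy or blog code: encode FastCGI name-value pairs
 * and wrap them in a FCGI_PARAMS record, reproducing the bytes behind the
 * send-binary lines of the /ping probe quoted in the thread. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FCGI_VERSION_1 1
#define FCGI_PARAMS    4

/* FastCGI length prefix: one octet when below 128, otherwise four octets,
 * big-endian, with the top bit set. Returns the number of octets written. */
static size_t fcgi_put_len(uint8_t *out, size_t n)
{
    if (n < 128) { out[0] = (uint8_t)n; return 1; }
    out[0] = (uint8_t)(0x80 | ((n >> 24) & 0x7f));
    out[1] = (uint8_t)(n >> 16);
    out[2] = (uint8_t)(n >> 8);
    out[3] = (uint8_t)n;
    return 4;
}

/* Append one pair as nameLen, valueLen, name bytes, value bytes.
 * Returns bytes written, or 0 if the buffer is too small. */
size_t fcgi_put_pair(uint8_t *out, size_t cap, const char *name, const char *value)
{
    size_t nl = strlen(name), vl = strlen(value);
    size_t need = (nl < 128 ? 1 : 4) + (vl < 128 ? 1 : 4) + nl + vl;
    if (need > cap) return 0;
    size_t pos = fcgi_put_len(out, nl);
    pos += fcgi_put_len(out + pos, vl);
    memcpy(out + pos, name, nl);  pos += nl;
    memcpy(out + pos, value, vl); pos += vl;
    return pos;
}

/* Wrap content in a FCGI_PARAMS record: 8-byte header {version, type,
 * requestId(2), contentLength(2), paddingLength, reserved}, the content,
 * then zero padding so the record is a multiple of 8 bytes. Returns the
 * total record length, or 0 on overflow. */
size_t fcgi_params_record(uint8_t *out, size_t cap, uint16_t req_id,
                          const uint8_t *content, size_t clen)
{
    size_t pad = (8 - clen % 8) % 8;
    if (clen > 0xffff || 8 + clen + pad > cap) return 0;
    out[0] = FCGI_VERSION_1;
    out[1] = FCGI_PARAMS;
    out[2] = (uint8_t)(req_id >> 8); out[3] = (uint8_t)req_id;
    out[4] = (uint8_t)(clen >> 8);   out[5] = (uint8_t)clen;
    out[6] = (uint8_t)pad;           out[7] = 0;
    memcpy(out + 8, content, clen);
    memset(out + 8 + clen, 0, pad);
    return 8 + clen + pad;
}

/* Lowercase hex as used in send-binary lines; hex must hold 2*n+1 bytes. */
void to_hex(const uint8_t *in, size_t n, char *hex)
{
    static const char d[] = "0123456789abcdef";
    for (size_t i = 0; i < n; i++) {
        hex[2 * i]     = d[in[i] >> 4];
        hex[2 * i + 1] = d[in[i] & 15];
    }
    hex[2 * n] = '\0';
}

/* The four parameters of the /ping probe from the thread as one
 * FCGI_PARAMS record with request id 1. Returns the record length. */
size_t build_ping_params(uint8_t *out, size_t cap)
{
    uint8_t content[128];
    size_t n = 0;
    n += fcgi_put_pair(content + n, sizeof content - n, "REQUEST_METHOD", "GET");
    n += fcgi_put_pair(content + n, sizeof content - n, "SCRIPT_NAME", "/ping");
    n += fcgi_put_pair(content + n, sizeof content - n, "SCRIPT_FILENAME", "/ping");
    n += fcgi_put_pair(content + n, sizeof content - n, "USER", "ROOT");
    return fcgi_params_record(out, cap, 1, content, n);
}

int main(void)
{
    uint8_t rec[128];
    char hex[2 * sizeof rec + 1];
    size_t n = build_ping_params(rec, sizeof rec);
    to_hex(rec, n, hex);
    printf("FCGI_PARAMS (%zu bytes): %s\n", n, hex);
    return 0;
}
```

Running it reproduces the probe's header values: 69 bytes (0x45) of content and 3 bytes of padding, which is where the "padding for content % 8 = 0" comment in the probe comes from, and the first pair hex-encodes to the 0e03524551... line above.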