Hi Simon, I've added 8 different nsslapd-haproxy-trusted-ip entries to all the nodes in my dev cluster (each being a potential upstream loadbalancer/snat pool node - trying to provide for the different envs the nodes might end up being deployed to in actual use), but after restarting dirsrv.target, most of them get removed somehow. The entries that remain seem to be the loadbalancer nodes healthchecking the dirsrv node. Does this behaviour sound right to you?
eg: # ldapsearch -H ldap://localhost -x -D "cn=Directory Manager" -W -b "cn=config" -s base -a always "(objectClass=*)" nsslapd-haproxy-trusted-ip -LLL Enter LDAP Password: dn: cn=config nsslapd-haproxy-trusted-ip: 10.x.x.1 nsslapd-haproxy-trusted-ip: 10.x.x.2 nsslapd-haproxy-trusted-ip: 10.x.x.3 nsslapd-haproxy-trusted-ip: 10.x.x.14 nsslapd-haproxy-trusted-ip: 10.x.x.11 nsslapd-haproxy-trusted-ip: 10.x.x.15 nsslapd-haproxy-trusted-ip: 10.x.x.13 nsslapd-haproxy-trusted-ip: 10.x.x.12 [root@eldap-s-van-01 log] 16:02:07 # systemctl restart dirsrv.target [root@eldap-s-van-01 log] 16:02:31 # ldapsearch -H ldap://localhost -x -D "cn=Directory Manager" -W -b "cn=config" -s base -a always "(objectClass=*)" nsslapd-haproxy-trusted-ip -LLL Enter LDAP Password: dn: cn=config nsslapd-haproxy-trusted-ip: 10.19.170.13 nsslapd-haproxy-trusted-ip: 10.19.170.14 Thanks, Trev On Sat, 9 Nov 2024 at 15:57, Trevor Fong <tjf...@gmail.com> wrote: > Hi Simon, > > Thanks for the answer - dsconf worked for me. > I was trying to add new values of nsslapd-haproxy-trusted-ip using Apache > Directory Studio. It seemed to be behaving idiosyncratically and it didn't > seem to be adding them, but rather overwriting the previous value. But > doing an ldapsearch thereafter showed that it was actually being added as a > multi-valued attribute, with multiple entries of > nsslapd-haproxy-trusted-ip. I guess ADS works a little funkily > for nsslapd-haproxy-trusted-ip? > Going forward, I'll use dsconf to manage this attribute. > > Thanks, > Trev > > On Sat, 9 Nov 2024 at 08:29, Simon Pichugin <spich...@redhat.com> wrote: > >> Hi Trevor, >> The easiest way will be to use the *dsconf *command and run the *dsconf >> add* a few times (and do separate delete commands if needed). >> >> dsconf instance config add nsslapd-haproxy-trusted-ip=192.168.0.1 >> dsconf instance config add nsslapd-haproxy-trusted-ip=192.168.0.2 >> dsconf instance config add nsslapd-haproxy-trusted-ip=192.168.0.3 >> dsconf instance config delete nsslapd-haproxy-trusted-ip=192.168.0.2 >> dsconf instance config add nsslapd-haproxy-trusted-ip=192.168.0.4 >> >> Another way will be to use *ldapmodify *command and do the modification >> in the same LDAP transaction: >> >> dn: cn=config >> changetype: modify >> add: nsslapd-haproxy-trusted-ip >> nsslapd-haproxy-trusted-ip: 192.168.0.1 >> - >> add: nsslapd-haproxy-trusted-ip >> nsslapd-haproxy-trusted-ip: 192.168.0.2 >> - >> add: nsslapd-haproxy-trusted-ip >> nsslapd-haproxy-trusted-ip: 192.168.0.3 >> >> Sorry if it's a bit inconvenient. We have plans to improve the cn=config >> handling logic for multivalued attributes. >> >> Regards, >> Simon >> >> >> On Fri, Nov 8, 2024 at 3:43 PM Trevor Fong via 389-users < >> 389-users@lists.fedoraproject.org> wrote: >> >>> Hi There, >>> >>> I'm trying to set up 389 DS nodes (2.4.5) for to use the Proxy protocol >>> for HAProxy load-balancing behind F5 load-balancers. >>> >>> I've been following >>> https://www.port389.org/docs/389ds/howto/howto-test-haproxy-ldaps.html >>> and >>> >>> https://docs.redhat.com/en/documentation/red_hat_directory_server/12/html/configuration_and_schema_reference/assembly_core-server-configuration-attributes_config-schema-reference-title#nsslapd-haproxy-trusted-ip_assembly_cn-config >>> . >>> >>> The Red Hat docs say "the nsslapd-haproxy-trusted-ip attribute >>> configures the list of trusted proxy servers." I have at least 5 IP's I >>> would need the 389 DS nodes to trust, but nsslapd-haproxy-trusted-ip does >>> not want to accept a CIDR nor does it seem to accept multiple values. It >>> also doesn't want to accept a comma delimited list of IP's. >>> >>> Does anyone know the correct syntax/setup for multiple HAProxy trusted >>> IP's? >>> Are there any further docs available? >>> >>> Thanks, >>> Trev >>> -- >>> _______________________________________________ >>> 389-users mailing list -- 389-users@lists.fedoraproject.org >>> To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org >>> Fedora Code of Conduct: >>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >>> List Archives: >>> https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org >>> Do not reply to spam, report it: >>> https://pagure.io/fedora-infrastructure/new_issue >>> >>
-- _______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
