Dear all,

The bind operation is quite complex in LDAP: http://tools.ietf.org/html/rfc4511#section-4.2
It could be simple (anonymous or name/password authentication) or SASL. I only implemented anonymous bind because it is very simple, and when using other authentication the data sent must be encoded in ASN.1 syntax (http://en.wikipedia.org/wiki/Abstract_Syntax_Notation_One).

I suggest 2 solutions for the problem:
1. modifying LDAP server ACLs to allow bind for anonymous (e.g. openldap: http://www.openldap.org/doc/admin24/access-control.html)
2. changing the HAproxy code to accept resultCode 49: invalidCredentials (http://tools.ietf.org/html/rfc4513#section-5.1.3)

Regards,
Gabor

On Thu, Jun 16, 2011 at 9:19 PM, Willy Tarreau <[email protected]> wrote:
> Hi,
>
> On Thu, Jun 16, 2011 at 02:48:02PM -0400, Walck, Christopher wrote:
> > Hi all,
> >
> > Does anyone know where 'ldap-check' derives the bind DN?
> >
> > Looking at a packet capture, I see the check is sending the bind DN of
> > "<ROOT>". I believe this is the reason that the check is failing for me.
>
> The request is hard-coded in include/common/defaults.h :
>
> #define DEF_LDAP_CHECK_REQ "\x30\x0c\x02\x01\x01\x60\x07\x02\x01\x03\x04\x00\x80\x00"
>
> As I'm not a native LDAP speaker, I can't tell you what it does exactly,
> however the commit says this :
>
> commit b76b44c6fed8a7ba6f0f565dd72a9cb77aaeca7c
> Author: Gabor Lekeny <[email protected]>
> Date: Wed Sep 29 18:17:05 2010 +0200
>
> [MINOR] checks: add support for LDAPv3 health checks
>
> This patch provides a new "option ldap-check" statement to enable
> server health checks based on LDAPv3 bind requests.
>
> and the doc says this :
>
> It is possible to test that the server correctly talks LDAPv3 instead of just
> testing that it accepts the TCP connection. When this option is set, an
> LDAPv3 anonymous simple bind message is sent to the server, and the response
> is analyzed to find an LDAPv3 bind response message.
> The server is considered valid only when the LDAP response contains success
> resultCode (http://tools.ietf.org/html/rfc4511#section-4.1.9).
>
> So I think the DN is not mandatory for an anonymous bind request. If you
> manage to make the check work by slightly modifying it, it might be worth
> adding a configurable parameter.
>
> Alternatively, maybe the response you get from the server could be indicative
> of a working LDAP service which simply refuses the bind request, so we could
> also relax the response check.
>
> I'm CCing Gabor who authored the patch, maybe he has more insightful ideas
> on the subject.
>
> Regards,
> Willy
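Editor's note, with an added example that is not part of the thread and not HAProxy's or Gabor's code: the DEF_LDAP_CHECK_REQ bytes quoted above are a BER-encoded LDAPMessage carrying a BindRequest with version 3, an empty name and an empty simple password, i.e. exactly the anonymous simple bind the documentation describes (the empty name is presumably what the capture displayed as "<ROOT>"). The script below decodes those bytes, rebuilds them with a small BER encoder so the ASN.1 structure Gabor mentions is visible, shows what a name/password bind looks like on the wire, and implements the response check in both the strict form (resultCode 0 only) and the relaxed form proposed as solution 2 (also accept resultCode 49). The helper names, the constructed BindResponse bytes and the sample DN/password are my own; nothing here is taken from the HAProxy source.

```python
# Added example (not HAProxy's or the patch author's code): decode the hard-coded
# LDAPv3 anonymous bind request, rebuild it with a minimal BER encoder, and show
# a BindResponse resultCode check in strict and relaxed form. Helper names and
# sample data are assumptions made for this example.

# Bytes copied from the DEF_LDAP_CHECK_REQ macro quoted in the thread.
DEF_LDAP_CHECK_REQ = b"\x30\x0c\x02\x01\x01\x60\x07\x02\x01\x03\x04\x00\x80\x00"

# LDAP result codes (RFC 4511, Appendix A).
SUCCESS = 0
INVALID_CREDENTIALS = 49


def ber_len(n):
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(tag, n):
    """Non-negative INTEGER (0x02) or ENUMERATED (0x0a); extra byte keeps the sign bit clear."""
    return tlv(tag, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def bind_request(msg_id=1, dn=b"", password=b""):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    op = ber_int(0x02, 3) + tlv(0x04, dn) + tlv(0x80, password)  # 0x80 = context tag [0] = simple
    return tlv(0x30, ber_int(0x02, msg_id) + tlv(0x60, op))     # 0x60 = APPLICATION 0, constructed


def parse_bind_request(msg):
    """Pull the fields back out of a BindRequest such as DEF_LDAP_CHECK_REQ."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = read_tlv(body)
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, ver, pos = read_tlv(op)
    _, dn, pos = read_tlv(op, pos)
    auth_tag, cred, _ = read_tlv(op, pos)
    return {"messageID": int.from_bytes(mid, "big"), "version": int.from_bytes(ver, "big"),
            "name": dn, "simple": auth_tag == 0x80, "credentials": cred}


def bind_response(msg_id, result_code, matched_dn=b"", diagnostic=b""):
    """Constructed server reply: BindResponse [APPLICATION 1] { resultCode, matchedDN, diagnosticMessage }."""
    op = ber_int(0x0A, result_code) + tlv(0x04, matched_dn) + tlv(0x04, diagnostic)
    return tlv(0x30, ber_int(0x02, msg_id) + tlv(0x61, op))     # 0x61 = APPLICATION 1, constructed


def bind_check_passes(resp, accepted=(SUCCESS,)):
    """Health-check verdict: True only for a well-formed BindResponse whose resultCode is in `accepted`.
    accepted=(SUCCESS, INVALID_CREDENTIALS) is the relaxed check proposed as solution 2."""
    try:
        tag, body, _ = read_tlv(resp)
        if tag != 0x30:
            return False
        _, _mid, pos = read_tlv(body)
        tag, op, _ = read_tlv(body, pos)
        if tag != 0x61:
            return False
        tag, code, _ = read_tlv(op)
        if tag != 0x0A:
            return False
    except (IndexError, ValueError):
        return False                        # garbage or a truncated reply is not a healthy LDAP server
    return int.from_bytes(code, "big") in accepted


if __name__ == "__main__":
    print(parse_bind_request(DEF_LDAP_CHECK_REQ))          # messageID 1, version 3, empty name, simple, empty password
    print(bind_request() == DEF_LDAP_CHECK_REQ)            # the macro is exactly an anonymous simple bind
    deny = bind_response(1, INVALID_CREDENTIALS, diagnostic=b"anonymous bind disallowed")
    print(bind_check_passes(deny), bind_check_passes(deny, accepted=(SUCCESS, INVALID_CREDENTIALS)))
```

Two practical notes. A server that answers resultCode 49 has parsed the request, looked at its own policy and answered in valid LDAP, so for a "does this backend speak LDAPv3" check the relaxed form is reasonable; what it cannot tell you is whether that server will accept any real credentials. And if the check is ever extended to a name/password bind, the password travels in clear text in the simple [0] octet string, so it needs a dedicated low-privilege probe account and a TLS-protected connection.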

