Hello
Thanks so much. That worked well, I now get
*L7OK/0 in 0ms*
not sure I believe the 0ms but maybe I should
Thanks again,
Neil
On 30 March 2015 at 22:14, Baptiste <bed...@gmail.com> wrote:
> On Mon, Mar 30, 2015 at 10:33 PM, Neil - HAProxy List
> <maillist-hapr...@iamafreeman.com> wrote:
> > Hello
> >
> > I'm trying to use ldap-check with active directory and the response
> active
> > directory gives is not one ldap-check is happy to accept
> >
> > when I give a 389 directory backend ldap server all is well, when I use
> AD I
> > get 'Not LDAPv3 protocol'
> >
> > I've done a little poking about and found that
> > if ((msglen > 2) ||
> > (memcmp(check->bi->data + 2 + msglen,
> > "\x02\x01\x01\x61", 4) != 0)) {
> > set_server_check_status(check,
> > HCHK_STATUS_L7RSP, "Not LDAPv3 protocol");
> > is where I'm getting stopped as msglen is 4
> >
> > Here is tcpdump of 389 directory response (the one that works) 2 packets
> > 21:29:34.195699 IP 389.ldap > HAPROXY.57109: Flags [.], ack 15, win 905,
> > options [nop,nop,TS val 856711882 ecr 20393440], length 0
> > 0x0000: 0050 5688 7042 0064 403b 2700 0800 4500 .PV.pB.d@;'...E.
> > 0x0010: 0034 9d07 4000 3f06 3523 ac1b e955 ac18 .4..@.?.5#...U..
> > 0x0020: 2810 0185 df15 5cab ffcd 63ba 77d3 8010 (.....\...c.w...
> > 0x0030: 0389 2c07 0000 0101 080a 3310 62ca 0137 ..,.......3.b..7
> > 0x0040: 2de0 -.
> > 21:29:34.195958 IP 389.ldap > HAPROXY.57109: Flags [P.], seq 1:15, ack
> 15,
> > win 905, options [nop,nop,TS val 856711882 ecr 20393440], length 14
> > 0x0000: 0050 5688 7042 0064 403b 2700 0800 4500 .PV.pB.d@;'...E.
> > 0x0010: 0042 9d08 4000 3f06 3514 ac1b e955 ac18 .B..@.?.5....U..
> > 0x0020: 2810 0185 df15 5cab ffcd 63ba 77d3 8018 (.....\...c.w...
> > 0x0030: 0389 e878 0000 0101 080a 3310 62ca 0137 ...x......3.b..7
> > 0x0040: 2de0 300c 0201 0161 070a 0100 0400 0400 -.0....a........
> >
> > Here is tcpdump of active directory (broken) 1 packet
> >
> > 21:25:24.519883 IP ADSERVER.ldap > HAPROXY.57789: Flags [P.], seq 1:23,
> ack
> > 15, win 260, options [nop,nop,TS val 1870785 ecr 20331021], length 22
> > 0x0000: 0050 5688 7042 0050 5688 7780 0800 4500 .PV.pB.PV.w...E.
> > 0x0010: 004a 1d7d 4000 8006 34e3 ac18 280d ac18 .J.}@...4...(...
> > 0x0020: 2810 0185 e1bd 5a3f 2ae7 3ced 7b5b 8018 (.....Z?*.<.{[..
> > 0x0030: 0104 1d7a 0000 0101 080a 001c 8bc1 0136 ...z...........6
> > 0x0040: 3a0d 3084 0000 0010 0201 0161 8400 0000 :.0........a....
> > 0x0050: 070a 0100 0400 0400
> >
> > this was discussed but not finished before see
> > http://www.serverphorums.com/read.php?10,394453
> >
> > I can see the string \02\01\01\61 is there but not in the correct place
> >
> > Anyone have any ideas about fixing this so that both (and possibly other)
> > ldap implementations work?
> >
> > Thanks,
> >
> > Neil
>
>
> Hi Neil
>
> Yes you can switch to the tcp-check checking method.
> I works with binary protocols as well.
> Here is what I use for the AD in my lab:
>
> option tcp-check
> tcp-check connect port 389
> tcp-check send-binary 300c0201 # LDAP bind request "<ROOT>" simple
> tcp-check send-binary 01 # message ID
> tcp-check send-binary 6007 # protocol Op
> tcp-check send-binary 0201 # bind request
> tcp-check send-binary 03 # LDAP v3
> tcp-check send-binary 04008000 # name, simple authentication
> tcp-check expect binary 0a0100 # bind response + result code: success
> tcp-check send-binary 30050201034200 # unbind request
>
>
> You could add the same sequence for LDAPs on port 636:
> tcp-check connect port 636 ssl
> tcp-check send-binary 300c0201 # LDAP bind request "<ROOT>" simple
> tcp-check send-binary 01 # message ID
> tcp-check send-binary 6007 # protocol Op
> tcp-check send-binary 0201 # bind request
> tcp-check send-binary 03 # LDAP v3
> tcp-check send-binary 04008000 # name, simple authentication
> tcp-check expect binary 0a0100 # bind response + result code: success
> tcp-check send-binary 30050201034200 # unbind request
>
>
> Note for myself: put this tip on the blog..
>
> Baptiste
>
