Hi Thierry,

On Fri, Nov 3, 2017 at 8:16 AM, Thierry Fournier <tfourn...@arpalert.org> wrote:

> > On 2 Nov 2017, at 21:56, my.card....@web.de wrote:
> >
> > Hi all,
> >
> > the attached patch implements authentication against an LDAP Directory
> > Server. It has been tested on Ubuntu 16.04 (x86_64) using libldap-2.4-2 on
> > the client side and 389-ds-base 1.3.4.9-1 on the server side. Add
> > USE_LDAP=1 to your make command line to compile it in.
> >
> > What do I have to do, to get this functionality integrated within the
> > next official haproxy release?
> >
> > I'm currently trying to figure out, how to pass commas ',' and bracket
> > '(', ')' as arguments to http_auth_ldap. Do you have any hints for me on
> > this topic?
> >
> > Feedback is very welcome!
>
> Hi, thanks for your patch.
>
> I already tried to add ldap authent in haproxy, but unfortunately the
> OpenLDAP library is only available in blocking mode. Unfortunately (again)
> OpenLDAP seems to be the only LDAP lib available. So during the
> processing of the sample fetch “http_auth_ldap”, the following functions
> perform some network requests and block HAProxy.
>
> * ldap_initialize (maybe)
> * ldap_simple_bind_s
> * ldap_search_ext_s
>
> HAProxy is blocked waiting for LDAP response, so during this time HAProxy
> no longer processes more HTTP requests. This behavior is not acceptable under
> heavy load.

How about cases that have light load :-). I've been asking/waiting for this feature for a long time and think it is (going to be) a very valuable addition to haproxy.

Anyway, if you had experienced some issues with the lib I wonder what is the way Apache and Nginx are doing it without any performance impact? (or so we think?)

Maybe I would argue that as a feature it should be included in haproxy anyway and be left to the users to opt for using it or not, with a heavy warning about possible performance impact.

> Two ways for performing LDAP authent:
>
> * easy: look for SPOE protocol. You just write a multithreaded server which
> listens to HAProxy for SPOE, performs the LDAP request and returns the response. You
> will find an example of a SPOE server in the contrib directory. I guess
> that an SPOE contrib for LDAP authent will be welcome.
>
> * difficult: make your own LDAP payload (very hard with v3 and crypto) and
> write code for using a socket like SPOE or Lua cosocket
>
> Best regards,
> Thierry
>
> > Kind regards,
> >
> > Danny
> > <0001-Simple-LDAP-authentication.patch>

Cheers,
Igor
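
Added example, not part of the thread and not HAProxy or patch code: a small Python simulation of the behaviour discussed above, where a synchronous bind made on the event-loop thread holds up an unrelated request, while handing the same call to worker threads (the role the multithreaded SPOE agent would play) does not. `blocking_bind`, the 0.3 s round trip and the credentials are constructed stand-ins; no LDAP library is called.

```python
import asyncio
import time
from concurrent.futures import ThreadPoolExecutor

LDAP_RTT = 0.3  # constructed value: simulated directory round trip (seconds)


def blocking_bind(user, password):
    """Stand-in for a synchronous call such as ldap_simple_bind_s."""
    time.sleep(LDAP_RTT)  # the calling thread is stuck here until the reply
    return (user, password) == ("alice", "s3cret")  # constructed credentials


async def auth_inline(order):
    # The blocking call runs on the event-loop thread itself.
    ok = blocking_bind("alice", "s3cret")
    order.append("auth")
    return ok


async def auth_offloaded(order, pool):
    # The same call runs on a worker thread; the loop stays free.
    loop = asyncio.get_running_loop()
    ok = await loop.run_in_executor(pool, blocking_bind, "alice", "s3cret")
    order.append("auth")
    return ok


async def plain_request(order, start):
    # An unrelated request that needs no directory lookup.
    await asyncio.sleep(0)
    order.append("plain")
    return time.monotonic() - start


async def _run(offload):
    order, start = [], time.monotonic()
    with ThreadPoolExecutor(max_workers=4) as pool:
        auth = auth_offloaded(order, pool) if offload else auth_inline(order)
        ok, latency = await asyncio.gather(auth, plain_request(order, start))
    return {"order": order, "auth_ok": ok, "plain_latency": latency}


def simulate(offload):
    return asyncio.run(_run(offload))


if __name__ == "__main__":
    for offload in (False, True):
        print("offloaded" if offload else "inline", simulate(offload))
```

In the inline run the unrelated request finishes only after the full simulated round trip; in the offloaded run it finishes first, with the authentication result arriving later.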