On 11/19/20 2:49 AM, Paul B. Henson wrote:
> Amazon's solution for that is to support HAProxy's proxy protocol in
> their load balancer:
>
> https://www.haproxy.com/blog/haproxy/proxy-protocol/
>
> Basically, this is an in band signaling mechanism that inserts an
> additional header in the initial connection data containing the original
> client IP address/source port and destination IP address/source port,

AFAICS this only works with HTTP and SMTP.

> openLDAP does not support the protocol, and I was unable to find any
> past discussion of it.

LDAP uses BER-encoded ASN.1, not ASCII.

The LDAP session tracking extended control [1] can be used to pass the
client's IP address of a proxied connection to the LDAP server.
Currently slapd only logs the content of this control.

But it would have to be implemented in the proxy, here the AWS
load-balancer. *And* slapd's ACLs would have to be extended to evaluate
this.

Would be a nice feature for lloadd [2].

[1] https://tools.ietf.org/html/draft-wahl-ldap-session-03
[2] https://bugs.openldap.org/show_bug.cgi?id=8747

Ciao, Michael.
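
What a proxy would have to attach to each forwarded LDAP request, shown as an added example that is not part of the original message or of OpenLDAP's code: a BER encoder and decoder for the session tracking control. The control OID, the username format OID and the four-field value layout are taken from the draft in [1] as assumptions; the addresses and names are constructed sample values.

```python
# Added example: BER-encode/decode the LDAP session tracking control.
# Layout assumed from draft-wahl-ldap-session:
#   controlValue ::= SEQUENCE { sessionSourceIp, sessionSourceName,
#                               formatOID, sessionTrackingIdentifier }
SESSION_TRACKING_OID = "1.3.6.1.4.1.21008.108.63.1"
FORMAT_USERNAME_OID = SESSION_TRACKING_OID + ".3"

def ber_len(n):
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value

def octet_string(text):
    return tlv(0x04, text.encode("utf-8"))

def session_tracking_control(source_ip, source_name, identifier,
                             format_oid=FORMAT_USERNAME_OID):
    """Control ::= SEQUENCE { controlType, controlValue }; criticality is
    omitted, which means FALSE, so a server may ignore the control."""
    value = tlv(0x30, octet_string(source_ip) + octet_string(source_name)
                + octet_string(format_oid) + octet_string(identifier))
    return tlv(0x30, octet_string(SESSION_TRACKING_OID) + tlv(0x04, value))

def parse_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def decode_session_tracking(control):
    """Decode a control built above (no criticality field) into (oid, fields)."""
    _, body, _ = parse_tlv(control)
    _, oid, pos = parse_tlv(body)
    _, value, _ = parse_tlv(body, pos)
    _, seq, _ = parse_tlv(value)
    fields, pos = [], 0
    while pos < len(seq):
        _, field, pos = parse_tlv(seq, pos)
        fields.append(field.decode("utf-8"))
    return oid.decode("ascii"), fields
```

The source IP in this control is whatever the sender chose to write, so any server-side evaluation of it would need to accept it only from connections that come from known proxies.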