A simple guide to configuring HAProxy in front of 389 Directory Server over LDAP, for testing purposes. If used in production, make sure to use valid certificates instead of the self-signed ones used in this guide.
This guide covers LDAP/LDAPS configuration only. GSSAPI/EXTERNAL and LDAP with StartTLS may be covered later in a separate document.
We will need three Fedora (e.g. F38) virtual machines for this setup: one for HAProxy, one for the 389 DS server and one for the client. You can use another distribution, but carefully check that its HAProxy build supports all of the features mentioned here.
Configure the hostnames and the /etc/hosts file as needed on all three machines so that they can resolve each other (this guide uses haproxy.example.com for the HAProxy machine and server.example.com for the 389 DS server).
On the HAProxy server machine, perform the following steps:
dnf install haproxy
Edit the /etc/haproxy/haproxy.cfg file (the file the Fedora haproxy package and its systemd unit use) to contain the following. The global, defaults, frontend and backend section headers and mode tcp are required for HAProxy to load the file; the frontend and backend names are examples:
global
    log 127.0.0.1 local2
    stats socket /var/lib/haproxy/stats
defaults
    timeout connect 5s
    timeout client 1m
    timeout server 1m
frontend ldaps_front
    mode tcp
    bind *:636 ssl crt /etc/haproxy/haproxy.pem
    default_backend ldaps_back
backend ldaps_back
    mode tcp
    server ldap1 server.example.com:636 send-proxy-v2 ssl verify required ca-file /etc/pki/tls/certs/server-cert-ca.pem
HAProxy terminates TLS on port 636 with haproxy.pem, re-encrypts the connection to the 389 DS server and verifies the server's certificate against the CA file exported from the instance; send-proxy-v2 prepends a PROXY protocol header so that the server sees the real client address.
If you want to use the non-secure port instead, replace the bind line with bind *:389 and the server line with the following. This is not recommended, because the LDAP traffic then travels unencrypted on both legs:
server ldap1 server.example.com:389 send-proxy-v2
For human-readable PROXY protocol headers (version 1), use send-proxy instead of send-proxy-v2.
Create the haproxy.pem certificate bundle using the following steps:
a. Generate the private key for the self-signed CA:
openssl genpkey -algorithm RSA -out ca.key -pkeyopt rsa_keygen_bits:2048
This creates a 2048-bit RSA private key for the self-signed CA.
b. Generate the self-signed CA certificate:
openssl req -new -x509 -key ca.key -out ca.crt -days 365
You will be prompted for various details to include in the certificate, such as the common name (CN), organization name, and location.
c. Generate a private key for the server:
openssl genpkey -algorithm RSA -out server.key -pkeyopt rsa_keygen_bits:2048
d. Generate a certificate signing request (CSR) for the new server key:
openssl req -new -key server.key -out server.csr
You will be prompted for various details to include in the request. The common name (CN) must match the name that clients will use to connect to HAProxy (e.g., haproxy.example.com). Note that this request carries no subjectAltName extension: OpenLDAP clients fall back to matching the CN, but many other TLS clients require a SAN, so add one for anything beyond this test setup.
e. Sign the CSR with the self-signed CA:
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365
This signs the CSR using the self-signed CA’s private key and certificate, producing a signed certificate.
f. Finally, create the PEM files. HAProxy needs the server's private key and certificate in one file:
cat server.key server.crt > haproxy.pem
The client needs only the CA certificate, which is enough for it to verify the certificate chain that HAProxy presents; it must never receive server.key:
cat ca.crt > haproxy_client.pem
On the Client machine, perform the following steps:
Copy the haproxy_client.pem certificate to the client machine (for example to /etc/openldap/certs/haproxy_client.pem) and edit the /etc/openldap/ldap.conf file to include this line, pointing at wherever you placed the file:
TLS_CACERT /etc/openldap/certs/haproxy_client.pem
On the Server machine, perform the following steps:
Create a 389 DS instance with the hostname set to server.example.com (you can set it in the INF file created by dscreate create-template).
Export the instance's CA certificate in .pem format and copy it to the HAProxy machine as /etc/pki/tls/certs/server-cert-ca.pem; this is the ca-file HAProxy uses to verify the 389 DS server certificate. The export can be done through the Cockpit web UI.
Set nsslapd-haproxy-trusted-ip to the HAProxy machine's IP address, for example with dsconf <instance> config replace nsslapd-haproxy-trusted-ip=<HAProxy IP>. 389 DS accepts a PROXY protocol header only on connections coming from the addresses listed in this attribute, which is what makes the client address it logs trustworthy. Never list an address that untrusted clients can connect from: such a client could otherwise assert any source address of its choosing.
Back on the HAProxy machine, perform the following steps:
Run setenforce 0 to put SELinux into permissive mode. Do this for testing purposes only; on a real deployment keep SELinux enforcing and instead allow HAProxy to connect to the backend port with setsebool -P haproxy_connect_any 1. Then start the service:
systemctl start haproxy
You can now test the setup by running the following command on your client machine:
ldapsearch -H ldaps://haproxy.example.com:636 -D "cn=directory manager" -W -s base -b ""
This should connect through HAProxy to the 389 DS server, and the server's access log (/var/log/dirsrv/slapd-<instance>/access) should record the client machine's IP address rather than the HAProxy machine's.
If you used the non-secure port configuration, use the following command instead:
ldapsearch -H ldap://haproxy.example.com:389 -D "cn=directory manager" -W -s base -b ""
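The reason the server can log the real client address, and why nsslapd-haproxy-trusted-ip matters, is the PROXY protocol header that send-proxy-v2 places in front of the LDAP stream. The following Python script is an added example, not code from 389 DS or HAProxy: it builds a v2 header the way HAProxy would, parses it the way a backend must, and applies the trusted-proxy check, refusing a header that arrives from any peer not in the trusted list. The refusal policy and the helper names are the example's own choices, and the addresses and the anonymous bind payload are constructed sample data; the example does not claim to reproduce 389 DS's exact handling of such connections.

```python
"""PROXY protocol v2 round trip with a trusted-source check.

Added example, not code from the 389 DS project or from HAProxy. The wire
format is the PROXY protocol v2 layout that send-proxy-v2 emits; the trust
policy, helper names and sample bytes below are this example's own.
"""
import ipaddress
import struct

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # fixed 12-byte v2 signature
PP2_VER2_PROXY = 0x21                      # high nibble: version 2, low nibble: PROXY
PP2_TCP4 = 0x11                            # AF_INET  + SOCK_STREAM
PP2_TCP6 = 0x21                            # AF_INET6 + SOCK_STREAM


def build_pp2_header(src_ip, src_port, dst_ip, dst_port):
    """Bytes HAProxy prepends to the backend stream when send-proxy-v2 is set."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("source and destination address families differ")
    family = PP2_TCP4 if src.version == 4 else PP2_TCP6
    addrs = src.packed + dst.packed + struct.pack("!HH", src_port, dst_port)
    return PP2_SIGNATURE + struct.pack("!BBH", PP2_VER2_PROXY, family, len(addrs)) + addrs


def parse_pp2_header(data):
    """Split a stream into ((src_ip, src_port, dst_ip, dst_port), payload).

    The address tuple is None for a LOCAL (health-check) header. Raises
    ValueError on anything that is not a well-formed v2 header.
    """
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("missing PROXY v2 signature")
    ver_cmd, family, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY protocol version")
    if len(data) < 16 + length:
        raise ValueError("truncated PROXY v2 header")
    body, payload = data[16:16 + length], data[16 + length:]
    if ver_cmd & 0x0F == 0:  # LOCAL command carries no addresses
        return None, payload
    if ver_cmd & 0x0F != 1:
        raise ValueError("unknown PROXY v2 command")
    if family == PP2_TCP4 and length >= 12:
        src, dst = ipaddress.IPv4Address(body[0:4]), ipaddress.IPv4Address(body[4:8])
        sport, dport = struct.unpack("!HH", body[8:12])
    elif family == PP2_TCP6 and length >= 36:
        src, dst = ipaddress.IPv6Address(body[0:16]), ipaddress.IPv6Address(body[16:32])
        sport, dport = struct.unpack("!HH", body[32:36])
    else:
        raise ValueError("unsupported address family or short address block")
    return (str(src), sport, str(dst), dport), payload


def effective_client(peer_ip, data, trusted_proxies):
    """Decide which address the LDAP server should log and apply ACIs to.

    This is the policy that nsslapd-haproxy-trusted-ip expresses: only a
    connection whose TCP peer is a listed proxy may assert a different client
    address. An untrusted peer that sends a PROXY header is refused here, so a
    client that reaches the server directly cannot spoof its source address.
    (The refusal is this example's choice, not a claim about 389 DS internals.)
    Returns (client_ip, ldap_payload).
    """
    peer = ipaddress.ip_address(peer_ip)
    trusted = any(peer in ipaddress.ip_network(t, strict=False) for t in trusted_proxies)
    has_header = data.startswith(PP2_SIGNATURE)
    if not trusted:
        if has_header:
            raise PermissionError("PROXY header from untrusted peer %s" % peer)
        return str(peer), data
    if not has_header:
        return str(peer), data
    addrs, payload = parse_pp2_header(data)
    return (str(peer) if addrs is None else addrs[0]), payload


# Constructed sample LDAP payload: an anonymous LDAPv3 simple BindRequest
# (messageID 1), i.e. the first bytes a client would send after the header.
SAMPLE_BIND = bytes.fromhex("300c020101600702010304008000")

if __name__ == "__main__":
    # Sample addresses (constructed): 203.0.113.7 is the client, 192.0.2.5 the
    # HAProxy machine, 192.0.2.10 the 389 DS server.
    header = build_pp2_header("203.0.113.7", 51234, "192.0.2.10", 636)
    client, payload = effective_client("192.0.2.5", header + SAMPLE_BIND, ["192.0.2.5"])
    print("via HAProxy at 192.0.2.5 -> logged client", client, "payload", payload.hex())
    try:
        effective_client("198.51.100.9", header + SAMPLE_BIND, ["192.0.2.5"])
    except PermissionError as exc:
        print("direct connection with forged header refused:", exc)
```

Running the script shows the two cases side by side: the header relayed by the trusted HAProxy address yields the client's real IP and the untouched bind request, while the same header sent from an unlisted address is refused instead of being believed.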