Bug 2258594

Summary: [RFE] Add PROXY protocol support to 389-ds-base
Product: Red Hat Directory Server
Reporter: thierry bordaz <tbordaz>
Component: 389-ds-base
Assignee: Simon Pichugin <spichugi>
Status: CLOSED ERRATA
QA Contact: LDAP QA Team <idm-ds-qe-bugs>
Severity: high
Docs Contact: Evgenia Martynyuk <emartyny>
Priority: unspecified
Version: 12.4
CC: bsmejkal, idm-ds-dev-bugs, musoni, vashirov
Target Milestone: DS12.4
Keywords: FutureFeature, Triaged
Target Release: dirsrv-12.4
Hardware: Unspecified
OS: Unspecified
Whiteboard: sync-to-jira
Fixed In Version: redhat-ds-12-9040020240116164822-1674d574
Doc Type: If docs needed, set a value
Last Closed: 2024-05-07 00:15:32 UTC
Type: Bug

Description thierry bordaz 2024-01-16 12:50:44 UTC
Description of problem:
This RFE is a RHDS clone of RHEL bug 1382123


Please add support to 389-base for the PROXY protocol for ACI evaluation and also for logging client queries. The proxy protocol is described here:

http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt

Background:
As a network engineer, I can say that having a load balancer in path in your network is a bad idea. It is bad because it becomes part of the network and it becomes the weakest link. It limits the capacity of the network and becomes additional points of failure in the network. The ideal place for a load balancer is on the side, with the client traffic being network address translated to address ranges from SNAT pools, where the server receiving the traffic never directly sees the IP address of the client.

Load balancing out-of-path traffic to a group of LDAP servers presents a semi-unique problem when ACIs must be evaluated against the client IP address and also for client logging. The PROXY protocol provides this information to the backend servers via an additional TCP header so that the ACIs can be correctly evaluated and client traffic can be logged.

A great example of non-http software that is capable of using the additional tcp header is the Postfix MTA. There is an announcement here:

http://permalink.gmane.org/gmane.comp.web.haproxy/8881


Version-Release number of selected component (if applicable):
N/A (RFE)
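To make the mechanism the RFE asks for concrete, here is an added example (written for this page, not code from 389-ds-base or from the linked pull request) of what a backend has to do with the PROXY protocol: parse the v1 text header and the v2 binary header that a load balancer prepends to the TCP stream, believe that header only when the TCP peer is a trusted load balancer (otherwise any direct client could forge a source address and pass an IP-based ACI), then hand the recovered client address to an IP-based access rule and to the access log. The listener address, the trusted-proxy list, the sample LDAP bytes and the `aci_ip_allows`/`access_log_line` helpers are all constructed for the example; only the header layouts come from the linked proxy-protocol.txt specification.

```python
"""Added example (not 389-ds-base code): parse a PROXY protocol v1/v2 header,
honour it only from trusted load balancers, and use the recovered client
address for an IP-based access rule and for the access log."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

V1_PREFIX = b"PROXY "
V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"       # 12-byte v2 signature from the spec
V1_MAX_LINE = 107                         # spec: v1 line incl. CRLF is at most 107 bytes


@dataclass
class ProxyInfo:
    version: int
    family: str                 # "TCP4", "TCP6", "UNKNOWN" (v1) or "LOCAL" (v2)
    src_ip: Optional[str]       # None when the proxy did not supply a client address
    src_port: Optional[int]
    header_len: int             # bytes to strip before the LDAP stream begins


def parse_v1(data: bytes) -> ProxyInfo:
    """v1: 'PROXY TCP4 <src> <dst> <sport> <dport>\\r\\n' or 'PROXY UNKNOWN ...\\r\\n'."""
    end = data.find(b"\r\n")
    if end < 0 or end + 2 > V1_MAX_LINE:
        raise ValueError("v1 line not CRLF-terminated within 107 bytes")
    fields = data[:end].decode("ascii").split(" ")
    if fields[0] != "PROXY" or len(fields) < 2:
        raise ValueError("bad v1 prefix")
    if fields[1] == "UNKNOWN":             # proxy could not determine the client
        return ProxyInfo(1, "UNKNOWN", None, None, end + 2)
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed v1 line")
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    want = 4 if fields[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match stated protocol")
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return ProxyInfo(1, fields[1], str(src), sport, end + 2)


def parse_v2(data: bytes) -> ProxyInfo:
    """v2: 12-byte signature, ver/cmd byte, family/proto byte, u16 length, addresses."""
    if len(data) < 16:
        raise ValueError("short v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("not a v2 header")
    total = 16 + length
    if len(data) < total:
        raise ValueError("truncated v2 address block")
    cmd, fam = ver_cmd & 0x0F, fam_proto >> 4
    if cmd == 0x0:                         # LOCAL: e.g. the balancer's own health check
        return ProxyInfo(2, "LOCAL", None, None, total)
    if cmd != 0x1:
        raise ValueError("unknown v2 command")
    if fam == 0x1 and length >= 12:        # AF_INET: src4 dst4 sport dport
        s, _d, sp, _dp = struct.unpack("!4s4sHH", data[16:28])
        return ProxyInfo(2, "TCP4", str(ipaddress.IPv4Address(s)), sp, total)
    if fam == 0x2 and length >= 36:        # AF_INET6: src16 dst16 sport dport
        s, _d, sp, _dp = struct.unpack("!16s16sHH", data[16:52])
        return ProxyInfo(2, "TCP6", str(ipaddress.IPv6Address(s)), sp, total)
    return ProxyInfo(2, "UNKNOWN", None, None, total)   # AF_UNIX/unspec: use socket peer


def parse_proxy_header(data: bytes) -> ProxyInfo:
    if data.startswith(V2_SIG):
        return parse_v2(data)
    if data.startswith(V1_PREFIX):
        return parse_v1(data)
    raise ValueError("expected a PROXY header on this listener")


def resolve_client(peer_ip: str, trusted_proxies, data: bytes) -> Tuple[str, bytes]:
    """Return (client_ip, remaining_bytes). The header is believed only when the TCP
    peer is a trusted load balancer; any other peer's bytes go to LDAP untouched, so a
    forged 'PROXY ...' line from a direct client cannot change the ACI decision."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(n) for n in trusted_proxies):
        return peer_ip, data
    info = parse_proxy_header(data)
    client = info.src_ip if info.src_ip else peer_ip   # UNKNOWN/LOCAL: keep socket peer
    return client, data[info.header_len:]


def aci_ip_allows(client_ip: str, allowed_networks) -> bool:
    """Hypothetical stand-in for an 'ip=' bind rule: allow if inside any listed network."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(n) for n in allowed_networks)


def access_log_line(client_ip: str, peer_ip: str, op: str) -> str:
    """Log both addresses so the record stays auditable when they differ."""
    return f"conn from={client_ip} via_proxy={peer_ip} op={op}"


# Constructed sample input: balancer 10.0.0.5 fronting client 192.0.2.10,
# followed by an anonymous LDAPv3 simple bind (hand-encoded BER).
ANON_BIND = bytes.fromhex("300c020101600702010304008000")
V1_SAMPLE = b"PROXY TCP4 192.0.2.10 198.51.100.5 54321 389\r\n" + ANON_BIND
V2_SAMPLE = (V2_SIG + bytes([0x21, 0x11]) + struct.pack("!H", 12)
             + ipaddress.IPv4Address("192.0.2.10").packed
             + ipaddress.IPv4Address("198.51.100.5").packed
             + struct.pack("!HH", 54321, 389) + ANON_BIND)
TRUSTED = ["10.0.0.0/24"]

if __name__ == "__main__":
    for sample in (V1_SAMPLE, V2_SAMPLE):
        client, rest = resolve_client("10.0.0.5", TRUSTED, sample)
        print(access_log_line(client, "10.0.0.5", "BIND"),
              "aci_ok=%s" % aci_ip_allows(client, ["192.0.2.0/24"]), rest == ANON_BIND)
    # A direct (untrusted) peer sending the same header is not believed.
    print(resolve_client("203.0.113.9", TRUSTED, V1_SAMPLE)[0])
```

The trusted-proxy check in `resolve_client` is the part that matters for ACIs: without it, the PROXY header is simply a client-controlled string, and an `ip=`-style rule evaluated against it grants whatever address the client claims. The v1 `UNKNOWN` and v2 `LOCAL` cases fall back to the socket peer so that health checks and unresolvable clients are still logged against a real address.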

Comment 4 Viktor Ashirov 2024-03-13 09:27:46 UTC
We need to add this https://github.com/389ds/389-ds-base/pull/6107 to the build.

Comment 7 errata-xmlrpc 2024-05-07 00:15:32 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (redhat-ds:12 bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2024:2718