Add How To Test HAProxy #3

Merged
merged 3 commits into from Jun 14, 2023

@droideck droideck commented Jun 9, 2023

No description provided.

## Introduction

A simple guide for HAProxy with LDAP configuration for testing purposes. If used in production, make sure to use valid certificates (as opposed to self-signed used in the guide).

Contributor

As we may add other examples in the future,
I would add another chapter level:

Example supporting simple authentication over ldaps

Then

Step 1: Create Virtual Machines

...

I do not think it is possible to perform GSSAPI or EXTERNAL (i.e. certificate-based) authentication over HAProxy with the current code but if someday it is possible, we want to document that in this howto.
And we may add the config on plain ldap (I wonder how the certificate validation for StartTLS would work through HAProxy - it probably does not work with current code ...)

Member Author

@vashirov may fix me, but HAProxy doesn't provide any easy and secure way for GSSAPI/EXTERNAL configuration if I understand correctly. It may forward what it gets from the client, but that's it.
And for StartTLS - the same's true.

We can have a task for future investigation, but I think we should go with SSL and recommend this to the 389 DS administrators.

Contributor

'We can have a task for future investigation, but I think we should go with SSL and recommend this to the 389 DS administrators.'

Sorry if I was not clear. I fully agree with you, my point is only to:

  • structure the document in order to allow it to evolve if needed.
  • Specify clearly that this document describes the use of HAProxy over ldaps.
    It is an important point and it is not explicitly mentioned in the current version of the document.

FYI: About GSSAPI, I also do not think that there are any solutions; for EXTERNAL/StartTLS, IMHO there may be a partial solution if NSS provides the right callbacks (but as you said, it is another story and another ticket!)

Member Author

>   • structure the document in order to allow it to evolve if needed.
>   • Specify clearly that this document describes the use of HAProxy over ldaps.
>     It is an important point and it is not explicitly mentioned in the current version of the document.

Got it and fully agree! I'll restructure the doc accordingly...

@droideck
Member Author

Okay, I clarified that the document is about LDAP/LDAPS and that a separate document will be created for GSSAPI/EXTERNAL and StartTLS (if it ever happens).

> structure the document in order to allow it to evolve if needed.

I've tried to imagine how to restructure this document, but too many steps will be different if we include GSSAPI/EXTERNAL (starting from Step 2 and nearly to the final step). So I think it'll be better to create another doc and cross-link them between each other.
What do you think?

@droideck droideck requested a review from progier389 June 13, 2023 21:19
Contributor

@progier389 progier389 left a comment

LGTM

@droideck droideck merged commit ede1cdc into main Jun 14, 2023