Add PROXY-protocol listener support to slapd

dabelenda · dabelenda · commit 2756857c3864 · 2025-11-28T13:41:35.000+01:00
diff --git a/REFERENCE.md b/REFERENCE.md
@@ -453,6 +453,8 @@ The following parameters are available in the `openldap::server` class:
 
 * [`krb5_keytab_file`](#-openldap--server--krb5_keytab_file)
 * [`krb5_client_keytab_file`](#-openldap--server--krb5_client_keytab_file)
+* [`pldap_ifs`](#-openldap--server--pldap_ifs)
+* [`pldaps_ifs`](#-openldap--server--pldaps_ifs)
 * [`package`](#-openldap--server--package)
 * [`confdir`](#-openldap--server--confdir)
 * [`conffile`](#-openldap--server--conffile)
@@ -502,6 +504,26 @@ configuring sasl with backend GSSAPI
 
 Default value: `undef`
 
+##### <a name="-openldap--server--pldap_ifs"></a>`pldap_ifs`
+
+Data type: `Array[String[1]]`
+
+Allows to configure the HAProxy PROXY protol handling of openldap.
+This allows to get IPs of clients through a load-balancer for logging or filtering.
+Must not use the same ports as the native listeners.
+
+Default value: `[]`
+
+##### <a name="-openldap--server--pldaps_ifs"></a>`pldaps_ifs`
+
+Data type: `Array[String[1]]`
+
+Allows to configure the HAProxy PROXY protol handling of openldap.
+This allows to get IPs of clients through a load-balancer for logging or filtering.
+Must not use the same ports as the native listeners.
+
+Default value: `[]`
+
 ##### <a name="-openldap--server--package"></a>`package`
 
 Data type: `String[1]`
diff --git a/manifests/server.pp b/manifests/server.pp
@@ -5,6 +5,14 @@
 # @param krb5_client_keytab_file
 #   if set, manage the env variable KRB5_CLIENT_KTNAME on Debian based operating systems. This is required when
 #   configuring sasl with backend GSSAPI
+# @param pldap_ifs
+#   Allows to configure the HAProxy PROXY protol handling of openldap.
+#   This allows to get IPs of clients through a load-balancer for logging or filtering.
+#   Must not use the same ports as the native listeners.
+# @param pldaps_ifs
+#   Allows to configure the HAProxy PROXY protol handling of openldap.
+#   This allows to get IPs of clients through a load-balancer for logging or filtering.
+#   Must not use the same ports as the native listeners.
 class openldap::server (
   String[1] $package,
   String[1] $confdir,
@@ -27,6 +35,8 @@
   Hash $databases                                   = {},
   Array[String[1]] $ldap_ifs                        = ['/'],
   Array[String[1]] $ldaps_ifs                       = [],
+  Array[String[1]] $pldaps_ifs                      = [],
+  Array[String[1]] $pldap_ifs                       = [],
   Optional[String] $slapd_params                    = undef,
   Optional[Stdlib::Port] $ldap_port                 = undef,
   Optional[Stdlib::IP::Address] $ldap_address       = undef,
diff --git a/manifests/server/config.pp b/manifests/server/config.pp
@@ -17,6 +17,10 @@
   $ldap_config_backend = $openldap::server::ldap_config_backend
   $enable_memory_limit = $openldap::server::enable_memory_limit
 
+  $slapd_pldap_ifs = empty($openldap::server::pldap_ifs) ? {
+    false => join(prefix($openldap::server::pldap_ifs, 'pldap://'), ' '),
+    true  => '',
+  }
   $slapd_ldap_ifs = empty($openldap::server::ldap_ifs) ? {
     false => join(prefix($openldap::server::ldap_ifs, 'ldap://'), ' '),
     true  => '',
@@ -29,11 +33,15 @@
     false => join(prefix($escaped_ldapi_ifs, 'ldapi://'), ' '),
     true  => '',
   }
+  $slapd_pldaps_ifs = empty($openldap::server::pldaps_ifs) ? {
+    false => join(prefix($openldap::server::pldaps_ifs, 'pldaps://'), ' '),
+    true  => '',
+  }
   $slapd_ldaps_ifs = empty($openldap::server::ldaps_ifs) ? {
     false  => join(prefix($openldap::server::ldaps_ifs, 'ldaps://'), ' '),
     true => '',
   }
-  $slapd_ldap_urls = "${slapd_ldap_ifs} ${slapd_ldapi_ifs} ${slapd_ldaps_ifs}"
+  $slapd_ldap_urls = "${slapd_ldap_ifs} ${slapd_pldap_ifs} ${slapd_ldapi_ifs} ${slapd_ldaps_ifs} ${slapd_pldaps_ifs}"
 
   file { $openldap::server::confdir:
     ensure => directory,
diff --git a/spec/acceptance/openldap__server_spec.rb b/spec/acceptance/openldap__server_spec.rb
@@ -79,4 +79,34 @@ class { 'openldap::server':
       end
     end
   end
+
+  # if (fact('os.family') == 'Debian' && fact('os.release.major') == 11) ||
+  #                                        (fact('os.family') == 'RedHat' && fact('os.release.major') == 8)
+  skip('Does not work on openldap 2.4')
+  context 'when enabling PROXY Protocol' do
+    it 'idempotentlies run' do
+      pp = <<-EOS
+        class { 'openldap::server':
+          ldaps_ifs  => ['/'],
+          ssl_key    => "/etc/ldap/ssl/${facts['networking']['fqdn']}.key",
+          ssl_cert   => "/etc/ldap/ssl/${facts['networking']['fqdn']}.crt",
+          ssl_ca     => '/etc/ldap/ssl/ca.pem',
+          pldaps_ifs => ['[::]:3269/'],
+          pldap_ifs  => ['[::]:7389/'],
+        }
+      EOS
+
+      idempotent_apply(pp)
+    end
+
+    # rubocop:disable RSpec/RepeatedExampleGroupBody
+    describe port(7389) do
+      it { is_expected.to be_listening }
+    end
+
+    describe port(3269) do
+      it { is_expected.to be_listening }
+    end
+    # rubocop:enable RSpec/RepeatedExampleGroupBody
+  end
 end
