Hi there!
I needed to access an LDAP user base running inside an NS8 node from the outside.
After discussing with @davidep, we realized that we already have a powerful L4 proxy available outside the NS8 node - traefik - and thought it could help us tackle this challenge.
Good news: traefik can handle L4 connections!
I gave it a try, and it worked!
Here’s what I did:
- From a shell on the NS8 node, I ran:

  ```
  ss -tulpn | grep slapd
  ```

  The output showed:

  ```
  tcp LISTEN 0 2048 10.5.4.1:20001 0.0.0.0:* users:(("slapd",pid=35866,fd=7))
  tcp LISTEN 0 2048 127.0.0.1:20001 0.0.0.0:* users:(("slapd",pid=35866,fd=8))
  ```

  so LDAP was listening on port 20001.

- I needed to set up a new entry point. I accessed the traefik instance with:

  ```
  runagent -m traefik1
  ```

  then I edited the `traefik.yml` file:

  ```
  vi traefik.yml
  ```

  I added a new entry point called `ldap`, using a non-standard port (10389). The updated `entryPoints` section looked like this:

  ```yaml
  entryPoints:
    http:
      address: ":80"
    https:
      address: ":443"
    ldap:
      address: ":10389"
  ```

  After saving the file, I restarted the traefik container to apply the changes:

  ```
  systemctl --user restart traefik
  ```

- Next, I created a new config file:

  ```
  vi configs/ldap-service.yml
  ```

  Here's the content I added:

  ```yaml
  tcp:
    routers:
      ldap:
        entryPoints:
          - ldap
        rule: HostSNI(`*`)
        service: ldap-service
    services:
      ldap-service:
        loadBalancer:
          servers:
            - address: "10.5.4.1:20001"
  ```

  NOTE: I used the WireGuard IP of the NS8 node and the port 20001, previously discovered with the `ss` command.

- Finally, I opened port 10389 on the firewall.

  WARNING: Since OpenLDAP on NS8 doesn't use encryption by default, it's strongly recommended to limit access only to trusted IPs.

  Example command:

  ```
  firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="99.88.77.66" port port="10389" protocol="tcp" accept'
  firewall-cmd --reload
  ```
…Et voilà! You can now reach your remote LDAP!
Hope this helps, enjoy!
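A way to confirm that the port exposed through the traefik TCP router really forwards to slapd, as an added example that is not part of the original post: the script below opens a plain TCP connection to the entry point and performs an anonymous LDAPv3 simple bind, encoding the BindRequest and decoding the BindResponse by hand so it needs nothing beyond the Python standard library. The host name `ns8.example.org` is a placeholder, port 10389 is the entry point from the post, and the two sample responses are constructed so the decoder can be exercised offline. Because the connection is cleartext (the same reason the post restricts the firewall rule to trusted source addresses), anything sent after the bind would be visible on the wire, so this check is meant to be run from one of those trusted hosts.

```python
"""Anonymous LDAPv3 bind over plain TCP, to verify an L4-proxied LDAP port.

Added example, not from the original post. Host names and sample
responses below are placeholders / constructed data.
"""
import socket


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One BER element: tag, length, value."""
    return bytes([tag]) + ber_len(len(value)) + value


def read_tlv(data: bytes, pos: int = 0):
    """Decode the element at pos; return (tag, value, position after it)."""
    tag = data[pos]
    first = data[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported BER length encoding")
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    if pos + length > len(data):
        raise ValueError("truncated BER element")
    return tag, data[pos:pos + length], pos + length


def bind_request(msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name "", simple "" } }.

    0x60 is [APPLICATION 0] BindRequest, 0x80 the [0] simple credential.
    msg_id must fit in one byte (< 128) for this minimal encoder."""
    bind = tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, b"") + tlv(0x80, b""))
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + bind)


def parse_bind_response(data: bytes):
    """Decode an LDAPMessage carrying a BindResponse ([APPLICATION 1], 0x61).

    Returns (message_id, result_code, diagnostic_message)."""
    tag, msg, _ = read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = read_tlv(msg)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, body, _ = read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError(f"unexpected protocolOp tag 0x{tag:02x}")
    tag, code, pos = read_tlv(body)          # resultCode (ENUMERATED, 0x0a)
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    _, _matched_dn, pos = read_tlv(body, pos)  # matchedDN
    _, diag, _ = read_tlv(body, pos)           # diagnosticMessage
    return (int.from_bytes(mid, "big"),
            int.from_bytes(code, "big"),
            diag.decode("utf-8", "replace"))


def message_complete(data: bytes) -> bool:
    """True once the buffer holds one whole top-level BER element."""
    try:
        read_tlv(data)
    except (IndexError, ValueError):
        return False
    return True


def check_ldap(host: str, port: int, timeout: float = 5.0):
    """Connect (cleartext!), send an anonymous bind, return the decoded reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(bind_request(1))
        data = b""
        while not message_complete(data):
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("peer closed before sending a BindResponse")
            data += chunk
    return parse_bind_response(data)


# Constructed sample replies (what a server could send back), for offline use.
SAMPLE_SUCCESS = bytes.fromhex("300c020101" "6107" "0a0100" "0400" "0400")
SAMPLE_FAILURE = tlv(0x30, tlv(0x02, b"\x01") + tlv(
    0x61, tlv(0x0A, b"\x31") + tlv(0x04, b"") + tlv(0x04, b"constructed failure message")))

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "ns8.example.org"  # placeholder
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 10389
    mid, code, diag = check_ldap(host, port)
    status = "success" if code == 0 else "failure"
    print(f"messageID={mid} resultCode={code} ({status}) diagnostic={diag!r}")
```

A resultCode of 0 means traefik delivered the bind to slapd and slapd accepted the anonymous session; a non-zero code with a diagnostic still proves the L4 path works (slapd answered), while a timeout or an immediate close points at the entry point, the `HostSNI(`*`)` rule, or the firewall rather than at LDAP itself.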