Commit 25a4d684 authored by Ondřej Kuzník's avatar Ondřej Kuzník

Permit lloadd to share slapd TLS context

parent ef0028e5
......@@ -70,9 +70,11 @@ interpretation wins and the
option mentioned is unavailable through
.BR slapd.conf (5)
directly, instead, it would have to be configured via a dedicated attribute in
cn=config. In particular,
cn=config. In particular, unless the
.B TLSShareSlapdCTX
option is set,
.B lloadd
keeps its own TLS context and serving TLS to clients is not available except
keeps its own TLS context which cannot be configured except
through the dynamic configuration.
An additional option is available when running as a
......@@ -337,9 +339,32 @@ The default is 10000.
If
.B lloadd
is built with support for Transport Layer Security, there are more options
you can specify. None of these are available when compiled as a
you can specify.
.TP
.B TLSShareSlapdCTX { on | off }
If set to no (the default),
.B lloadd
will use its own TLS context (needs to be configured via
.B cn=config
unless
.B lloadd
is run as a standalone daemon). If enabled, the options for
.B slapd
apply instead, since the
.BR slapd 's
TLS context is used then.
.LP
The following options are available only when compiled as a standalone daemon.
When compiled as a
.BR slapd (8)
module except through cn=config.
module, the cn=config equivalents need to be used if a separate TLS context for
the module is needed, otherwise use the
.B TLSShareSlapdCTX
option.
.TP
.B TLSCipherSuite <cipher-suite-spec>
Permits configuring what ciphers will be accepted and the preference order.
......
......@@ -294,7 +294,7 @@ client_tls_handshake_cb( evutil_socket_t s, short what, void *arg )
}
ldap_pvt_thread_mutex_unlock( &c->c_io_mutex );
rc = ldap_pvt_tls_accept( c->c_sb, lload_tls_ctx );
rc = ldap_pvt_tls_accept( c->c_sb, LLOAD_TLS_CTX );
if ( rc < 0 ) {
goto fail;
}
......@@ -374,7 +374,7 @@ client_init(
c->c_is_tls = LLOAD_LDAPS;
rc = ldap_pvt_tls_accept( c->c_sb, lload_tls_ctx );
rc = ldap_pvt_tls_accept( c->c_sb, LLOAD_TLS_CTX );
if ( rc < 0 ) {
Debug( LDAP_DEBUG_CONNS, "client_init: "
"connid=%lu failed initial TLS accept rc=%d\n",
......
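Review bot: The LDAPS path in client_init (second hunk) hands whatever LLOAD_TLS_CTX evaluates to straight to ldap_pvt_tls_accept, without the `!LLOAD_TLS_CTX` guard that handle_starttls has, so with TLSShareSlapdCTX on and slapd's own TLS not configured a NULL context is passed in. If ldap_pvt_tls_accept falls back to the library-global context on a NULL argument (my recollection of alloc_handle in tls2.c, not visible here), such a listener would serve TLS with a context nobody configured for lloadd instead of failing closed. I would mirror the StartTLS guard before the accept and treat a NULL context exactly like a failed accept: `if ( !LLOAD_TLS_CTX ) { Debug( LDAP_DEBUG_ANY, "client_init: connid=%lu no TLS context\n", c->c_connid ); goto <fail path>; }`, using whatever label the existing rc<0 branch jumps to. Both hunks are fragments of functions whose bodies continue outside the diff.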
......@@ -126,6 +126,7 @@ static ConfigDriver config_tls_option;
static ConfigDriver config_tls_config;
#endif
#ifdef BALANCER_MODULE
static ConfigDriver config_share_tls_ctx;
static ConfigDriver backend_cf_gen;
#endif /* BALANCER_MODULE */
......@@ -153,6 +154,7 @@ enum {
CFG_TLS_VERIFY,
CFG_TLS_CRLCHECK,
CFG_TLS_CRL_FILE,
CFG_TLS_SHARE_CTX,
CFG_CONCUR,
CFG_THREADS,
CFG_LOGFILE,
......@@ -587,6 +589,22 @@ static ConfigTable config_back_cf_table[] = {
"SINGLE-VALUE )",
NULL, NULL
},
{ "TLSShareSlapdCTX", NULL, 2, 2, 0,
#if defined(HAVE_TLS) && defined(BALANCER_MODULE)
CFG_TLS_SHARE_CTX|ARG_ON_OFF|ARG_MAGIC,
&config_share_tls_ctx,
#else
ARG_IGNORED,
NULL,
#endif
"( OLcfgBkAt:13.33 "
"NAME 'olcBkLloadTLSShareSlapdCTX' "
"DESC 'Share slapd TLS context (all other lloadd TLS options cease to take effect)' "
"EQUALITY booleanMatch "
"SYNTAX OMsBoolean "
"SINGLE-VALUE )",
NULL, NULL
},
{ "iotimeout", "ms timeout", 2, 2, 0,
ARG_UINT|ARG_MAGIC|CFG_IOTIMEOUT,
&config_generic,
......@@ -716,6 +734,7 @@ static ConfigOCs lloadocs[] = {
"$ olcBkLloadTLSECName "
"$ olcBkLloadTLSProtocolMin "
"$ olcBkLloadTLSCRLFile "
"$ olcBkLloadTLSShareSlapdCTX "
") )",
Cft_Backend, config_back_cf_table,
NULL,
......@@ -2008,6 +2027,31 @@ config_tls_config( ConfigArgs *c )
}
#endif
#ifdef BALANCER_MODULE
static int
config_share_tls_ctx( ConfigArgs *c )
{
int rc = LDAP_SUCCESS;
if ( c->op == SLAP_CONFIG_EMIT ) {
c->value_int = lload_use_slap_tls_ctx;
return rc;
}
lload_change.type = LLOAD_CHANGE_MODIFY;
lload_change.object = LLOAD_DAEMON;
lload_change.flags.daemon |= LLOAD_DAEMON_MOD_TLS;
if ( c->op == LDAP_MOD_DELETE ) {
lload_use_slap_tls_ctx = 0;
return rc;
}
lload_use_slap_tls_ctx = c->value_int;
return rc;
}
#endif /* BALANCER_MODULE */
void
lload_init_config_argv( ConfigArgs *c )
{
......
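Review bot: config_share_tls_ctx flips `lload_use_slap_tls_ctx` at parse time without checking that `slap_tls_ctx` is actually set, so enabling the option in a slapd with no TLS configured surfaces only later as "Could not initialize TLS" on every StartTLS (or a NULL context on the LDAPS path) rather than as a configuration problem. I would at least log it when the flag is turned on while the slapd context is NULL, e.g. `if ( c->value_int && !slap_tls_ctx ) Debug( LDAP_DEBUG_ANY, "%s: TLSShareSlapdCTX on but slapd has no TLS context\n", c->log );` — outright rejection may be wrong if slapd's TLS directives can legitimately follow this one in cn=config, so a warning plus the existing LLOAD_DAEMON_MOD_TLS change record seems the safer shape. The attribute DESC promises that the other lloadd TLS options "cease to take effect", but nothing in the handler or the table entry documents that they are still accepted and silently ignored; a comment above the handler saying so would save the next reader a trip through lload.h.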
......@@ -24,6 +24,9 @@ Avlnode *lload_exop_handlers = NULL;
void *lload_tls_ctx;
LDAP *lload_tls_ld, *lload_tls_backend_ld;
#ifdef BALANCER_MODULE
int lload_use_slap_tls_ctx = 0;
#endif
int
handle_starttls( LloadConnection *c, LloadOperation *op )
......@@ -44,7 +47,7 @@ handle_starttls( LloadConnection *c, LloadOperation *op )
} else if ( c->c_ops ) {
rc = LDAP_OPERATIONS_ERROR;
msg = "cannot start TLS when operations are outstanding";
} else if ( !lload_tls_ctx ) {
} else if ( !LLOAD_TLS_CTX ) {
rc = LDAP_UNAVAILABLE;
msg = "Could not initialize TLS";
}
......
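Review bot: The `!LLOAD_TLS_CTX` guard expands to a read of `lload_use_slap_tls_ctx`, a plain int that config_share_tls_ctx writes directly; if the accept later in handle_starttls (outside this hunk) expands the macro a second time, the check and the use can resolve to different contexts when the option is reconfigured between them. Reading it once, `void *ctx = LLOAD_TLS_CTX;` ahead of the checks and passing `ctx` to the accept, keeps the two consistent regardless of how reconfiguration is serialized. Whether cn=config changes pause the lloadd event threads (which would make this moot) is not visible from the diff. handle_starttls continues outside this hunk.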
......@@ -154,6 +154,12 @@ typedef enum {
LLOAD_FEATURE_PROXYAUTHZ = 1 << 1,
} lload_features_t;
#ifdef BALANCER_MODULE
#define LLOAD_TLS_CTX ( lload_use_slap_tls_ctx ? slap_tls_ctx : lload_tls_ctx )
#else
#define LLOAD_TLS_CTX ( lload_tls_ctx )
#endif
enum lload_tls_type {
LLOAD_CLEARTEXT = 0,
LLOAD_LDAPS,
......
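Review bot: LLOAD_TLS_CTX looks like a variable at its call sites but is an expression over two globals (`lload_use_slap_tls_ctx` and slapd's `slap_tls_ctx`) that must be declared before any includer uses it, and every expansion re-reads both; none of that is stated at the definition. I would add above the `#ifdef BALANCER_MODULE`: `/* TLS context used to serve clients: slapd's shared context when TLSShareSlapdCTX is on, else lloadd's own. Re-evaluated on every use — code that tests it for NULL and then accepts should read it once into a local. */`. A `static inline void *lload_tls_ctx_get( void )` would carry the same explanation as a function comment and give the expression a type, but that is a matter of taste given the surrounding macros.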
......@@ -128,6 +128,9 @@ LDAP_SLAPD_V (struct event *) lload_timeout_event;
LDAP_SLAPD_V (LDAP *) lload_tls_backend_ld;
LDAP_SLAPD_V (LDAP *) lload_tls_ld;
LDAP_SLAPD_V (void *) lload_tls_ctx;
#ifdef BALANCER_MODULE
LDAP_SLAPD_V (int) lload_use_slap_tls_ctx;
#endif /* BALANCER_MODULE */
/*
* extended.c
......