Commit 6ee21f11 authored by Ondřej Kuzník's avatar Ondřej Kuzník Committed by Ondřej Kuzník

Split bind configuration from backends

parent 0e7792e8
......@@ -39,7 +39,7 @@ upstream_name_cb( int result, struct evutil_addrinfo *res, void *arg )
if ( result || !res ) {
Debug( LDAP_DEBUG_ANY, "upstream_name_cb: "
"name resolution failed for backend '%s': %s\n",
b->b_bindconf.sb_uri.bv_val, evutil_gai_strerror( result ) );
b->b_uri.bv_val, evutil_gai_strerror( result ) );
goto fail;
}
......@@ -65,7 +65,7 @@ upstream_name_cb( int result, struct evutil_addrinfo *res, void *arg )
if ( rc && errno != EINPROGRESS && errno != EWOULDBLOCK ) {
Debug( LDAP_DEBUG_ANY, "upstream_name_cb: "
"failed to connect to server '%s'\n",
b->b_bindconf.sb_uri.bv_val );
b->b_uri.bv_val );
goto fail;
}
......@@ -115,7 +115,7 @@ backend_select( Operation *op )
if ( b->b_max_pending && b->b_n_ops_executing >= b->b_max_pending ) {
Debug( LDAP_DEBUG_CONNS, "backend_select: "
"backend %s too busy\n",
b->b_bindconf.sb_uri.bv_val );
b->b_uri.bv_val );
ldap_pvt_thread_mutex_unlock( &b->b_mutex );
b = next;
continue;
......@@ -316,7 +316,7 @@ backends_destroy( void )
Debug( LDAP_DEBUG_CONNS, "backends_destroy: "
"destroying backend uri='%s', numconns=%d, numbindconns=%d\n",
b->b_bindconf.sb_uri.bv_val, b->b_numconns, b->b_numbindconns );
b->b_uri.bv_val, b->b_numconns, b->b_numbindconns );
while ( !LDAP_CIRCLEQ_EMPTY( &b->b_bindconns ) ) {
Connection *c = LDAP_CIRCLEQ_FIRST( &b->b_bindconns );
......@@ -349,27 +349,7 @@ backends_destroy( void )
event_free( b->b_retry_event );
ch_free( b->b_host );
ch_free( b->b_bindconf.sb_uri.bv_val );
ch_free( b->b_bindconf.sb_binddn.bv_val );
ch_free( b->b_bindconf.sb_cred.bv_val );
ch_free( b->b_bindconf.sb_saslmech.bv_val );
ch_free( b->b_bindconf.sb_secprops );
ch_free( b->b_bindconf.sb_realm.bv_val );
ch_free( b->b_bindconf.sb_authcId.bv_val );
ch_free( b->b_bindconf.sb_authzId.bv_val );
#ifdef HAVE_TLS
ch_free( b->b_bindconf.sb_tls_cert );
ch_free( b->b_bindconf.sb_tls_key );
ch_free( b->b_bindconf.sb_tls_cacert );
ch_free( b->b_bindconf.sb_tls_cacertdir );
ch_free( b->b_bindconf.sb_tls_reqcert );
ch_free( b->b_bindconf.sb_tls_cipher_suite );
ch_free( b->b_bindconf.sb_tls_protocol_min );
#ifdef HAVE_OPENSSL_CRL
ch_free( b->b_bindconf.sb_tls_crlcheck );
#endif
#endif
ch_free( b->b_uri.bv_val );
ch_free( b );
}
}
......@@ -100,6 +100,7 @@ static ConfigFile *cfn;
static ConfigDriver config_fname;
static ConfigDriver config_generic;
static ConfigDriver config_backend;
static ConfigDriver config_bindconf;
#ifdef LDAP_TCP_BUFFER
static ConfigDriver config_tcp_buffer;
#endif /* LDAP_TCP_BUFFER */
......@@ -116,10 +117,12 @@ slap_b_head backend = LDAP_CIRCLEQ_HEAD_INITIALIZER(backend);
ldap_pvt_thread_mutex_t backend_mutex;
Backend *current_backend = NULL;
struct slap_bindconf bindconf = {};
enum {
CFG_ACL = 1,
CFG_BACKEND,
CFG_DATABASE,
CFG_BINDCONF,
CFG_TLS_RAND,
CFG_TLS_CIPHER,
CFG_TLS_PROTOCOL_MIN,
......@@ -162,10 +165,14 @@ static ConfigTable config_back_cf_table[] = {
ARG_INT|ARG_MAGIC|CFG_CONCUR,
&config_generic,
},
{ "backend", "type", 2, 0, 0,
ARG_MAGIC|CFG_DATABASE,
{ "backend", "backend options", 2, 0, 0,
ARG_MAGIC|CFG_BACKEND,
&config_backend,
},
{ "bindconf", "backend credentials", 2, 0, 0,
ARG_MAGIC|CFG_BINDCONF,
&config_bindconf,
},
{ "gentlehup", "on|off", 2, 2, 0,
#ifdef SIGHUP
ARG_ON_OFF,
......@@ -471,31 +478,14 @@ config_backend( ConfigArgs *c )
b->b_numbindconns = 1;
for ( i = 1; i < c->argc; i++ ) {
if ( bindconf_parse( c->argv[i], b ) ) {
if ( backend_parse( c->argv[i], b ) ) {
Debug( LDAP_DEBUG_ANY, "config_backend: "
"error parsing backend configuration item '%s'\n",
c->argv[i] );
rc = -1;
goto done;
return -1;
}
}
bindconf_tls_defaults( &b->b_bindconf );
if ( b->b_bindconf.sb_method == LDAP_AUTH_SASL ) {
#ifndef HAVE_CYRUS_SASL
Debug( LDAP_DEBUG_ANY, "config_backend: "
"no sasl support available\n" );
rc = -1;
goto done;
#else /* HAVE_CYRUS_SASL */
Debug( LDAP_DEBUG_ANY, "config_backend: "
"no sasl support yet\n" );
rc = -1;
goto done;
#endif
}
if ( b->b_numconns <= 0 ) {
Debug( LDAP_DEBUG_ANY, "config_backend: "
"invalid connection pool configuration\n" );
......@@ -519,18 +509,18 @@ config_backend( ConfigArgs *c )
b->b_retry_tv.tv_sec = b->b_retry_timeout / 1000;
b->b_retry_tv.tv_usec = ( b->b_retry_timeout % 1000 ) * 1000;
if ( BER_BVISNULL( &b->b_bindconf.sb_uri ) ) {
if ( BER_BVISNULL( &b->b_uri ) ) {
Debug( LDAP_DEBUG_ANY, "config_backend: "
"backend address not specified\n" );
rc = -1;
goto done;
}
rc = ldap_url_parse( b->b_bindconf.sb_uri.bv_val, &lud );
rc = ldap_url_parse( b->b_uri.bv_val, &lud );
if ( rc != LDAP_URL_SUCCESS ) {
Debug( LDAP_DEBUG_ANY, "config_backend: "
"listen URL \"%s\" parse error=%d\n",
b->b_bindconf.sb_uri.bv_val, rc );
b->b_uri.bv_val, rc );
rc = -1;
goto done;
}
......@@ -539,7 +529,7 @@ config_backend( ConfigArgs *c )
if ( ldap_pvt_url_scheme2tls( lud->lud_scheme ) ) {
Debug( LDAP_DEBUG_ANY, "config_backend: "
"TLS not supported (%s)\n",
b->b_bindconf.sb_uri.bv_val );
b->b_uri.bv_val );
rc = -1;
goto done;
}
......@@ -581,7 +571,7 @@ config_backend( ConfigArgs *c )
if ( lud->lud_host == NULL || lud->lud_host[0] == '\0' ) {
Debug( LDAP_DEBUG_ANY, "config_backend: "
"backend url missing hostname: '%s'\n",
b->b_bindconf.sb_uri.bv_val );
b->b_uri.bv_val );
rc = -1;
goto done;
}
......@@ -603,6 +593,37 @@ done:
return rc;
}
static int
config_bindconf( ConfigArgs *c )
{
int i;
for ( i = 1; i < c->argc; i++ ) {
if ( bindconf_parse( c->argv[i], &bindconf ) ) {
Debug( LDAP_DEBUG_ANY, "config_bindconf: "
"error parsing backend configuration item '%s'\n",
c->argv[i] );
return -1;
}
}
bindconf_tls_defaults( &bindconf );
if ( bindconf.sb_method == LDAP_AUTH_SASL ) {
#ifndef HAVE_CYRUS_SASL
Debug( LDAP_DEBUG_ANY, "config_bindconf: "
"no sasl support available\n" );
return -1;
#else /* HAVE_CYRUS_SASL */
Debug( LDAP_DEBUG_ANY, "config_bindconf: "
"no sasl support yet\n" );
return -1;
#endif
}
return 0;
}
static int
config_fname( ConfigArgs *c )
{
......@@ -1882,41 +1903,8 @@ slap_keepalive_parse(
return 0;
}
static int
slap_sb_uri(
struct berval *val,
void *bcp,
slap_cf_aux_table *tab0,
const char *tabmsg,
int unparse )
{
slap_bindconf *bc = bcp;
if ( unparse ) {
if ( bc->sb_uri.bv_len >= val->bv_len ) return -1;
val->bv_len = bc->sb_uri.bv_len;
AC_MEMCPY( val->bv_val, bc->sb_uri.bv_val, val->bv_len );
} else {
bc->sb_uri = *val;
#ifdef HAVE_TLS
if ( ldap_is_ldaps_url( val->bv_val ) ) bc->sb_tls_do_init = 1;
#endif
}
return 0;
}
static slap_cf_aux_table bindkey[] = {
{ BER_BVC("uri="), offsetof(Backend, b_bindconf.sb_uri), 'x', 1, slap_sb_uri },
{ BER_BVC("bindmethod="), offsetof(Backend, b_bindconf.sb_method), 'i', 0, methkey },
{ BER_BVC("timeout="), offsetof(Backend, b_bindconf.sb_timeout_api), 'i', 0, NULL },
{ BER_BVC("network-timeout="), offsetof(Backend, b_bindconf.sb_timeout_net), 'i', 0, NULL },
{ BER_BVC("binddn="), offsetof(Backend, b_bindconf.sb_binddn), 'b', 1, NULL },
{ BER_BVC("credentials="), offsetof(Backend, b_bindconf.sb_cred), 'b', 1, NULL },
{ BER_BVC("saslmech="), offsetof(Backend, b_bindconf.sb_saslmech), 'b', 0, NULL },
{ BER_BVC("secprops="), offsetof(Backend, b_bindconf.sb_secprops), 's', 0, NULL },
{ BER_BVC("realm="), offsetof(Backend, b_bindconf.sb_realm), 'b', 0, NULL },
{ BER_BVC("authcID="), offsetof(Backend, b_bindconf.sb_authcId), 'b', 1, NULL },
{ BER_BVC("authzID="), offsetof(Backend, b_bindconf.sb_authzId), 'b', 1, NULL },
{ BER_BVC("keepalive="), offsetof(Backend, b_bindconf.sb_keepalive), 'x', 0, (slap_verbmasks *)slap_keepalive_parse },
static slap_cf_aux_table backendkey[] = {
{ BER_BVC("uri="), offsetof(Backend, b_uri), 'b', 1, NULL },
{ BER_BVC("numconns="), offsetof(Backend, b_numconns), 'i', 0, NULL },
{ BER_BVC("bindconns="), offsetof(Backend, b_numbindconns), 'i', 0, NULL },
......@@ -1924,19 +1912,34 @@ static slap_cf_aux_table bindkey[] = {
{ BER_BVC("max-pending-ops="), offsetof(Backend, b_max_pending), 'i', 0, NULL },
{ BER_BVC("conn-max-pending="), offsetof(Backend, b_max_conn_pending), 'i', 0, NULL },
{ BER_BVNULL, 0, 0, 0, NULL }
};
static slap_cf_aux_table bindkey[] = {
{ BER_BVC("bindmethod="), offsetof(slap_bindconf, sb_method), 'i', 0, methkey },
{ BER_BVC("timeout="), offsetof(slap_bindconf, sb_timeout_api), 'i', 0, NULL },
{ BER_BVC("network-timeout="), offsetof(slap_bindconf, sb_timeout_net), 'i', 0, NULL },
{ BER_BVC("binddn="), offsetof(slap_bindconf, sb_binddn), 'b', 1, NULL },
{ BER_BVC("credentials="), offsetof(slap_bindconf, sb_cred), 'b', 1, NULL },
{ BER_BVC("saslmech="), offsetof(slap_bindconf, sb_saslmech), 'b', 0, NULL },
{ BER_BVC("secprops="), offsetof(slap_bindconf, sb_secprops), 's', 0, NULL },
{ BER_BVC("realm="), offsetof(slap_bindconf, sb_realm), 'b', 0, NULL },
{ BER_BVC("authcID="), offsetof(slap_bindconf, sb_authcId), 'b', 1, NULL },
{ BER_BVC("authzID="), offsetof(slap_bindconf, sb_authzId), 'b', 1, NULL },
{ BER_BVC("keepalive="), offsetof(slap_bindconf, sb_keepalive), 'x', 0, (slap_verbmasks *)slap_keepalive_parse },
#ifdef HAVE_TLS
{ BER_BVC("starttls="), offsetof(Backend, b_bindconf.sb_tls), 'i', 0, tlskey },
{ BER_BVC("tls_cert="), offsetof(Backend, b_bindconf.sb_tls_cert), 's', 1, NULL },
{ BER_BVC("tls_key="), offsetof(Backend, b_bindconf.sb_tls_key), 's', 1, NULL },
{ BER_BVC("tls_cacert="), offsetof(Backend, b_bindconf.sb_tls_cacert), 's', 1, NULL },
{ BER_BVC("tls_cacertdir="), offsetof(Backend, b_bindconf.sb_tls_cacertdir), 's', 1, NULL },
{ BER_BVC("tls_reqcert="), offsetof(Backend, b_bindconf.sb_tls_reqcert), 's', 0, NULL },
{ BER_BVC("tls_reqsan="), offsetof(Backend, b_bindconf.sb_tls_reqsan), 's', 0, NULL },
{ BER_BVC("tls_cipher_suite="), offsetof(Backend, b_bindconf.sb_tls_cipher_suite), 's', 0, NULL },
{ BER_BVC("tls_protocol_min="), offsetof(Backend, b_bindconf.sb_tls_protocol_min), 's', 0, NULL },
{ BER_BVC("tls_ecname="), offsetof(Backend, b_bindconf.sb_tls_ecname), 's', 0, NULL },
{ BER_BVC("starttls="), offsetof(slap_bindconf, sb_tls), 'i', 0, tlskey },
{ BER_BVC("tls_cert="), offsetof(slap_bindconf, sb_tls_cert), 's', 1, NULL },
{ BER_BVC("tls_key="), offsetof(slap_bindconf, sb_tls_key), 's', 1, NULL },
{ BER_BVC("tls_cacert="), offsetof(slap_bindconf, sb_tls_cacert), 's', 1, NULL },
{ BER_BVC("tls_cacertdir="), offsetof(slap_bindconf, sb_tls_cacertdir), 's', 1, NULL },
{ BER_BVC("tls_reqcert="), offsetof(slap_bindconf, sb_tls_reqcert), 's', 0, NULL },
{ BER_BVC("tls_reqsan="), offsetof(slap_bindconf, sb_tls_reqsan), 's', 0, NULL },
{ BER_BVC("tls_cipher_suite="), offsetof(slap_bindconf, sb_tls_cipher_suite), 's', 0, NULL },
{ BER_BVC("tls_protocol_min="), offsetof(slap_bindconf, sb_tls_protocol_min), 's', 0, NULL },
{ BER_BVC("tls_ecname="), offsetof(slap_bindconf, sb_tls_ecname), 's', 0, NULL },
#ifdef HAVE_OPENSSL
{ BER_BVC("tls_crlcheck="), offsetof(Backend, b_bindconf.sb_tls_crlcheck), 's', 0, NULL },
{ BER_BVC("tls_crlcheck="), offsetof(slap_bindconf, sb_tls_crlcheck), 's', 0, NULL },
#endif
#endif
{ BER_BVNULL, 0, 0, 0, NULL }
......@@ -2212,15 +2215,21 @@ slap_tls_get_config( LDAP *ld, int opt, char **val )
}
int
bindconf_parse( const char *word, Backend *b )
backend_parse( const char *word, Backend *b )
{
return slap_cf_aux_table_parse( word, b, backendkey, "backend config" );
}
int
bindconf_parse( const char *word, slap_bindconf *bc )
{
return slap_cf_aux_table_parse( word, b, bindkey, "bind config" );
return slap_cf_aux_table_parse( word, bc, bindkey, "bind config" );
}
int
bindconf_unparse( Backend *b, struct berval *bv )
bindconf_unparse( slap_bindconf *bc, struct berval *bv )
{
return slap_cf_aux_table_unparse( b, bv, bindkey );
return slap_cf_aux_table_unparse( bc, bv, bindkey );
}
void
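Review bot: The error message in config_bindconf still says "backend configuration item" although this driver parses the `bindconf` directive, so a bad `bindconf` line is reported under the wrong directive name; change the format string to `"error parsing bind configuration item '%s'\n",`. A second `bindconf` directive in the same file re-runs bindconf_parse() against the same global `bindconf`; if slap_cf_aux_table_parse() duplicates the 'b'/'s' values without releasing what is already there (its body is not in this diff), the earlier credentials are leaked and silently overridden, so either reject a repeated directive or release the previous values before parsing. The same stale wording appears nowhere else in the new code; config_backend's message correctly names the backend directive.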
......
......@@ -1359,6 +1359,7 @@ slapd_daemon( struct event_base *daemon_base )
ldap_pvt_thread_pool_close( &connection_pool, 1 );
backends_destroy();
clients_destroy();
bindconf_free( &bindconf );
evdns_base_free( dnsbase, 0 );
ch_free( daemon_tid );
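Review bot: bindconf_free( &bindconf ) releases the process-wide bind credentials, and its placement after ldap_pvt_thread_pool_close() and backends_destroy() is right, since upstream_bind reads `bindconf` from pool threads. The body of bindconf_free is not in this diff; if it only ch_free()s `sb_cred`, the plaintext bind password stays in freed heap memory, so consider clearing it before release, e.g. `if ( bindconf.sb_cred.bv_val ) memset( bindconf.sb_cred.bv_val, 0, bindconf.sb_cred.bv_len );` ahead of the call. slapd_daemon starts outside the hunk.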
......
......@@ -128,6 +128,7 @@ LDAP_SLAPD_V (slap_b_head) backend;
LDAP_SLAPD_V (slap_c_head) clients;
LDAP_SLAPD_V (ldap_pvt_thread_mutex_t) backend_mutex;
LDAP_SLAPD_V (Backend *) current_backend;
LDAP_SLAPD_V (struct slap_bindconf) bindconf;
LDAP_SLAPD_V (int) slapMode;
#define SLAP_UNDEFINED_MODE 0x0000
......@@ -246,9 +247,9 @@ enum lload_tls_type {
/* Can hold mutex when locking a linked connection */
struct Backend {
struct slap_bindconf b_bindconf;
ldap_pvt_thread_mutex_t b_mutex;
struct berval b_uri;
int b_proto, b_port;
enum lload_tls_type b_tls;
char *b_host;
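Review bot: The new extern `bindconf` carries no comment, while the struct it used to live in (`struct Backend`) documents its locking rule on the preceding line; a reader of the header cannot tell that this single global now replaces the per-backend `b_bindconf`. Add above the declaration `/* Bind identity shared by every backend; set by the "bindconf" directive, released by bindconf_free() at shutdown */`. If the intent is that it is only written during configuration, say so there as well, since no mutex is associated with it.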
......
......@@ -167,7 +167,7 @@ handle_vc_bind_response( Operation *op, BerElement *ber )
CONNECTION_LOCK(upstream);
b = (Backend *)upstream->c_private;
Debug( LDAP_DEBUG_ANY, "VC extended operation not supported on backend %s\n",
b->b_bindconf.sb_uri.bv_val );
b->b_uri.bv_val );
CONNECTION_UNLOCK(upstream);
}
......@@ -779,20 +779,20 @@ upstream_bind( void *ctx, void *arg )
CONNECTION_UNLOCK_INCREF(c);
ldap_pvt_thread_mutex_lock( &b->b_mutex );
if ( b->b_bindconf.sb_method == LDAP_AUTH_SIMPLE ) {
if ( bindconf.sb_method == LDAP_AUTH_SIMPLE ) {
/* simple bind */
ber_printf( ber, "{it{iOtON}}",
msgid, LDAP_REQ_BIND, LDAP_VERSION3,
&b->b_bindconf.sb_binddn, LDAP_AUTH_SIMPLE,
&b->b_bindconf.sb_cred );
&bindconf.sb_binddn, LDAP_AUTH_SIMPLE,
&bindconf.sb_cred );
#ifdef HAVE_CYRUS_SASL
} else {
BerValue cred = BER_BVNULL;
ber_printf( ber, "{it{iOt{OON}N}}",
msgid, LDAP_REQ_BIND, LDAP_VERSION3,
&b->b_bindconf.sb_binddn, LDAP_AUTH_SASL,
&b->b_bindconf.sb_saslmech, BER_BV_OPTIONAL( &cred ) );
&bindconf.sb_binddn, LDAP_AUTH_SASL,
&bindconf.sb_saslmech, BER_BV_OPTIONAL( &cred ) );
#endif /* HAVE_CYRUS_SASL */
}
ldap_pvt_thread_mutex_unlock( &b->b_mutex );
......@@ -857,7 +857,7 @@ upstream_init( ber_socket_t s, Backend *b )
}
}
if ( is_bindconn || b->b_bindconf.sb_method == LDAP_AUTH_NONE ) {
if ( is_bindconn || bindconf.sb_method == LDAP_AUTH_NONE ) {
if ( upstream_finish( c ) ) {
goto fail;
}
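Review bot: In upstream_bind, ldap_pvt_thread_mutex_lock( &b->b_mutex ) still brackets the bind-request construction, but everything it encloses now reads the global `bindconf` rather than `b->b_bindconf`; a per-backend mutex does not serialize access to a global, so the lock either protects nothing here or protects something not visible in the hunk. If nothing else in that region touches `b`, drop the lock/unlock pair; otherwise add a comment such as `/* b_mutex guards <field>, not bindconf, which is read-only after configuration */` so the next reader does not assume it covers the credentials. upstream_bind starts and ends outside the hunk, so I cannot confirm which from here.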
......