Commit c88a448c authored by Ondřej Kuzník's avatar Ondřej Kuzník Committed by Quanah Gibson-Mount
Browse files

ITS#8747 Fix lloadd builds --without-tls

parent 54a9c909
......@@ -56,6 +56,7 @@ bind_mech_external(
goto done;
}
#ifdef HAVE_TLS
ssl = ldap_pvt_tls_sb_ctx( client->c_sb );
if ( !ssl || ldap_pvt_tls_get_peer_dn( ssl, &binddn, NULL, 0 ) ) {
result = LDAP_INVALID_CREDENTIALS;
......@@ -74,6 +75,10 @@ bind_mech_external(
if ( !ber_bvstrcasecmp( &client->c_auth, &lloadd_identity ) ) {
client->c_type = LLOAD_C_PRIVILEGED;
}
#else /* ! HAVE_TLS */
result = LDAP_AUTH_METHOD_NOT_SUPPORTED;
message = "requested SASL mechanism not supported";
#endif /* ! HAVE_TLS */
done:
CONNECTION_UNLOCK(client);
......
......@@ -288,6 +288,7 @@ handle_one_request( LloadConnection *c )
return handler( c, op );
}
#ifdef HAVE_TLS
/*
* The connection has a token assigned to it when the callback is set up.
*/
......@@ -385,6 +386,7 @@ fail:
CONNECTION_LOCK_DESTROY(c);
epoch_leave( epoch );
}
#endif /* HAVE_TLS */
LloadConnection *
client_init(
......@@ -413,6 +415,7 @@ client_init(
c->c_state = LLOAD_C_READY;
if ( flags & CONN_IS_TLS ) {
#ifdef HAVE_TLS
int rc;
c->c_is_tls = LLOAD_LDAPS;
......@@ -430,6 +433,9 @@ client_init(
c->c_read_timeout = lload_timeout_net;
read_cb = write_cb = client_tls_handshake_cb;
}
#else /* ! HAVE_TLS */
assert(0);
#endif /* ! HAVE_TLS */
}
event = event_new( base, s, EV_READ|EV_PERSIST, read_cb, c );
......
......@@ -3671,6 +3671,19 @@ backend_cf_gen( ConfigArgs *c )
"invalid starttls configuration" );
goto fail;
}
#ifndef HAVE_TLS
if ( tlskey[i].mask == LLOAD_STARTTLS_OPTIONAL ) {
Debug( LDAP_DEBUG_ANY, "%s: "
"lloadd compiled without TLS but starttls specified, "
"it will be ignored\n",
c->log );
} else if ( tlskey[i].mask != LLOAD_CLEARTEXT ) {
snprintf( c->cr_msg, sizeof(c->cr_msg),
"invalid starttls configuration when compiled without "
"TLS support" );
goto fail;
}
#endif /* ! HAVE_TLS */
b->b_tls_conf = tlskey[i].mask;
} break;
default:
......
......@@ -1410,6 +1410,7 @@ backend_conn_cb( ldap_pvt_thread_start_t *start, void *startarg, void *arg )
return 0;
}
#ifdef HAVE_TLS
int
client_tls_cb( ldap_pvt_thread_start_t *start, void *startarg, void *arg )
{
......@@ -1422,6 +1423,7 @@ client_tls_cb( ldap_pvt_thread_start_t *start, void *startarg, void *arg )
}
return 0;
}
#endif /* HAVE_TLS */
void
lload_handle_backend_invalidation( LloadChange *change )
......@@ -1648,6 +1650,7 @@ lload_handle_global_invalidation( LloadChange *change )
assert( !feature_diff );
}
#ifdef HAVE_TLS
if ( change->flags.daemon & LLOAD_DAEMON_MOD_TLS ) {
/* terminate all clients with TLS set up */
ldap_pvt_thread_pool_walk(
......@@ -1670,6 +1673,7 @@ lload_handle_global_invalidation( LloadChange *change )
}
}
}
#endif /* HAVE_TLS */
if ( change->flags.daemon & LLOAD_DAEMON_MOD_BINDCONF ) {
LloadBackend *b;
......
......@@ -22,11 +22,13 @@
Avlnode *lload_exop_handlers = NULL;
#ifdef HAVE_TLS
void *lload_tls_ctx;
LDAP *lload_tls_ld, *lload_tls_backend_ld;
#ifdef BALANCER_MODULE
int lload_use_slap_tls_ctx = 0;
#endif
#endif /* HAVE_TLS */
int
handle_starttls( LloadConnection *c, LloadOperation *op )
......@@ -42,6 +44,7 @@ handle_starttls( LloadConnection *c, LloadOperation *op )
assert( op == found );
c->c_n_ops_executing--;
#ifdef HAVE_TLS
if ( c->c_is_tls == LLOAD_TLS_ESTABLISHED ) {
rc = LDAP_OPERATIONS_ERROR;
msg = "TLS layer already in effect";
......@@ -55,6 +58,11 @@ handle_starttls( LloadConnection *c, LloadOperation *op )
rc = LDAP_UNAVAILABLE;
msg = "Could not initialize TLS";
}
#else /* ! HAVE_TLS */
rc = LDAP_UNAVAILABLE;
msg = "Could not initialize TLS";
#endif /* ! HAVE_TLS */
CONNECTION_UNLOCK(c);
Debug( LDAP_DEBUG_STATS, "handle_starttls: "
......@@ -67,6 +75,7 @@ handle_starttls( LloadConnection *c, LloadOperation *op )
return LDAP_SUCCESS;
}
#ifdef HAVE_TLS
event_del( c->c_read_event );
event_del( c->c_write_event );
/*
......@@ -109,6 +118,7 @@ handle_starttls( LloadConnection *c, LloadOperation *op )
operation_unlink( op );
return -1;
#endif /* HAVE_TLS */
}
int
......
......@@ -281,7 +281,9 @@ sasl_bind_step( LloadConnection *c, BerValue *scred, BerValue *ccred )
if ( !ctx ) {
const char *mech = NULL;
#ifdef HAVE_TLS
void *ssl;
#endif /* HAVE_TLS */
if ( sasl_client_new( "ldap", b->b_host, NULL, NULL, client_callbacks,
0, &ctx ) != SASL_OK ) {
......@@ -688,6 +690,7 @@ upstream_finish( LloadConnection *c )
return LDAP_SUCCESS;
}
#ifdef HAVE_TLS
static void
upstream_tls_handshake_cb( evutil_socket_t s, short what, void *arg )
{
......@@ -872,6 +875,7 @@ fail:
CONNECTION_DESTROY(c);
return -1;
}
#endif /* HAVE_TLS */
/*
* We must already hold b->b_mutex when called.
......@@ -893,7 +897,9 @@ upstream_init( ber_socket_t s, LloadBackend *b )
CONNECTION_LOCK(c);
c->c_private = b;
#ifdef HAVE_TLS
c->c_is_tls = b->b_tls;
#endif
c->c_pdu_cb = handle_one_response;
LDAP_CIRCLEQ_INSERT_HEAD( &b->b_preparing, c, c_next );
......@@ -924,10 +930,13 @@ upstream_init( ber_socket_t s, LloadBackend *b )
c->c_destroy = upstream_destroy;
c->c_unlink = upstream_unlink;
#ifdef HAVE_TLS
if ( c->c_is_tls == LLOAD_CLEARTEXT ) {
#endif /* HAVE_TLS */
if ( upstream_finish( c ) ) {
goto fail;
}
#ifdef HAVE_TLS
} else if ( c->c_is_tls == LLOAD_LDAPS ) {
event_assign( c->c_read_event, base, s, EV_READ|EV_PERSIST,
upstream_tls_handshake_cb, c );
......@@ -958,6 +967,7 @@ upstream_init( ber_socket_t s, LloadBackend *b )
event_add( c->c_read_event, c->c_read_timeout );
}
}
#endif /* HAVE_TLS */
CONNECTION_UNLOCK(c);
return c;
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment