Commit 7b413f9e authored by Ondřej Kuzník, committed by Ondřej Kuzník

Update docs and defaults

parent 70464443
......@@ -289,7 +289,7 @@ a task is queued to be picked up by the thread pool. This task will
process PDUs from the connection until there is no more data to be
read or this limit is reached when the I/O thread can pick it up again.
Very high values have a potential to cause some connections to be
starved in a very high-bandwidth environment.
starved in a very high-bandwidth environment. The default is 1000.
.SH TLS OPTIONS
If
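Review bot: the new sentence "The default is 1000." gives no unit, and none of the config.c lines visible in this commit set that limit, so the figure cannot be checked against the code here. Since the paragraph describes the limit in terms of PDUs processed per task, consider "The default is 1000 PDUs." (if that is the unit) and confirm the value matches what the code initialises.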
......@@ -500,7 +500,7 @@ Specifies a file containing a Certificate Revocation List to be used
for verifying that certificates have not been revoked. This directive is
only valid when using GnuTLS and Mozilla NSS.
.SH BACKEND OPTIONS
.SH BACKEND CONFIGURATION
Options in this section describe how the
.B lloadd
connects and authenticates to the backend servers.
......@@ -510,6 +510,56 @@ configured connections are set up and those not dedicated to handle bind
requests are authenticated with the backend using the information in the
.B bindconf
option. The authentication configuration is shared between them.
.TP
.B bindconf
.B [bindmethod=simple|sasl]
.B [binddn=<dn>]
.B [saslmech=<mech>]
.B [authcid=<identity>]
.B [authzid=<identity>]
.B [credentials=<passwd>]
.B [realm=<realm>]
.B [secprops=<properties>]
Specifies the bind credentials
.B lloadd
uses when setting up its regular connections to all backends.
A
.B bindmethod
of
.B simple
requires the options
.B binddn
and
.B credentials
and should only be used when adequate security services
(e.g. TLS or IPSEC) are in place.
.B REMEMBER: simple bind credentials must be in cleartext!
A
.B bindmethod
of
.B sasl
requires the option
.B saslmech.
Depending on the mechanism, an authentication identity and/or
credentials can be specified using
.B authcid
and
.B credentials.
The
.B authzid
parameter may be used to specify an authorization identity.
Specific security properties (as with the
.B sasl\-secprops
keyword above) for a SASL bind can be set with the
.B secprops
option. A non default SASL realm can be set with the
.B realm
option.
.SH BACKEND OPTIONS
.TP
.B backend
.B uri=ldap[s]://<hostname>[:port]
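Review bot: the REMEMBER line says simple bind credentials must be in cleartext, yet the only protection the paragraph asks for is on the wire (TLS or IPSEC). Add a sentence that the configuration file carrying credentials= should be readable only by the account lloadd runs as. Smaller points in the same paragraph: ".B saslmech." and ".B credentials." set the trailing period in bold, which ".BR saslmech ." avoids; "IPSEC" is normally written IPsec, and "non default" wants a hyphen.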
......@@ -552,7 +602,7 @@ made immediately, if one happens on establishing a new connection to this
backend, lloadd will wait before a new reconnect attempt is made
according to the
.B retry
parameter.
parameter (default is 5 seconds).
Operations will be distributed across the backend's connections
.RB ( upstreams ).
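Review bot: "(default is 5 seconds)" on the retry parameter does not say what unit a user-supplied retry= value is read in, while the config.c hunk in this same commit stores 5000 in b_retry_timeout. If the parser takes milliseconds, a reader who writes retry=5 after reading this sentence gets something very different from 5 seconds. State the unit of the value as configured, for example "(in milliseconds, default is 5000)", or whichever matches the parser.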
......@@ -576,50 +626,7 @@ network connection to the provider. Once a connection is
established, the
.B timeout
parameter determines how long the consumer will wait for the initial
Bind request to complete. The defaults for these parameters come
from
.BR ldap.conf (5).
.B [bindmethod=simple|sasl]
.B [binddn=<dn>]
.B [saslmech=<mech>]
.B [authcid=<identity>]
.B [authzid=<identity>]
.B [credentials=<passwd>]
.B [realm=<realm>]
.B [secprops=<properties>]
A
.B bindmethod
of
.B simple
requires the options
.B binddn
and
.B credentials
and should only be used when adequate security services
(e.g. TLS or IPSEC) are in place.
.B REMEMBER: simple bind credentials must be in cleartext!
A
.B bindmethod
of
.B sasl
requires the option
.B saslmech.
Depending on the mechanism, an authentication identity and/or
credentials can be specified using
.B authcid
and
.B credentials.
The
.B authzid
parameter may be used to specify an authorization identity.
Specific security properties (as with the
.B sasl\-secprops
keyword above) for a SASL bind can be set with the
.B secprops
option. A non default SASL realm can be set with the
.B realm
option.
Bind request to complete. By default no timeouts are in effect.
The
.B keepalive
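Review bot: "By default no timeouts are in effect." at the end of the timeout paragraph means, as written, that the wait for the initial Bind has no upper bound unless the administrator sets one. Spell that consequence out and consider recommending a finite value, since the removed text deferred to ldap.conf(5) instead. The unchanged context lines here also still speak of "the provider" and "the consumer", which does not match the lloadd and backend wording used in the rest of the visible text.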
......
......@@ -480,6 +480,8 @@ config_backend( ConfigArgs *c )
b->b_numconns = 1;
b->b_numbindconns = 1;
b->b_retry_timeout = 5000;
for ( i = 1; i < c->argc; i++ ) {
if ( backend_parse( c->argv[i], b ) ) {
Debug( LDAP_DEBUG_ANY, "config_backend: "
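Review bot: the literal 5000 assigned to b->b_retry_timeout carries no unit and no name. A named constant, or at least a comment giving the unit, would tie it to the "5 seconds" now documented in the man page and keep the two from drifting apart. The defaults are set before the backend_parse() loop, which is the right order for a user-supplied value to override them.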
......