option mentioned is unavailable through
.BR slapd.conf (5)
directly, instead, it would have to be configured via a dedicated attribute in
-cn=config. In particular,
+cn=config. In particular, unless the
+.B TLSShareSlapdCTX
+option is set,
.B lloadd
-keeps its own TLS context and serving TLS to clients is not available except
+keeps its own TLS context which cannot be configured except
through the dynamic configuration.
An additional option is available when running as a
If
.B lloadd
is built with support for Transport Layer Security, there are more options
-you can specify. None of these are available when compiled as a
+you can specify.
+
+.TP
+.B TLSShareSlapdCTX { on | off }
+If set to no (the default),
+.B lloadd
+will use its own TLS context (needs to be configured via
+.B cn=config
+unless
+.B lloadd
+is run as a standalone daemon). If enabled, the options for
+.B slapd
+apply instead, since the
+.BR slapd 's
+TLS context is used then.
+
+.LP
+
+The following options are available only when compiled as a standalone daemon.
+When compiled as a
.BR slapd (8)
-module except through cn=config.
+module, the cn=config equivalents need to be used if a separate TLS context for
+the module is needed, otherwise use the
+.B TLSShareSlapdCTX
+option.
+
.TP
.B TLSCipherSuite <cipher-suite-spec>
Permits configuring what ciphers will be accepted and the preference order.
}
ldap_pvt_thread_mutex_unlock( &c->c_io_mutex );
- rc = ldap_pvt_tls_accept( c->c_sb, lload_tls_ctx );
+ rc = ldap_pvt_tls_accept( c->c_sb, LLOAD_TLS_CTX );
if ( rc < 0 ) {
goto fail;
}
c->c_is_tls = LLOAD_LDAPS;
- rc = ldap_pvt_tls_accept( c->c_sb, lload_tls_ctx );
+ rc = ldap_pvt_tls_accept( c->c_sb, LLOAD_TLS_CTX );
if ( rc < 0 ) {
Debug( LDAP_DEBUG_CONNS, "client_init: "
"connid=%lu failed initial TLS accept rc=%d\n",
static ConfigDriver config_tls_config;
#endif
#ifdef BALANCER_MODULE
+static ConfigDriver config_share_tls_ctx;
static ConfigDriver backend_cf_gen;
#endif /* BALANCER_MODULE */
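Review bot: The new `static ConfigDriver config_share_tls_ctx;` is guarded by `#ifdef BALANCER_MODULE` alone, but the only table entry that references it (the `TLSShareSlapdCTX` row further down) is under `#if defined(HAVE_TLS) && defined(BALANCER_MODULE)`, and the preceding `config_tls_config` declaration sits inside its own `#endif`, which suggests this file keeps TLS drivers under HAVE_TLS. In a BALANCER_MODULE build without HAVE_TLS the static function defined in the later hunk would be unreferenced (a -Wunused-function warning), and the `LLOAD_TLS_CTX` macro in lload.h would still expand to `slap_tls_ctx` — whether that symbol is declared in a non-TLS build cannot be seen from here. The same BALANCER_MODULE-only guard is repeated on the definition of config_share_tls_ctx, on `int lload_use_slap_tls_ctx = 0;` and on the `LDAP_SLAPD_V (int) lload_use_slap_tls_ctx;` prototype. Aligning all of them on `#if defined(HAVE_TLS) && defined(BALANCER_MODULE)`, or folding the declaration into the existing HAVE_TLS block, would keep the pieces consistent.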
CFG_TLS_VERIFY,
CFG_TLS_CRLCHECK,
CFG_TLS_CRL_FILE,
+ CFG_TLS_SHARE_CTX,
CFG_CONCUR,
CFG_THREADS,
CFG_LOGFILE,
"SINGLE-VALUE )",
NULL, NULL
},
+ { "TLSShareSlapdCTX", NULL, 2, 2, 0,
+#if defined(HAVE_TLS) && defined(BALANCER_MODULE)
+ CFG_TLS_SHARE_CTX|ARG_ON_OFF|ARG_MAGIC,
+ &config_share_tls_ctx,
+#else
+ ARG_IGNORED,
+ NULL,
+#endif
+ "( OLcfgBkAt:13.33 "
+ "NAME 'olcBkLloadTLSShareSlapdCTX' "
+ "DESC 'Share slapd TLS context (all other lloadd TLS options cease to take effect)' "
+ "EQUALITY booleanMatch "
+ "SYNTAX OMsBoolean "
+ "SINGLE-VALUE )",
+ NULL, NULL
+ },
{ "iotimeout", "ms timeout", 2, 2, 0,
ARG_UINT|ARG_MAGIC|CFG_IOTIMEOUT,
&config_generic,
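Review bot: The row registers the directive as an `ARG_ON_OFF` switch, while the man page hunk earlier in this diff documents the syntax as `TLSShareSlapdCTX { on | off }` and then says "If set to no (the default)"; one of the two should be brought in line so the documented spelling matches what the parser is advertised to take (if the ARG_ON_OFF parser also accepts yes/no, the man page can say so instead). The `#else` branch makes the directive `ARG_IGNORED` in a standalone HAVE_TLS build, so a standalone configuration that sets it is accepted rather than rejected; whether ARG_IGNORED produces a warning in this config framework is outside the hunk, but the man page text "available only when compiled as a standalone daemon" for the neighbouring options makes it worth stating explicitly that this one is the reverse case.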
"$ olcBkLloadTLSECName "
"$ olcBkLloadTLSProtocolMin "
"$ olcBkLloadTLSCRLFile "
+ "$ olcBkLloadTLSShareSlapdCTX "
") )",
Cft_Backend, config_back_cf_table,
NULL,
}
#endif
+#ifdef BALANCER_MODULE
+static int
+config_share_tls_ctx( ConfigArgs *c )
+{
+ int rc = LDAP_SUCCESS;
+
+ if ( c->op == SLAP_CONFIG_EMIT ) {
+ c->value_int = lload_use_slap_tls_ctx;
+ return rc;
+ }
+
+ lload_change.type = LLOAD_CHANGE_MODIFY;
+ lload_change.object = LLOAD_DAEMON;
+ lload_change.flags.daemon |= LLOAD_DAEMON_MOD_TLS;
+
+ if ( c->op == LDAP_MOD_DELETE ) {
+ lload_use_slap_tls_ctx = 0;
+ return rc;
+ }
+
+ lload_use_slap_tls_ctx = c->value_int;
+ return rc;
+}
+#endif /* BALANCER_MODULE */
+
void
lload_init_config_argv( ConfigArgs *c )
{
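Review bot: config_share_tls_ctx has no comment saying what the flag switches, and the effect is security-relevant: once `lload_use_slap_tls_ctx` is set, every connection that goes through `LLOAD_TLS_CTX` is terminated with slapd's certificate, key, CA set and verification policy, and the lloadd-specific TLS* directives no longer apply (the DESC string in the schema hunk states this; the code does not). A header comment such as `/* TLSShareSlapdCTX: when set, LLOAD_TLS_CTX resolves to slapd's slap_tls_ctx instead of lload_tls_ctx and the lloadd TLS* directives have no effect. Only meaningful when built as a slapd module. */` would make that visible at the point of change. It is also worth a line noting that `LLOAD_DAEMON_MOD_TLS` is flagged before the `LDAP_MOD_DELETE` branch, so both clearing and setting the option schedule the daemon's TLS reconfiguration; what that reconfiguration does with the swapped context is outside this hunk. Minor style point: `rc` is never anything but LDAP_SUCCESS, so the three `return rc;` could be `return LDAP_SUCCESS;` unless the file's other drivers follow the same pattern.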
void *lload_tls_ctx;
LDAP *lload_tls_ld, *lload_tls_backend_ld;
+#ifdef BALANCER_MODULE
+int lload_use_slap_tls_ctx = 0;
+#endif
int
handle_starttls( LloadConnection *c, LloadOperation *op )
} else if ( c->c_ops ) {
rc = LDAP_OPERATIONS_ERROR;
msg = "cannot start TLS when operations are outstanding";
- } else if ( !lload_tls_ctx ) {
+ } else if ( !LLOAD_TLS_CTX ) {
rc = LDAP_UNAVAILABLE;
msg = "Could not initialize TLS";
}
LLOAD_FEATURE_PROXYAUTHZ = 1 << 1,
} lload_features_t;
+#ifdef BALANCER_MODULE
+#define LLOAD_TLS_CTX ( lload_use_slap_tls_ctx ? slap_tls_ctx : lload_tls_ctx )
+#else
+#define LLOAD_TLS_CTX ( lload_tls_ctx )
+#endif
+
enum lload_tls_type {
LLOAD_CLEARTEXT = 0,
LLOAD_LDAPS,
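Review bot: `LLOAD_TLS_CTX` re-reads `lload_use_slap_tls_ctx` on every expansion, and that flag is written at runtime by config_share_tls_ctx in the config.c hunk, so a caller that first tests `!LLOAD_TLS_CTX` and later hands `LLOAD_TLS_CTX` to ldap_pvt_tls_accept (the client.c hunks and handle_starttls in this diff) can resolve to two different contexts if a cn=config modification lands between the two expansions. Whether cn=config writes are serialized against the connection threads, or the pending LLOAD_DAEMON_MOD_TLS change is only applied at a safe point, is not visible here. If the design relies on that serialization, say so next to the macro: `/* Resolved on each use: lload_use_slap_tls_ctx can change at runtime via TLSShareSlapdCTX; do not assume two expansions yield the same context. */`. Otherwise snapshotting the context into a local at the top of those call paths and using it for both the NULL check and the accept call removes the window.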
LDAP_SLAPD_V (LDAP *) lload_tls_backend_ld;
LDAP_SLAPD_V (LDAP *) lload_tls_ld;
LDAP_SLAPD_V (void *) lload_tls_ctx;
+#ifdef BALANCER_MODULE
+LDAP_SLAPD_V (int) lload_use_slap_tls_ctx;
+#endif /* BALANCER_MODULE */
/*
* extended.c