From: Nick Porter Date: Tue, 11 Apr 2023 14:13:56 +0000 (+0100) Subject: Add config for trunk to use for bind auths X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9401f152068282c2e4e247c6ef0dd90feea1fbbb;p=thirdparty%2Ffreeradius-server.git Add config for trunk to use for bind auths
---
diff --git a/raddb/mods-available/ldap b/raddb/mods-available/ldap
index a04cd03e02e..cdf5ea2cedb 100644
--- a/raddb/mods-available/ldap
+++ b/raddb/mods-available/ldap
@@ -815,6 +815,27 @@ ldap { # free_delay = 10 } }
+
+ #
+ # ### Bind Connection Pool # # This connection pool is used for LDAP binds used to authenticate requests when # calling the ldap module in authenticate context. If passwords are retrieved # from the ldap directory and FreeRADIUS performs the authentication then this is # not used. # # The options are essentially identical to the pool section above with certain # limitations. Since only one bind operation can be in progress on a connection at # a time, `per_connection_max` and `per_connection_target` are always set to 1. # # This limitation means that `max` represents the maximum number of in progress # binds which there can be on a single thread. # bind_pool { start = 0 min = 1 max = 1000 } } #
diff --git a/src/lib/ldap/base.h b/src/lib/ldap/base.h
index 77cf5d7c8c4..5d72d7b349e 100644
--- a/src/lib/ldap/base.h
+++ b/src/lib/ldap/base.h
@@ -379,6 +379,7 @@ typedef struct { fr_rb_tree_t *trunks; //!< Tree of LDAP trunks used by this thread fr_ldap_config_t *config; //!< Module instance config fr_trunk_conf_t *trunk_conf; //!< Module trunk config
+ fr_trunk_conf_t *bind_trunk_conf; //!< Trunk config for bind auth trunk fr_event_list_t *el; //!< Thread event list for callbacks / timeouts fr_connection_t *conn; //!< LDAP connection used for bind auths fr_rb_tree_t *binds; //!< Tree of outstanding bind auths 
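Review bot: The `max = 1000` default in the new bind_pool section is also a per-thread LDAP connection cap, because the paragraph above it says each connection carries at most one bind, yet the comment never spells out that consequence for the directory server. An administrator sizing the pool needs to know that with many worker threads the server may see up to threads × max bind connections from this host, which can exceed the directory's connection or file-descriptor limits. I would add after the `max` sentence: `# Because each bind uses its own connection, max is also the number of LDAP connections a single thread may open for bind auths; size it against the directory server's connection limits.` Whether `start`/`min` keep idle bind connections open between requests is not visible from this hunk and could be stated in the same paragraph.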
diff --git a/src/modules/rlm_ldap/rlm_ldap.c b/src/modules/rlm_ldap/rlm_ldap.c
index 2d128735656..3ca0da8d9b9 100644
--- a/src/modules/rlm_ldap/rlm_ldap.c
+++ b/src/modules/rlm_ldap/rlm_ldap.c
@@ -189,6 +189,9 @@ static const CONF_PARSER module_config[] = { { FR_CONF_OFFSET("pool", FR_TYPE_SUBSECTION, rlm_ldap_t, trunk_conf), .subcs = (void const *) fr_trunk_config },
+ { FR_CONF_OFFSET("bind_pool", FR_TYPE_SUBSECTION, rlm_ldap_t, bind_trunk_conf),
+ .subcs = (void const *) fr_trunk_config },
+ CONF_PARSER_TERMINATOR };
@@ -2035,6 +2038,7 @@ static int mod_thread_instatiate(module_thread_inst_ctx_t const *mctx) t->config = &inst->handle_config; t->trunk_conf = &inst->trunk_conf;
+ t->bind_trunk_conf = &inst->bind_trunk_conf; t->el = mctx->el; /*
@@ -2131,6 +2135,12 @@ static int mod_bootstrap(module_inst_ctx_t const *mctx) inst->cache_da = inst->group_da; /* Default to the group_da */ }
+ /*
+ * Trunks used for bind auth can only have one request in flight per connection.
+ */
+ inst->bind_trunk_conf.target_req_per_conn = 1;
+ inst->bind_trunk_conf.max_req_per_conn = 1;
+ xlat = xlat_func_register_module(NULL, mctx, mctx->inst->name, ldap_xlat, FR_TYPE_STRING); xlat_func_mono_set(xlat, ldap_xlat_arg);
diff --git a/src/modules/rlm_ldap/rlm_ldap.h b/src/modules/rlm_ldap/rlm_ldap.h
index 7f87074065c..d8d8311a2e0 100644
--- a/src/modules/rlm_ldap/rlm_ldap.h
+++ b/src/modules/rlm_ldap/rlm_ldap.h
@@ -122,6 +122,7 @@ typedef struct { fr_ldap_config_t handle_config; //!< Connection configuration instance. fr_trunk_conf_t trunk_conf; //!< Trunk configuration
+ fr_trunk_conf_t bind_trunk_conf; //!< Trunk configuration for trunk used for bind auths } rlm_ldap_t; /** Module environment used in LDAP authorization
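Review bot: Module configurations that predate the new `bind_pool` entry will leave `bind_trunk_conf` with whatever the parser produces for an absent FR_TYPE_SUBSECTION; if that is a zero-filled struct rather than the `fr_trunk_config` defaults, the bind trunk would presumably have a `max` of 0 and nowhere to run bind auths. It is worth confirming how a missing subsection is handled and, if defaults are not applied, either requiring the section or documenting that `bind_pool` must be present when the module is used in authenticate context. A short comment on the new table entry, such as `/* bind_pool: per-connection request limits are forced to 1 in mod_bootstrap */`, would also tie this entry to the override further down the file. module_config continues outside the hunk.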
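Review bot: The two assignments to `target_req_per_conn` and `max_req_per_conn` silently discard any `per_connection_target`/`per_connection_max` an administrator placed in `bind_pool`, assuming the subsection has been parsed by the time mod_bootstrap runs. Since the shipped config describes these as "always set to 1", a different parsed value is most likely copied from the main `pool` section, and the administrator currently gets no hint that it was ignored. I would check `if (inst->bind_trunk_conf.max_req_per_conn != 1 || inst->bind_trunk_conf.target_req_per_conn != 1)` before the overwrite and emit a warning through whichever config-logging helper mod_bootstrap already uses, naming the setting that was forced. mod_bootstrap's body continues outside the hunk.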