From: Ondřej Kuzník Date: Thu, 14 May 2026 14:36:42 +0000 (+0100) Subject: ITS#10502 lloadd: Add enable/disable keywords and enable proxyauthz by default X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=f6ae8ef451f38e3f2f3ec6fc43cc8806ecfe125a;p=thirdparty%2Fopenldap.git ITS#10502 lloadd: Add enable/disable keywords and enable proxyauthz by default --- diff --git a/doc/man/man5/lloadd.conf.5 b/doc/man/man5/lloadd.conf.5 index 7fa8aa940f..92ea6e90bc 100644 --- a/doc/man/man5/lloadd.conf.5 +++ b/doc/man/man5/lloadd.conf.5 @@ -135,7 +135,7 @@ thread system as a hint. The default is not to provide any hint. .\" .B iotimeout .\" option. .TP -.B feature [...] +.B enable Switch additional features supported by the LDAP Load Balancer on. Supported features are: .RS @@ -148,7 +148,7 @@ the proxy authorization control (RFC 4370). No control is added to the operation if initiated by a client whose bound identity matches the identity configured in .B bindconf -(no normalisation of the DN is attempted). +(no normalisation of the DN is attempted). This feature is enabled by default. If SASL binds are issued by clients and this feature is enabled, backend servers need to support LDAP Who Am I? extended operation for the Load Balancer @@ -166,6 +166,12 @@ to detect the correct authorization identity. .RE .RE .TP +.B disable +Switch features supported by the LDAP Load Balancer off. See features listed in +the +.B enable +option for a list. +.TP .B include Read additional configuration information from the given file before continuing with the next line of the current file. diff --git a/servers/lloadd/config.c b/servers/lloadd/config.c index d9ec396b4e..3d6da4defe 100644 --- a/servers/lloadd/config.c +++ b/servers/lloadd/config.c 
@@ -77,9 +77,11 @@ char *slapd_args_file = NULL; static struct timeval timeout_api_tv, timeout_net_tv, timeout_write_tv = { 10, 0 }; -lload_features_t lload_features; +lload_features_t lload_features = LLOAD_FEATURES_DEFAULT; int lload_write_coherence = 0; +static lload_features_t features_requested, features_disabled; + ber_len_t sockbuf_max_incoming_client = LLOAD_SB_MAX_INCOMING_CLIENT; ber_len_t sockbuf_max_incoming_upstream = LLOAD_SB_MAX_INCOMING_UPSTREAM; ber_len_t sockbuf_max_pending_client = 0; @@ -158,6 +160,8 @@ enum { CFG_MAXBUF_UPSTREAM, CFG_MAXBUF_PENDING, CFG_FEATURE, + CFG_FEATURE_ENABLE, + CFG_FEATURE_DISABLE, CFG_THREADQS, CFG_TLS_ECNAME, CFG_TLS_CACERT, @@ -394,13 +398,28 @@ static ConfigTable config_back_cf_table[] = { { "feature", "name", 2, 0, 0, ARG_MAGIC|CFG_FEATURE, &config_feature, + NULL, NULL, NULL + }, + { "enable", "name", 2, 2, 0, + ARG_MAGIC|CFG_FEATURE_ENABLE, + &config_feature, "( OLcfgBkAt:13.10 " - "NAME 'olcBkLloadFeature' " + "NAME ( 'olcBkLloadFeatureEnable' 'olcBkLloadFeature' ) " "DESC 'Lload features enabled' " "EQUALITY caseIgnoreMatch " "SYNTAX OMsDirectoryString )", NULL, NULL }, + { "disable", "name", 2, 2, 0, + ARG_MAGIC|CFG_FEATURE_DISABLE, + &config_feature, + "( OLcfgBkAt:13.42 " + "NAME 'olcBkLloadFeatureDisable' " + "DESC 'Lload features disabled' " + "EQUALITY caseIgnoreMatch " + "SYNTAX OMsDirectoryString )", + NULL, NULL + }, { "TLSCACertificate", NULL, 2, 2, 0, #ifdef HAVE_TLS CFG_TLS_CACERT|ARG_BINARY|ARG_MAGIC, @@ -818,7 +837,8 @@ static ConfigOCs lloadocs[] = { "$ olcBkLloadSockbufMaxUpstream " "$ olcBkLloadMaxPDUPerCycle " "$ olcBkLloadIOTimeout ) " - "MAY ( olcBkLloadFeature " + "MAY ( olcBkLloadFeatureEnable " + "$ olcBkLloadFeatureDisable " "$ olcBkLloadTcpBuffer " "$ olcBkLloadTLSCACertificateFile " "$ olcBkLloadTLSCACertificatePath " 
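Review bot: The new `features_requested` and `features_disabled` statics carry no comment saying how they relate to `lload_features`, and that relation (from the later hunks, the effective set appears to be `(LLOAD_FEATURES_DEFAULT & ~features_disabled) | features_requested`, recomputed inside config_feature) is the one thing a reader of this file needs to know about them. A short comment above the declaration would do, e.g. `/* Feature names seen on enable/feature and on disable lines; lload_features is derived from these plus LLOAD_FEATURES_DEFAULT and is never assigned directly elsewhere. */`. The initialiser on `lload_features` now means proxyauthz is in effect before any config line is read, which is worth a one-line remark next to it as well.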
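Review bot: The legacy `feature` entry keeps its old argument limits (`2, 0`, any number of names per line) while the new `enable` and `disable` entries are `2, 2` (exactly one name), and its attribute description is now NULL, which in this table presumably makes it a slapd.conf-only keyword; neither fact is recorded, and the manpage hunk in this commit drops `feature` entirely. A comment on the entry would stop someone later "aligning" it with the others: `/* legacy alias of "enable": slapd.conf only (no cn=config attribute), still accepts several feature names on one line */`. If `enable` is meant to accept several names the way `feature` did, its max-args should be 0 rather than 2; if not, the manpage text for `enable` should say one feature per line.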
@@ -2092,11 +2112,24 @@ config_feature( ConfigArgs *c ) { BER_BVC("read_pause"), LLOAD_FEATURE_PAUSE }, { BER_BVNULL, 0 } }; + lload_features_t *fp; slap_mask_t mask = 0; int i; + switch ( c->type ) { + case CFG_FEATURE: + case CFG_FEATURE_ENABLE: + fp = &features_requested; + break; + case CFG_FEATURE_DISABLE: + fp = &features_disabled; + break; + default: + return 1; + } + if ( c->op == SLAP_CONFIG_EMIT ) { - return mask_to_verbs( features, lload_features, &c->rvalue_vals ); + return mask_to_verbs( features, *fp, &c->rvalue_vals ); } lload_change.type = LLOAD_CHANGE_MODIFY; @@ -2109,11 +2142,13 @@ config_feature( ConfigArgs *c ) if ( c->op == LDAP_MOD_DELETE ) { if ( !c->line ) { /* Last value has been deleted */ - lload_features = 0; + *fp = 0; } else { i = verb_to_mask( c->line, features ); - lload_features &= ~features[i].mask; + *fp &= ~features[i].mask; } + lload_features = (LLOAD_FEATURES_DEFAULT & ~features_disabled) | \ + features_requested; return 0; } @@ -2136,7 +2171,23 @@ config_feature( ConfigArgs *c ) } } - lload_features |= mask; + if ( features_requested & features_disabled ) { + lload_features_t overlap = features_requested & features_disabled; + for ( i = 1; i < c->argc; i++ ) { + int j = verb_to_mask( c->argv[i], features ); + if ( features[j].mask & overlap ) { + snprintf( c->cr_msg, sizeof(c->cr_msg), + "requested to both enable and disable feature %s", + c->argv[i] ); + Debug( LDAP_DEBUG_ANY, "%s: %s\n", c->log, c->cr_msg ); + } + } + return 1; + } + + *fp |= mask; + lload_features = (LLOAD_FEATURES_DEFAULT & ~features_disabled) | \ + features_requested; return 0; } diff --git a/servers/lloadd/lload.h b/servers/lloadd/lload.h index f99a0cb4fc..84e2d64b1e 100644 --- a/servers/lloadd/lload.h +++ b/servers/lloadd/lload.h 
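Review bot: The `default:` branch returns 1 without setting `c->cr_msg`, so a `c->type` that is none of the three feature codes makes the directive fail with no diagnostic in the log or in the LDAP result; since this can only be a table/dispatch mismatch it should be loud: `snprintf( c->cr_msg, sizeof(c->cr_msg), "unexpected config type %d", c->type ); Debug( LDAP_DEBUG_ANY, "%s: %s\n", c->log, c->cr_msg ); return 1;`. A one-line comment on the `case CFG_FEATURE:` label saying it is the legacy alias of `enable` would also explain why the two share `features_requested`, including on the EMIT path. config_feature begins before this hunk.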
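Review bot: The recomputation `lload_features = (LLOAD_FEATURES_DEFAULT & ~features_disabled) | features_requested;` appears here and again at the end of the function, and both copies use a trailing backslash continuation that only has meaning inside a macro — in ordinary code a line break after `|` is enough. Moving it into a one-line static helper, `static void lload_features_recompute( void ) { lload_features = (LLOAD_FEATURES_DEFAULT & ~features_disabled) | features_requested; }`, keeps the two paths from drifting apart and documents in one place that `lload_features` is derived rather than assigned. The enclosing function starts and ends outside this hunk.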
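Review bot: The conflict check `if ( features_requested & features_disabled )` runs before `*fp |= mask;`, and those two statics appear to be written only by that line, so it tests the state left by earlier directives rather than the state this directive creates. `enable proxyauthz` followed by `disable proxyauthz` is therefore accepted (enable wins in the recomputed `lload_features`) and the error only fires on the next enable/disable line, where the message loop compares that line's names against the stale overlap, so the function can `return 1` with `c->cr_msg` never set. Test the incoming mask against the opposite set instead: `lload_features_t other = ( fp == &features_requested ) ? features_disabled : features_requested;` and `if ( mask & other ) { lload_features_t overlap = mask & other;`, keeping the loop below unchanged. Returning right after the first `Debug` in that loop would also make `cr_msg` name the first conflicting feature rather than the last one.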
@@ -184,6 +184,10 @@ typedef enum { LLOAD_FEATURE_PAUSE = 1 << 2, } lload_features_t; +#define LLOAD_FEATURES_DEFAULT ( \ + LLOAD_FEATURE_PROXYAUTHZ | \ + 0 ) + #define LLOAD_FEATURE_SUPPORTED_MASK ( \ LLOAD_FEATURE_PROXYAUTHZ | \ 0 ) diff --git a/tests/data/lloadd-anon.conf b/tests/data/lloadd-anon.conf index 4c516ef340..affcdc48fa 100644 --- a/tests/data/lloadd-anon.conf +++ b/tests/data/lloadd-anon.conf @@ -17,6 +17,9 @@ sockbuf_max_incoming_client 4194303 sockbuf_max_incoming_upstream 4194303 +# we're anonymous and want to disable proxyauthz in this particular test +disable proxyauthz + tier roundrobin # empty tier diff --git a/tests/data/lloadd-empty.conf b/tests/data/lloadd-empty.conf index 50963a4bbd..2f089a5f4a 100644 --- a/tests/data/lloadd-empty.conf +++ b/tests/data/lloadd-empty.conf @@ -17,7 +17,7 @@ sockbuf_max_incoming_client 4194303 sockbuf_max_incoming_upstream 4194303 -feature proxyauthz +enable proxyauthz bindconf bindmethod=simple diff --git a/tests/data/lloadd-sasl.conf b/tests/data/lloadd-sasl.conf index c3d23ecd70..c8fd9c4932 100644 --- a/tests/data/lloadd-sasl.conf +++ b/tests/data/lloadd-sasl.conf @@ -17,7 +17,7 @@ sockbuf_max_incoming_client 4194303 sockbuf_max_incoming_upstream 4194303 -feature proxyauthz +enable proxyauthz bindconf bindmethod=sasl diff --git a/tests/data/lloadd-tls.conf b/tests/data/lloadd-tls.conf index 2821edc3b6..fc5bfb7bd5 100644 --- a/tests/data/lloadd-tls.conf +++ b/tests/data/lloadd-tls.conf @@ -26,7 +26,7 @@ TLSShareSlapdCTX yes sockbuf_max_incoming_client 4194303 sockbuf_max_incoming_upstream 4194303 -feature proxyauthz +enable proxyauthz bindconf bindmethod=simple diff --git a/tests/data/lloadd.conf b/tests/data/lloadd.conf index 8af8f7d070..964dd52cd7 100644 --- a/tests/data/lloadd.conf +++ b/tests/data/lloadd.conf @@ -17,7 +17,7 @@ sockbuf_max_incoming_client 4194303 sockbuf_max_incoming_upstream 4194303 -feature proxyauthz +enable proxyauthz bindconf bindmethod=simple
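Review bot: `LLOAD_FEATURES_DEFAULT` has to remain a subset of `LLOAD_FEATURE_SUPPORTED_MASK` — a default bit outside it would be switched on by the initialiser in config.c yet, if the supported-mask check (not visible here) applies to `disable` lines too, could never be switched off — and nothing in the header states or enforces that. Add the invariant beside the definition, `/* Features in effect unless a "disable" line turns them off; must be a subset of LLOAD_FEATURE_SUPPORTED_MASK. */`, and where the tree's compiler baseline allows it a compile-time assertion after both macros (the enumerators cannot be tested in `#if`). Because this flips proxyauthz on for every existing configuration that did not list it, the manpage's "enabled by default" sentence should be accompanied by an upgrade note about backends that lack the proxy authorization control or Who Am I? support.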