diff --git a/servers/lloadd/backend.c b/servers/lloadd/backend.c index 8628d46264..3bef93cfb3 100644 --- a/servers/lloadd/backend.c +++ b/servers/lloadd/backend.c @@ -39,7 +39,7 @@ upstream_name_cb( int result, struct evutil_addrinfo *res, void *arg ) if ( result || !res ) { Debug( LDAP_DEBUG_ANY, "upstream_name_cb: " "name resolution failed for backend '%s': %s\n", - b->b_bindconf.sb_uri.bv_val, evutil_gai_strerror( result ) ); + b->b_uri.bv_val, evutil_gai_strerror( result ) ); goto fail; } @@ -65,7 +65,7 @@ upstream_name_cb( int result, struct evutil_addrinfo *res, void *arg ) if ( rc && errno != EINPROGRESS && errno != EWOULDBLOCK ) { Debug( LDAP_DEBUG_ANY, "upstream_name_cb: " "failed to connect to server '%s'\n", - b->b_bindconf.sb_uri.bv_val ); + b->b_uri.bv_val ); goto fail; } @@ -115,7 +115,7 @@ backend_select( Operation *op ) if ( b->b_max_pending && b->b_n_ops_executing >= b->b_max_pending ) { Debug( LDAP_DEBUG_CONNS, "backend_select: " "backend %s too busy\n", - b->b_bindconf.sb_uri.bv_val ); + b->b_uri.bv_val ); ldap_pvt_thread_mutex_unlock( &b->b_mutex ); b = next; continue; @@ -316,7 +316,7 @@ backends_destroy( void ) Debug( LDAP_DEBUG_CONNS, "backends_destroy: " "destroying backend uri='%s', numconns=%d, numbindconns=%d\n", - b->b_bindconf.sb_uri.bv_val, b->b_numconns, b->b_numbindconns ); + b->b_uri.bv_val, b->b_numconns, b->b_numbindconns ); while ( !LDAP_CIRCLEQ_EMPTY( &b->b_bindconns ) ) { Connection *c = LDAP_CIRCLEQ_FIRST( &b->b_bindconns ); @@ -349,27 +349,7 @@ backends_destroy( void ) event_free( b->b_retry_event ); ch_free( b->b_host ); - ch_free( b->b_bindconf.sb_uri.bv_val ); - ch_free( b->b_bindconf.sb_binddn.bv_val ); - ch_free( b->b_bindconf.sb_cred.bv_val ); - ch_free( b->b_bindconf.sb_saslmech.bv_val ); - ch_free( b->b_bindconf.sb_secprops ); - ch_free( b->b_bindconf.sb_realm.bv_val ); - ch_free( b->b_bindconf.sb_authcId.bv_val ); - ch_free( b->b_bindconf.sb_authzId.bv_val ); - -#ifdef HAVE_TLS - ch_free( b->b_bindconf.sb_tls_cert ); - ch_free( b->b_bindconf.sb_tls_key ); - ch_free( b->b_bindconf.sb_tls_cacert ); - ch_free( b->b_bindconf.sb_tls_cacertdir ); - ch_free( b->b_bindconf.sb_tls_reqcert ); - ch_free( b->b_bindconf.sb_tls_cipher_suite ); - ch_free( b->b_bindconf.sb_tls_protocol_min ); -#ifdef HAVE_OPENSSL_CRL - ch_free( b->b_bindconf.sb_tls_crlcheck ); -#endif -#endif + ch_free( b->b_uri.bv_val ); ch_free( b ); } } diff --git a/servers/lloadd/config.c b/servers/lloadd/config.c index 5e9af80730..a11d758b2f 100644 --- a/servers/lloadd/config.c +++ b/servers/lloadd/config.c @@ -100,6 +100,7 @@ static ConfigFile *cfn; static ConfigDriver config_fname; static ConfigDriver config_generic; static ConfigDriver config_backend; +static ConfigDriver config_bindconf; #ifdef LDAP_TCP_BUFFER static ConfigDriver config_tcp_buffer; #endif /* LDAP_TCP_BUFFER */ @@ -116,10 +117,12 @@ slap_b_head backend = LDAP_CIRCLEQ_HEAD_INITIALIZER(backend); ldap_pvt_thread_mutex_t backend_mutex; Backend *current_backend = NULL; +struct slap_bindconf bindconf = {}; + enum { CFG_ACL = 1, CFG_BACKEND, - CFG_DATABASE, + CFG_BINDCONF, CFG_TLS_RAND, CFG_TLS_CIPHER, CFG_TLS_PROTOCOL_MIN, @@ -162,10 +165,14 @@ static ConfigTable config_back_cf_table[] = { ARG_INT|ARG_MAGIC|CFG_CONCUR, &config_generic, }, - { "backend", "type", 2, 0, 0, - ARG_MAGIC|CFG_DATABASE, + { "backend", "backend options", 2, 0, 0, + ARG_MAGIC|CFG_BACKEND, &config_backend, }, + { "bindconf", "backend credentials", 2, 0, 0, + ARG_MAGIC|CFG_BINDCONF, + &config_bindconf, + }, { "gentlehup", "on|off", 2, 2, 0, #ifdef SIGHUP ARG_ON_OFF, @@ -471,31 +478,14 @@ config_backend( ConfigArgs *c ) b->b_numbindconns = 1; for ( i = 1; i < c->argc; i++ ) { - if ( bindconf_parse( c->argv[i], b ) ) { + if ( backend_parse( c->argv[i], b ) ) { Debug( LDAP_DEBUG_ANY, "config_backend: " "error parsing backend configuration item '%s'\n", c->argv[i] ); - rc = -1; - goto done; + return -1; } } - bindconf_tls_defaults( &b->b_bindconf ); - - if ( b->b_bindconf.sb_method == LDAP_AUTH_SASL ) { -#ifndef HAVE_CYRUS_SASL - Debug( LDAP_DEBUG_ANY, "config_backend: " - "no sasl support available\n" ); - rc = -1; - goto done; -#else /* HAVE_CYRUS_SASL */ - Debug( LDAP_DEBUG_ANY, "config_backend: " - "no sasl support yet\n" ); - rc = -1; - goto done; -#endif - } - if ( b->b_numconns <= 0 ) { Debug( LDAP_DEBUG_ANY, "config_backend: " "invalid connection pool configuration\n" ); @@ -519,18 +509,18 @@ config_backend( ConfigArgs *c ) b->b_retry_tv.tv_sec = b->b_retry_timeout / 1000; b->b_retry_tv.tv_usec = ( b->b_retry_timeout % 1000 ) * 1000; - if ( BER_BVISNULL( &b->b_bindconf.sb_uri ) ) { + if ( BER_BVISNULL( &b->b_uri ) ) { Debug( LDAP_DEBUG_ANY, "config_backend: " "backend address not specified\n" ); rc = -1; goto done; } - rc = ldap_url_parse( b->b_bindconf.sb_uri.bv_val, &lud ); + rc = ldap_url_parse( b->b_uri.bv_val, &lud ); if ( rc != LDAP_URL_SUCCESS ) { Debug( LDAP_DEBUG_ANY, "config_backend: " "listen URL \"%s\" parse error=%d\n", - b->b_bindconf.sb_uri.bv_val, rc ); + b->b_uri.bv_val, rc ); rc = -1; goto done; } @@ -539,7 +529,7 @@ config_backend( ConfigArgs *c ) if ( ldap_pvt_url_scheme2tls( lud->lud_scheme ) ) { Debug( LDAP_DEBUG_ANY, "config_backend: " "TLS not supported (%s)\n", - b->b_bindconf.sb_uri.bv_val ); + b->b_uri.bv_val ); rc = -1; goto done; } @@ -581,7 +571,7 @@ config_backend( ConfigArgs *c ) if ( lud->lud_host == NULL || lud->lud_host[0] == '\0' ) { Debug( LDAP_DEBUG_ANY, "config_backend: " "backend url missing hostname: '%s'\n", - b->b_bindconf.sb_uri.bv_val ); + b->b_uri.bv_val ); rc = -1; goto done; } @@ -603,6 +593,37 @@ done: return rc; } +static int +config_bindconf( ConfigArgs *c ) +{ + int i; + + for ( i = 1; i < c->argc; i++ ) { + if ( bindconf_parse( c->argv[i], &bindconf ) ) { + Debug( LDAP_DEBUG_ANY, "config_bindconf: " + "error parsing backend configuration item '%s'\n", + c->argv[i] ); + return -1; + } + } + + bindconf_tls_defaults( &bindconf ); + + if ( bindconf.sb_method == LDAP_AUTH_SASL ) { +#ifndef HAVE_CYRUS_SASL + Debug( LDAP_DEBUG_ANY, "config_bindconf: " + "no sasl support available\n" ); + return -1; +#else /* HAVE_CYRUS_SASL */ + Debug( LDAP_DEBUG_ANY, "config_bindconf: " + "no sasl support yet\n" ); + return -1; +#endif + } + + return 0; +} + static int config_fname( ConfigArgs *c ) { @@ -1882,41 +1903,8 @@ slap_keepalive_parse( return 0; } -static int -slap_sb_uri( - struct berval *val, - void *bcp, - slap_cf_aux_table *tab0, - const char *tabmsg, - int unparse ) -{ - slap_bindconf *bc = bcp; - if ( unparse ) { - if ( bc->sb_uri.bv_len >= val->bv_len ) return -1; - val->bv_len = bc->sb_uri.bv_len; - AC_MEMCPY( val->bv_val, bc->sb_uri.bv_val, val->bv_len ); - } else { - bc->sb_uri = *val; -#ifdef HAVE_TLS - if ( ldap_is_ldaps_url( val->bv_val ) ) bc->sb_tls_do_init = 1; -#endif - } - return 0; -} - -static slap_cf_aux_table bindkey[] = { - { BER_BVC("uri="), offsetof(Backend, b_bindconf.sb_uri), 'x', 1, slap_sb_uri }, - { BER_BVC("bindmethod="), offsetof(Backend, b_bindconf.sb_method), 'i', 0, methkey }, - { BER_BVC("timeout="), offsetof(Backend, b_bindconf.sb_timeout_api), 'i', 0, NULL }, - { BER_BVC("network-timeout="), offsetof(Backend, b_bindconf.sb_timeout_net), 'i', 0, NULL }, - { BER_BVC("binddn="), offsetof(Backend, b_bindconf.sb_binddn), 'b', 1, NULL }, - { BER_BVC("credentials="), offsetof(Backend, b_bindconf.sb_cred), 'b', 1, NULL }, - { BER_BVC("saslmech="), offsetof(Backend, b_bindconf.sb_saslmech), 'b', 0, NULL }, - { BER_BVC("secprops="), offsetof(Backend, b_bindconf.sb_secprops), 's', 0, NULL }, - { BER_BVC("realm="), offsetof(Backend, b_bindconf.sb_realm), 'b', 0, NULL }, - { BER_BVC("authcID="), offsetof(Backend, b_bindconf.sb_authcId), 'b', 1, NULL }, - { BER_BVC("authzID="), offsetof(Backend, b_bindconf.sb_authzId), 'b', 1, NULL }, - { BER_BVC("keepalive="), offsetof(Backend, b_bindconf.sb_keepalive), 'x', 0, (slap_verbmasks *)slap_keepalive_parse }, +static slap_cf_aux_table backendkey[] = { + { BER_BVC("uri="), offsetof(Backend, b_uri), 'b', 1, NULL }, { BER_BVC("numconns="), offsetof(Backend, b_numconns), 'i', 0, NULL }, { BER_BVC("bindconns="), offsetof(Backend, b_numbindconns), 'i', 0, NULL }, @@ -1924,19 +1912,34 @@ static slap_cf_aux_table bindkey[] = { { BER_BVC("max-pending-ops="), offsetof(Backend, b_max_pending), 'i', 0, NULL }, { BER_BVC("conn-max-pending="), offsetof(Backend, b_max_conn_pending), 'i', 0, NULL }, + { BER_BVNULL, 0, 0, 0, NULL } +}; + +static slap_cf_aux_table bindkey[] = { + { BER_BVC("bindmethod="), offsetof(slap_bindconf, sb_method), 'i', 0, methkey }, + { BER_BVC("timeout="), offsetof(slap_bindconf, sb_timeout_api), 'i', 0, NULL }, + { BER_BVC("network-timeout="), offsetof(slap_bindconf, sb_timeout_net), 'i', 0, NULL }, + { BER_BVC("binddn="), offsetof(slap_bindconf, sb_binddn), 'b', 1, NULL }, + { BER_BVC("credentials="), offsetof(slap_bindconf, sb_cred), 'b', 1, NULL }, + { BER_BVC("saslmech="), offsetof(slap_bindconf, sb_saslmech), 'b', 0, NULL }, + { BER_BVC("secprops="), offsetof(slap_bindconf, sb_secprops), 's', 0, NULL }, + { BER_BVC("realm="), offsetof(slap_bindconf, sb_realm), 'b', 0, NULL }, + { BER_BVC("authcID="), offsetof(slap_bindconf, sb_authcId), 'b', 1, NULL }, + { BER_BVC("authzID="), offsetof(slap_bindconf, sb_authzId), 'b', 1, NULL }, + { BER_BVC("keepalive="), offsetof(slap_bindconf, sb_keepalive), 'x', 0, (slap_verbmasks *)slap_keepalive_parse }, #ifdef HAVE_TLS - { BER_BVC("starttls="), offsetof(Backend, b_bindconf.sb_tls), 'i', 0, tlskey }, - { BER_BVC("tls_cert="), offsetof(Backend, b_bindconf.sb_tls_cert), 's', 1, NULL }, - { BER_BVC("tls_key="), offsetof(Backend, b_bindconf.sb_tls_key), 's', 1, NULL }, - { BER_BVC("tls_cacert="), offsetof(Backend, b_bindconf.sb_tls_cacert), 's', 1, NULL }, - { BER_BVC("tls_cacertdir="), offsetof(Backend, b_bindconf.sb_tls_cacertdir), 's', 1, NULL }, - { BER_BVC("tls_reqcert="), offsetof(Backend, b_bindconf.sb_tls_reqcert), 's', 0, NULL }, - { BER_BVC("tls_reqsan="), offsetof(Backend, b_bindconf.sb_tls_reqsan), 's', 0, NULL }, - { BER_BVC("tls_cipher_suite="), offsetof(Backend, b_bindconf.sb_tls_cipher_suite), 's', 0, NULL }, - { BER_BVC("tls_protocol_min="), offsetof(Backend, b_bindconf.sb_tls_protocol_min), 's', 0, NULL }, - { BER_BVC("tls_ecname="), offsetof(Backend, b_bindconf.sb_tls_ecname), 's', 0, NULL }, + { BER_BVC("starttls="), offsetof(slap_bindconf, sb_tls), 'i', 0, tlskey }, + { BER_BVC("tls_cert="), offsetof(slap_bindconf, sb_tls_cert), 's', 1, NULL }, + { BER_BVC("tls_key="), offsetof(slap_bindconf, sb_tls_key), 's', 1, NULL }, + { BER_BVC("tls_cacert="), offsetof(slap_bindconf, sb_tls_cacert), 's', 1, NULL }, + { BER_BVC("tls_cacertdir="), offsetof(slap_bindconf, sb_tls_cacertdir), 's', 1, NULL }, + { BER_BVC("tls_reqcert="), offsetof(slap_bindconf, sb_tls_reqcert), 's', 0, NULL }, + { BER_BVC("tls_reqsan="), offsetof(slap_bindconf, sb_tls_reqsan), 's', 0, NULL }, + { BER_BVC("tls_cipher_suite="), offsetof(slap_bindconf, sb_tls_cipher_suite), 's', 0, NULL }, + { BER_BVC("tls_protocol_min="), offsetof(slap_bindconf, sb_tls_protocol_min), 's', 0, NULL }, + { BER_BVC("tls_ecname="), offsetof(slap_bindconf, sb_tls_ecname), 's', 0, NULL }, #ifdef HAVE_OPENSSL - { BER_BVC("tls_crlcheck="), offsetof(Backend, b_bindconf.sb_tls_crlcheck), 's', 0, NULL }, + { BER_BVC("tls_crlcheck="), offsetof(slap_bindconf, sb_tls_crlcheck), 's', 0, NULL }, #endif #endif { BER_BVNULL, 0, 0, 0, NULL } @@ -2212,15 +2215,21 @@ slap_tls_get_config( LDAP *ld, int opt, char **val ) } int -bindconf_parse( const char *word, Backend *b ) +backend_parse( const char *word, Backend *b ) { - return slap_cf_aux_table_parse( word, b, bindkey, "bind config" ); + return slap_cf_aux_table_parse( word, b, backendkey, "backend config" ); } int -bindconf_unparse( Backend *b, struct berval *bv ) +bindconf_parse( const char *word, slap_bindconf *bc ) { - return slap_cf_aux_table_unparse( b, bv, bindkey ); + return slap_cf_aux_table_parse( word, bc, bindkey, "bind config" ); +} + +int +bindconf_unparse( slap_bindconf *bc, struct berval *bv ) +{ + return slap_cf_aux_table_unparse( bc, bv, bindkey ); } void diff --git a/servers/lloadd/daemon.c b/servers/lloadd/daemon.c index c6dc81e719..b0e0d53680 100644 --- a/servers/lloadd/daemon.c +++ b/servers/lloadd/daemon.c @@ -1359,6 +1359,7 @@ slapd_daemon( struct event_base *daemon_base ) ldap_pvt_thread_pool_close( &connection_pool, 1 ); backends_destroy(); clients_destroy(); + bindconf_free( &bindconf ); evdns_base_free( dnsbase, 0 ); ch_free( daemon_tid ); diff --git a/servers/lloadd/slap.h b/servers/lloadd/slap.h index a3193eb3aa..6d7153a48f 100644 --- a/servers/lloadd/slap.h +++ b/servers/lloadd/slap.h @@ -128,6 +128,7 @@ LDAP_SLAPD_V (slap_b_head) backend; LDAP_SLAPD_V (slap_c_head) clients; LDAP_SLAPD_V (ldap_pvt_thread_mutex_t) backend_mutex; LDAP_SLAPD_V (Backend *) current_backend; +LDAP_SLAPD_V (struct slap_bindconf) bindconf; LDAP_SLAPD_V (int) slapMode; #define SLAP_UNDEFINED_MODE 0x0000 @@ -246,9 +247,9 @@ enum lload_tls_type { /* Can hold mutex when locking a linked connection */ struct Backend { - struct slap_bindconf b_bindconf; ldap_pvt_thread_mutex_t b_mutex; + struct berval b_uri; int b_proto, b_port; enum lload_tls_type b_tls; char *b_host; diff --git a/servers/lloadd/upstream.c b/servers/lloadd/upstream.c index 19fd327e88..9a42d15485 100644 --- a/servers/lloadd/upstream.c +++ b/servers/lloadd/upstream.c @@ -167,7 +167,7 @@ handle_vc_bind_response( Operation *op, BerElement *ber ) CONNECTION_LOCK(upstream); b = (Backend *)upstream->c_private; Debug( LDAP_DEBUG_ANY, "VC extended operation not supported on backend %s\n", - b->b_bindconf.sb_uri.bv_val ); + b->b_uri.bv_val ); CONNECTION_UNLOCK(upstream); } @@ -779,20 +779,20 @@ upstream_bind( void *ctx, void *arg ) CONNECTION_UNLOCK_INCREF(c); ldap_pvt_thread_mutex_lock( &b->b_mutex ); - if ( b->b_bindconf.sb_method == LDAP_AUTH_SIMPLE ) { + if ( bindconf.sb_method == LDAP_AUTH_SIMPLE ) { /* simple bind */ ber_printf( ber, "{it{iOtON}}", msgid, LDAP_REQ_BIND, LDAP_VERSION3, - &b->b_bindconf.sb_binddn, LDAP_AUTH_SIMPLE, - &b->b_bindconf.sb_cred ); + &bindconf.sb_binddn, LDAP_AUTH_SIMPLE, + &bindconf.sb_cred ); #ifdef HAVE_CYRUS_SASL } else { BerValue cred = BER_BVNULL; ber_printf( ber, "{it{iOt{OON}N}}", msgid, LDAP_REQ_BIND, LDAP_VERSION3, - &b->b_bindconf.sb_binddn, LDAP_AUTH_SASL, - &b->b_bindconf.sb_saslmech, BER_BV_OPTIONAL( &cred ) ); + &bindconf.sb_binddn, LDAP_AUTH_SASL, + &bindconf.sb_saslmech, BER_BV_OPTIONAL( &cred ) ); #endif /* HAVE_CYRUS_SASL */ } ldap_pvt_thread_mutex_unlock( &b->b_mutex ); @@ -857,7 +857,7 @@ upstream_init( ber_socket_t s, Backend *b ) } } - if ( is_bindconn || b->b_bindconf.sb_method == LDAP_AUTH_NONE ) { + if ( is_bindconn || bindconf.sb_method == LDAP_AUTH_NONE ) { if ( upstream_finish( c ) ) { goto fail; }