ITS#10502 lloadd: Add enable/disable keywords and enable proxyauthz by default

2026-06-11 09:40:11 -04:00 · 2026-05-14 15:36:42 +01:00 · 2026-05-14 15:36:42 +01:00 · f6ae8ef451
commit f6ae8ef451
parent 18403607b9
8 changed files with 77 additions and 13 deletions
--- a/doc/man/man5/lloadd.conf.5
+++ b/doc/man/man5/lloadd.conf.5
@ -135,7 +135,7 @@ thread system as a hint.  The default is not to provide any hint.
 .\" .B iotimeout
 .\" option.
 .TP
-.B feature <feature> [...]
+.B enable <feature>
 Switch additional features supported by the LDAP Load Balancer on.
 Supported features are:
 .RS
@ -148,7 +148,7 @@ the proxy authorization control (RFC 4370). No control is added to the
 operation if initiated by a client whose bound identity matches the identity
 configured in
 .B bindconf
-(no normalisation of the DN is attempted).
+(no normalisation of the DN is attempted). This feature is enabled by default.

 If SASL binds are issued by clients and this feature is enabled, backend
 servers need to support LDAP Who Am I? extended operation for the Load Balancer
@ -166,6 +166,12 @@ to detect the correct authorization identity.
 .RE
 .RE
 .TP
+.B disable <feature>
+Switch features supported by the LDAP Load Balancer off. See features listed in
+the
+.B enable
+option for a list.
+.TP
 .B include <filename>
 Read additional configuration information from the given file before
 continuing with the next line of the current file.
--- a/servers/lloadd/config.c
+++ b/servers/lloadd/config.c
@ -77,9 +77,11 @@ char *slapd_args_file = NULL;
 static struct timeval timeout_api_tv, timeout_net_tv,
        timeout_write_tv = { 10, 0 };

-lload_features_t lload_features;
+lload_features_t lload_features = LLOAD_FEATURES_DEFAULT;
 int lload_write_coherence = 0;

+static lload_features_t features_requested, features_disabled;
+
 ber_len_t sockbuf_max_incoming_client = LLOAD_SB_MAX_INCOMING_CLIENT;
 ber_len_t sockbuf_max_incoming_upstream = LLOAD_SB_MAX_INCOMING_UPSTREAM;
 ber_len_t sockbuf_max_pending_client = 0;
@ -158,6 +160,8 @@ enum {
    CFG_MAXBUF_UPSTREAM,
    CFG_MAXBUF_PENDING,
    CFG_FEATURE,
+    CFG_FEATURE_ENABLE,
+    CFG_FEATURE_DISABLE,
    CFG_THREADQS,
    CFG_TLS_ECNAME,
    CFG_TLS_CACERT,
@ -394,13 +398,28 @@ static ConfigTable config_back_cf_table[] = {
    { "feature", "name", 2, 0, 0,
        ARG_MAGIC|CFG_FEATURE,
        &config_feature,
+        NULL, NULL, NULL
+    },
+    { "enable", "name", 2, 2, 0,
+        ARG_MAGIC|CFG_FEATURE_ENABLE,
+        &config_feature,
        "( OLcfgBkAt:13.10 "
-            "NAME 'olcBkLloadFeature' "
+            "NAME ( 'olcBkLloadFeatureEnable' 'olcBkLloadFeature' ) "
            "DESC 'Lload features enabled' "
            "EQUALITY caseIgnoreMatch "
            "SYNTAX OMsDirectoryString )",
        NULL, NULL
    },
+    { "disable", "name", 2, 2, 0,
+        ARG_MAGIC|CFG_FEATURE_DISABLE,
+        &config_feature,
+        "( OLcfgBkAt:13.42 "
+            "NAME 'olcBkLloadFeatureDisable' "
+            "DESC 'Lload features disabled' "
+            "EQUALITY caseIgnoreMatch "
+            "SYNTAX OMsDirectoryString )",
+        NULL, NULL
+    },
    { "TLSCACertificate", NULL, 2, 2, 0,
 #ifdef HAVE_TLS
        CFG_TLS_CACERT|ARG_BINARY|ARG_MAGIC,
@ -818,7 +837,8 @@ static ConfigOCs lloadocs[] = {
            "$ olcBkLloadSockbufMaxUpstream "
            "$ olcBkLloadMaxPDUPerCycle "
            "$ olcBkLloadIOTimeout ) "
-        "MAY ( olcBkLloadFeature "
+        "MAY ( olcBkLloadFeatureEnable "
+            "$ olcBkLloadFeatureDisable "
            "$ olcBkLloadTcpBuffer "
            "$ olcBkLloadTLSCACertificateFile "
            "$ olcBkLloadTLSCACertificatePath "
@ -2092,11 +2112,24 @@ config_feature( ConfigArgs *c )
        { BER_BVC("read_pause"), LLOAD_FEATURE_PAUSE },
        { BER_BVNULL, 0 }
    };
+    lload_features_t *fp;
    slap_mask_t mask = 0;
    int i;

+    switch ( c->type ) {
+        case CFG_FEATURE:
+        case CFG_FEATURE_ENABLE:
+            fp = &features_requested;
+            break;
+        case CFG_FEATURE_DISABLE:
+            fp = &features_disabled;
+            break;
+        default:
+            return 1;
+    }
+
    if ( c->op == SLAP_CONFIG_EMIT ) {
-        return mask_to_verbs( features, lload_features, &c->rvalue_vals );
+        return mask_to_verbs( features, *fp, &c->rvalue_vals );
    }

    lload_change.type = LLOAD_CHANGE_MODIFY;
@ -2109,11 +2142,13 @@ config_feature( ConfigArgs *c )
    if ( c->op == LDAP_MOD_DELETE ) {
        if ( !c->line ) {
            /* Last value has been deleted */
-            lload_features = 0;
+            *fp = 0;
        } else {
            i = verb_to_mask( c->line, features );
-            lload_features &= ~features[i].mask;
+            *fp &= ~features[i].mask;
        }
+        lload_features = (LLOAD_FEATURES_DEFAULT & ~features_disabled) | \
+                         features_requested;
        return 0;
    }

@ -2136,7 +2171,23 @@ config_feature( ConfigArgs *c )
        }
    }

-    lload_features |= mask;
+    if ( features_requested & features_disabled ) {
+        lload_features_t overlap = features_requested & features_disabled;
+        for ( i = 1; i < c->argc; i++ ) {
+            int j = verb_to_mask( c->argv[i], features );
+            if ( features[j].mask & overlap ) {
+                snprintf( c->cr_msg, sizeof(c->cr_msg),
+                        "requested to both enable and disable feature %s",
+                        c->argv[i] );
+                Debug( LDAP_DEBUG_ANY, "%s: %s\n", c->log, c->cr_msg );
+            }
+        }
+        return 1;
+    }
+
+    *fp |= mask;
+    lload_features = (LLOAD_FEATURES_DEFAULT & ~features_disabled) | \
+                     features_requested;
    return 0;
 }

--- a/servers/lloadd/lload.h
+++ b/servers/lloadd/lload.h
@ -184,6 +184,10 @@ typedef enum {
    LLOAD_FEATURE_PAUSE = 1 << 2,
 } lload_features_t;

+#define LLOAD_FEATURES_DEFAULT ( \
+    LLOAD_FEATURE_PROXYAUTHZ | \
+    0 )
+
 #define LLOAD_FEATURE_SUPPORTED_MASK ( \
    LLOAD_FEATURE_PROXYAUTHZ | \
    0 )
--- a/tests/data/lloadd-anon.conf
+++ b/tests/data/lloadd-anon.conf
@ -17,6 +17,9 @@
 sockbuf_max_incoming_client 4194303
 sockbuf_max_incoming_upstream 4194303

+# we're anonymous and want to disable proxyauthz in this particular test
+disable proxyauthz
+
 tier roundrobin
 # empty tier

--- a/tests/data/lloadd-empty.conf
+++ b/tests/data/lloadd-empty.conf
@ -17,7 +17,7 @@
 sockbuf_max_incoming_client 4194303
 sockbuf_max_incoming_upstream 4194303

-feature proxyauthz
+enable proxyauthz

 bindconf
    bindmethod=simple
--- a/tests/data/lloadd-sasl.conf
+++ b/tests/data/lloadd-sasl.conf
@ -17,7 +17,7 @@
 sockbuf_max_incoming_client 4194303
 sockbuf_max_incoming_upstream 4194303

-feature proxyauthz
+enable proxyauthz

 bindconf
    bindmethod=sasl
--- a/tests/data/lloadd-tls.conf
+++ b/tests/data/lloadd-tls.conf
@ -26,7 +26,7 @@ TLSShareSlapdCTX yes
 sockbuf_max_incoming_client 4194303
 sockbuf_max_incoming_upstream 4194303

-feature proxyauthz
+enable proxyauthz

 bindconf
    bindmethod=simple
--- a/tests/data/lloadd.conf
+++ b/tests/data/lloadd.conf
@ -17,7 +17,7 @@
 sockbuf_max_incoming_client 4194303
 sockbuf_max_incoming_upstream 4194303

-feature proxyauthz
+enable proxyauthz

 bindconf
    bindmethod=simple