Permit lloadd to share slapd TLS context

doc/man/man5/lloadd.conf.5

@@ -70,9 +70,11 @@ interpretation wins and the
 option mentioned is unavailable through
 .BR slapd.conf (5)
 directly, instead, it would have to be configured via a dedicated attribute in
-cn=config. In particular,
+cn=config. In particular, unless the
+.B TLSShareSlapdCTX
+option is set,
 .B lloadd
-keeps its own TLS context and serving TLS to clients is not available except
+keeps its own TLS context which cannot be configured except
 through the dynamic configuration.
 
 An additional option is available when running as a
@@ -337,9 +339,32 @@ The default is 10000.
 If
 .B lloadd
 is built with support for Transport Layer Security, there are more options
-you can specify. None of these are available when compiled as a
+you can specify.
+
+.TP
+.B TLSShareSlapdCTX { on | off }
+If set to no (the default),
+.B lloadd
+will use its own TLS context (needs to be configured via
+.B cn=config
+unless
+.B lloadd
+is run as a standalone daemon). If enabled, the options for
+.B slapd
+apply instead, since the
+.BR slapd 's
+TLS context is used then.
+
+.LP
+
+The following options are available only when compiled as a standalone daemon.
+When compiled as a
 .BR slapd (8)
-module except through cn=config.
+module, the cn=config equivalents need to be used if a separate TLS context for
+the module is needed, otherwise use the
+.B TLSShareSlapdCTX
+option.
+
 .TP
 .B TLSCipherSuite <cipher-suite-spec>
 Permits configuring what ciphers will be accepted and the preference order.

servers/lloadd/client.c

@@ -294,7 +294,7 @@ client_tls_handshake_cb( evutil_socket_t s, short what, void *arg )
     }
     ldap_pvt_thread_mutex_unlock( &c->c_io_mutex );
 
-    rc = ldap_pvt_tls_accept( c->c_sb, lload_tls_ctx );
+    rc = ldap_pvt_tls_accept( c->c_sb, LLOAD_TLS_CTX );
     if ( rc < 0 ) {
         goto fail;
     }
@@ -374,7 +374,7 @@ client_init(
 
         c->c_is_tls = LLOAD_LDAPS;
 
-        rc = ldap_pvt_tls_accept( c->c_sb, lload_tls_ctx );
+        rc = ldap_pvt_tls_accept( c->c_sb, LLOAD_TLS_CTX );
         if ( rc < 0 ) {
             Debug( LDAP_DEBUG_CONNS, "client_init: "
                     "connid=%lu failed initial TLS accept rc=%d\n",

servers/lloadd/config.c

@@ -126,6 +126,7 @@ static ConfigDriver config_tls_option;
 static ConfigDriver config_tls_config;
 #endif
 #ifdef BALANCER_MODULE
+static ConfigDriver config_share_tls_ctx;
 static ConfigDriver backend_cf_gen;
 #endif /* BALANCER_MODULE */
 
@@ -153,6 +154,7 @@ enum {
     CFG_TLS_VERIFY,
     CFG_TLS_CRLCHECK,
     CFG_TLS_CRL_FILE,
+    CFG_TLS_SHARE_CTX,
     CFG_CONCUR,
     CFG_THREADS,
     CFG_LOGFILE,
@@ -587,6 +589,22 @@ static ConfigTable config_back_cf_table[] = {
             "SINGLE-VALUE )",
         NULL, NULL
     },
+    { "TLSShareSlapdCTX", NULL, 2, 2, 0,
+#if defined(HAVE_TLS) && defined(BALANCER_MODULE)
+        CFG_TLS_SHARE_CTX|ARG_ON_OFF|ARG_MAGIC,
+        &config_share_tls_ctx,
+#else
+        ARG_IGNORED,
+        NULL,
+#endif
+        "( OLcfgBkAt:13.33 "
+            "NAME 'olcBkLloadTLSShareSlapdCTX' "
+            "DESC 'Share slapd TLS context (all other lloadd TLS options cease to take effect)' "
+            "EQUALITY booleanMatch "
+            "SYNTAX OMsBoolean "
+            "SINGLE-VALUE )",
+        NULL, NULL
+    },
     { "iotimeout", "ms timeout", 2, 2, 0,
         ARG_UINT|ARG_MAGIC|CFG_IOTIMEOUT,
         &config_generic,
@@ -716,6 +734,7 @@ static ConfigOCs lloadocs[] = {
             "$ olcBkLloadTLSECName "
             "$ olcBkLloadTLSProtocolMin "
             "$ olcBkLloadTLSCRLFile "
+            "$ olcBkLloadTLSShareSlapdCTX "
         ") )",
         Cft_Backend, config_back_cf_table,
         NULL,
@@ -2008,6 +2027,31 @@ config_tls_config( ConfigArgs *c )
 }
 #endif
 
+#ifdef BALANCER_MODULE
+static int
+config_share_tls_ctx( ConfigArgs *c )
+{
+    int rc = LDAP_SUCCESS;
+
+    if ( c->op == SLAP_CONFIG_EMIT ) {
+        c->value_int = lload_use_slap_tls_ctx;
+        return rc;
+    }
+
+    lload_change.type = LLOAD_CHANGE_MODIFY;
+    lload_change.object = LLOAD_DAEMON;
+    lload_change.flags.daemon |= LLOAD_DAEMON_MOD_TLS;
+
+    if ( c->op == LDAP_MOD_DELETE ) {
+        lload_use_slap_tls_ctx = 0;
+        return rc;
+    }
+
+    lload_use_slap_tls_ctx = c->value_int;
+    return rc;
+}
+#endif /* BALANCER_MODULE */
+
 void
 lload_init_config_argv( ConfigArgs *c )
 {

servers/lloadd/extended.c

@@ -24,6 +24,9 @@ Avlnode *lload_exop_handlers = NULL;
 
 void *lload_tls_ctx;
 LDAP *lload_tls_ld, *lload_tls_backend_ld;
+#ifdef BALANCER_MODULE
+int lload_use_slap_tls_ctx = 0;
+#endif
 
 int
 handle_starttls( LloadConnection *c, LloadOperation *op )
@@ -44,7 +47,7 @@ handle_starttls( LloadConnection *c, LloadOperation *op )
     } else if ( c->c_ops ) {
         rc = LDAP_OPERATIONS_ERROR;
         msg = "cannot start TLS when operations are outstanding";
-    } else if ( !lload_tls_ctx ) {
+    } else if ( !LLOAD_TLS_CTX ) {
         rc = LDAP_UNAVAILABLE;
         msg = "Could not initialize TLS";
     }

servers/lloadd/lload.h

@@ -154,6 +154,12 @@ typedef enum {
     LLOAD_FEATURE_PROXYAUTHZ = 1 << 1,
 } lload_features_t;
 
+#ifdef BALANCER_MODULE
+#define LLOAD_TLS_CTX ( lload_use_slap_tls_ctx ? slap_tls_ctx : lload_tls_ctx )
+#else
+#define LLOAD_TLS_CTX ( lload_tls_ctx )
+#endif
+
 enum lload_tls_type {
     LLOAD_CLEARTEXT = 0,
     LLOAD_LDAPS,

servers/lloadd/proto-lload.h

@@ -128,6 +128,9 @@ LDAP_SLAPD_V (struct event *) lload_timeout_event;
 LDAP_SLAPD_V (LDAP *) lload_tls_backend_ld;
 LDAP_SLAPD_V (LDAP *) lload_tls_ld;
 LDAP_SLAPD_V (void *) lload_tls_ctx;
+#ifdef BALANCER_MODULE
+LDAP_SLAPD_V (int) lload_use_slap_tls_ctx;
+#endif /* BALANCER_MODULE */
 
 /*
  * extended.c