diff --git a/servers/lloadd/bind.c b/servers/lloadd/bind.c
index 25d383868c..12db80415e 100644
--- a/servers/lloadd/bind.c
+++ b/servers/lloadd/bind.c
@@ -56,6 +56,7 @@ bind_mech_external(
 goto done;
 }
+#ifdef HAVE_TLS
 ssl = ldap_pvt_tls_sb_ctx( client->c_sb );
 if ( !ssl || ldap_pvt_tls_get_peer_dn( ssl, &binddn, NULL, 0 ) ) {
 result = LDAP_INVALID_CREDENTIALS;
@@ -74,6 +75,10 @@ bind_mech_external(
 if ( !ber_bvstrcasecmp( &client->c_auth, &lloadd_identity ) ) {
 client->c_type = LLOAD_C_PRIVILEGED;
 }
+#else /* ! HAVE_TLS */
+ result = LDAP_AUTH_METHOD_NOT_SUPPORTED;
+ message = "requested SASL mechanism not supported";
+#endif /* ! HAVE_TLS */
 done:
 CONNECTION_UNLOCK(client);
diff --git a/servers/lloadd/client.c b/servers/lloadd/client.c
index 3d080a77a1..e4e1682bb1 100644
--- a/servers/lloadd/client.c
+++ b/servers/lloadd/client.c
@@ -288,6 +288,7 @@ handle_one_request( LloadConnection *c )
 return handler( c, op );
 }
+#ifdef HAVE_TLS
 /*
 * The connection has a token assigned to it when the callback is set up.
 */
@@ -385,6 +386,7 @@ fail:
 CONNECTION_LOCK_DESTROY(c);
 epoch_leave( epoch );
 }
+#endif /* HAVE_TLS */
 LloadConnection *
 client_init(
@@ -413,6 +415,7 @@ client_init(
 c->c_state = LLOAD_C_READY;
 if ( flags & CONN_IS_TLS ) {
+#ifdef HAVE_TLS
 int rc;
 c->c_is_tls = LLOAD_LDAPS;
@@ -430,6 +433,9 @@ client_init(
 c->c_read_timeout = lload_timeout_net;
 read_cb = write_cb = client_tls_handshake_cb;
 }
+#else /* ! HAVE_TLS */
+ assert(0);
+#endif /* ! HAVE_TLS */
 }
 event = event_new( base, s, EV_READ|EV_PERSIST, read_cb, c );
diff --git a/servers/lloadd/config.c b/servers/lloadd/config.c
index dad2670b5e..91e54e8519 100644
--- a/servers/lloadd/config.c
+++ b/servers/lloadd/config.c
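Review bot: `assert(0);` in the new `#else` branch of client_init is compiled out under NDEBUG, so a release build that is handed a CONN_IS_TLS connection without TLS support does not stop there: it falls through to the `event = event_new( base, s, EV_READ|EV_PERSIST, read_cb, c );` line with whatever read_cb/write_cb were set up for cleartext, and a listener the operator configured for TLS would serve plaintext. The branch should fail closed in every build: log it and take client_init's failure path, e.g. `Debug( LDAP_DEBUG_ANY, "client_init: TLS requested but lloadd was built without TLS support\n" );` followed by the function's existing error exit (client_init starts before and ends after this hunk, so I cannot see whether that is a `goto fail` or a direct release and `return NULL`). It would also be consistent with the config.c hunk in this change to reject TLS listeners at configuration time in non-TLS builds, if that is not already done elsewhere.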
@@ -3671,6 +3671,19 @@ backend_cf_gen( ConfigArgs *c )
 "invalid starttls configuration" );
 goto fail;
 }
+#ifndef HAVE_TLS
+ if ( tlskey[i].mask == LLOAD_STARTTLS_OPTIONAL ) {
+ Debug( LDAP_DEBUG_ANY, "%s: "
+ "lloadd compiled without TLS but starttls specified, "
+ "it will be ignored\n",
+ c->log );
+ } else if ( tlskey[i].mask != LLOAD_CLEARTEXT ) {
+ snprintf( c->cr_msg, sizeof(c->cr_msg),
+ "invalid starttls configuration when compiled without "
+ "TLS support" );
+ goto fail;
+ }
+#endif /* ! HAVE_TLS */
 b->b_tls_conf = tlskey[i].mask;
 }
 break;
 default:
diff --git a/servers/lloadd/daemon.c b/servers/lloadd/daemon.c
index 3ddee5dee4..b88571a13a 100644
--- a/servers/lloadd/daemon.c
+++ b/servers/lloadd/daemon.c
@@ -1410,6 +1410,7 @@ backend_conn_cb( ldap_pvt_thread_start_t *start, void *startarg, void *arg )
 return 0;
 }
+#ifdef HAVE_TLS
 int
 client_tls_cb( ldap_pvt_thread_start_t *start, void *startarg, void *arg )
 {
@@ -1422,6 +1423,7 @@ client_tls_cb( ldap_pvt_thread_start_t *start, void *startarg, void *arg )
 }
 return 0;
 }
+#endif /* HAVE_TLS */
 void
 lload_handle_backend_invalidation( LloadChange *change )
@@ -1648,6 +1650,7 @@ lload_handle_global_invalidation( LloadChange *change )
 assert( !feature_diff );
 }
+#ifdef HAVE_TLS
 if ( change->flags.daemon & LLOAD_DAEMON_MOD_TLS ) {
 /* terminate all clients with TLS set up */
 ldap_pvt_thread_pool_walk(
@@ -1670,6 +1673,7 @@ lload_handle_global_invalidation( LloadChange *change )
 }
 }
 }
+#endif /* HAVE_TLS */
 if ( change->flags.daemon & LLOAD_DAEMON_MOD_BINDCONF ) {
 LloadBackend *b;
diff --git a/servers/lloadd/extended.c b/servers/lloadd/extended.c
index 89f8afaad9..5fbdf5e11c 100644
--- a/servers/lloadd/extended.c
+++ b/servers/lloadd/extended.c
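Review bot: After the new warning for LLOAD_STARTTLS_OPTIONAL, the unchanged `b->b_tls_conf = tlskey[i].mask;` still records the optional StartTLS mode that the log line says will be ignored, so a non-TLS build carries a b_tls_conf value it can never honour, and every later reader of that field (outside this hunk; the upstream.c hunks in this change only guard the c_is_tls assignment) has to know that optional means cleartext there. I would make the downgrade explicit at the assignment itself: wrap the existing `b->b_tls_conf = tlskey[i].mask;` in `#ifdef HAVE_TLS` with `b->b_tls_conf = LLOAD_CLEARTEXT;` in its `#else`, which is equivalent for the only two masks that reach it without TLS. If the original value has to survive for config read-back, a comment on the `#endif /* ! HAVE_TLS */` stating that non-TLS builds treat optional as cleartext would serve instead. backend_cf_gen starts before this hunk and continues after it.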
@@ -22,11 +22,13 @@
 Avlnode *lload_exop_handlers = NULL;
+#ifdef HAVE_TLS
 void *lload_tls_ctx;
 LDAP *lload_tls_ld, *lload_tls_backend_ld;
 #ifdef BALANCER_MODULE
 int lload_use_slap_tls_ctx = 0;
 #endif
+#endif /* HAVE_TLS */
 int
 handle_starttls( LloadConnection *c, LloadOperation *op )
@@ -42,6 +44,7 @@ handle_starttls( LloadConnection *c, LloadOperation *op )
 assert( op == found );
 c->c_n_ops_executing--;
+#ifdef HAVE_TLS
 if ( c->c_is_tls == LLOAD_TLS_ESTABLISHED ) {
 rc = LDAP_OPERATIONS_ERROR;
 msg = "TLS layer already in effect";
@@ -55,6 +58,11 @@ handle_starttls( LloadConnection *c, LloadOperation *op )
 rc = LDAP_UNAVAILABLE;
 msg = "Could not initialize TLS";
 }
+#else /* ! HAVE_TLS */
+ rc = LDAP_UNAVAILABLE;
+ msg = "Could not initialize TLS";
+#endif /* ! HAVE_TLS */
+
 CONNECTION_UNLOCK(c);
 Debug( LDAP_DEBUG_STATS, "handle_starttls: "
@@ -67,6 +75,7 @@ handle_starttls( LloadConnection *c, LloadOperation *op )
 return LDAP_SUCCESS;
 }
+#ifdef HAVE_TLS
 event_del( c->c_read_event );
 event_del( c->c_write_event );
 /*
@@ -109,6 +118,7 @@ handle_starttls( LloadConnection *c, LloadOperation *op )
 operation_unlink( op );
 return -1;
+#endif /* HAVE_TLS */
 }
 int
diff --git a/servers/lloadd/upstream.c b/servers/lloadd/upstream.c
index 7a450aab80..1f0ee18eeb 100644
--- a/servers/lloadd/upstream.c
+++ b/servers/lloadd/upstream.c
@@ -281,7 +281,9 @@ sasl_bind_step( LloadConnection *c, BerValue *scred, BerValue *ccred )
 if ( !ctx ) {
 const char *mech = NULL;
+#ifdef HAVE_TLS
 void *ssl;
+#endif /* HAVE_TLS */
 if ( sasl_client_new( "ldap", b->b_host, NULL, NULL, client_callbacks, 0, &ctx ) != SASL_OK ) {
@@ -688,6 +690,7 @@ upstream_finish( LloadConnection *c )
 return LDAP_SUCCESS;
 }
+#ifdef HAVE_TLS
 static void
 upstream_tls_handshake_cb( evutil_socket_t s, short what, void *arg )
 {
@@ -872,6 +875,7 @@ fail:
 CONNECTION_DESTROY(c);
 return -1;
 }
+#endif /* HAVE_TLS */
 /*
 * We must already hold b->b_mutex when called.
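Review bot: The `#else /* ! HAVE_TLS */` branch of handle_starttls answers with LDAP_UNAVAILABLE and `"Could not initialize TLS"`, the same result the TLS-enabled path uses for a runtime failure, so a client or operator cannot tell a permanently absent feature from a broken TLS setup. As I read RFC 4511 section 4.14.2, protocolError is the result for "TLS not supported" and unavailable is reserved for a problem with TLS itself, so the two lines would better be `rc = LDAP_PROTOCOL_ERROR;` and `msg = "TLS not supported";`. handle_starttls begins before this hunk.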
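Review bot: With HAVE_TLS undefined, handle_starttls now ends at the `}` that follows the new `#endif /* HAVE_TLS */` with no return statement on that path, because the `return -1;` above it sits inside the conditional opened in the previous hunk. In a non-TLS build rc is always LDAP_UNAVAILABLE, so the earlier error branch (which returns LDAP_SUCCESS according to the `return LDAP_SUCCESS; }` context two hunks up; the function starts outside this hunk, so I am inferring its shape) presumably always exits first, but the compiler cannot prove that, `-Wreturn-type` will warn, and any later change to that branch turns falling off the end into undefined behaviour. Adding `#else /* ! HAVE_TLS */` and `return LDAP_SUCCESS;` (or whatever the error branch returns) before the `#endif` closes the gap cheaply.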
@@ -893,7 +897,9 @@ upstream_init( ber_socket_t s, LloadBackend *b )
 CONNECTION_LOCK(c);
 c->c_private = b;
+#ifdef HAVE_TLS
 c->c_is_tls = b->b_tls;
+#endif
 c->c_pdu_cb = handle_one_response;
 LDAP_CIRCLEQ_INSERT_HEAD( &b->b_preparing, c, c_next );
@@ -924,10 +930,13 @@ upstream_init( ber_socket_t s, LloadBackend *b )
 c->c_destroy = upstream_destroy;
 c->c_unlink = upstream_unlink;
+#ifdef HAVE_TLS
 if ( c->c_is_tls == LLOAD_CLEARTEXT ) {
+#endif /* HAVE_TLS */
 if ( upstream_finish( c ) ) {
 goto fail;
 }
+#ifdef HAVE_TLS
 } else if ( c->c_is_tls == LLOAD_LDAPS ) {
 event_assign( c->c_read_event, base, s, EV_READ|EV_PERSIST,
 upstream_tls_handshake_cb, c );
@@ -958,6 +967,7 @@ upstream_init( ber_socket_t s, LloadBackend *b )
 event_add( c->c_read_event, c->c_read_timeout );
 }
 }
+#endif /* HAVE_TLS */
 CONNECTION_UNLOCK(c);
 return c;
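Review bot: Putting the `if ( c->c_is_tls == LLOAD_CLEARTEXT ) {` line and its closing brace into two separate `#ifdef HAVE_TLS` islands in upstream_init (the middle hunk opens the brace, the last hunk closes it) leaves a block that opens inside one preprocessor conditional and closes inside another, which reads badly and is fragile the next time someone edits the chain. One `#ifdef HAVE_TLS` / `#else` around the whole if-chain, repeating the three-line cleartext body in the `#else`, keeps every brace inside a single conditional at the cost of three duplicated lines; the shape is below, with the `#else` taking the place of the `#endif /* HAVE_TLS */` the last hunk adds. Separately, the first hunk now leaves `c->c_is_tls` unassigned in non-TLS builds; if the field still exists there and is read anywhere, that relies on the connection having been zero-initialised and on LLOAD_CLEARTEXT being that value, which deserves either a comment on the bare `#endif` or an explicit `c->c_is_tls = LLOAD_CLEARTEXT;` in an `#else`.
```c
#ifdef HAVE_TLS
    if ( c->c_is_tls == LLOAD_CLEARTEXT ) {
        if ( upstream_finish( c ) ) {
            goto fail;
        }
    } else if ( c->c_is_tls == LLOAD_LDAPS ) {
        /* … unchanged: LDAPS and StartTLS setup, continuing into the last hunk … */
    }
#else /* ! HAVE_TLS */
    if ( upstream_finish( c ) ) {
        goto fail;
    }
#endif /* ! HAVE_TLS */
```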