LLOADD.CONF(5)               File Formats Manual               LLOADD.CONF(5)

NAME
       lloadd.conf - configuration file for lloadd, the stand-alone LDAP
       daemon

SYNOPSIS
       /etc/openldap/lloadd.conf

DESCRIPTION
       The file /etc/openldap/lloadd.conf contains configuration information
       for the lloadd(8) daemon.

       The lloadd.conf file consists of a series of global configuration
       options that apply to lloadd as a whole (including all backends),
       followed by zero or more backend definitions that contain information
       specific to how a backend instance should be contacted.  The
       configuration options are case-insensitive; their values, on a case
       by case basis, may be case-sensitive.

       The general format of lloadd.conf is as follows:

           # comment - these options apply to the server as a whole
           <global configuration options>
           # first backend definition
           backend-server <backend 1 definition>
           # subsequent backend definitions
           ...

       As many backend servers may be configured as desired.

       If a line begins with white space, it is considered a continuation of
       the previous line.  No physical line should be over 2000 bytes long.

       Blank lines and comment lines beginning with a `#' character are
       ignored.  Note: continuation lines are unwrapped before comment
       processing is applied, so a line that begins with white space is
       joined to the preceding line even when that line is a comment, and is
       then discarded together with it.

       Arguments on configuration lines are separated by white space.  If an
       argument contains white space, the argument should be enclosed in
       double quotes.  If an argument contains a double quote (`"') or a
       backslash character (`\'), the character should be preceded by a
       backslash character.

       The specific configuration options available are discussed below in
       the Global Configuration Options and General Backend Options.  Refer
       to the "OpenLDAP Administrator's Guide" for more details on the lloadd
       configuration file.

       When lloadd is run as a slapd(8) module rather than as a standalone
       daemon, any lloadd option that shares its name with an option in
       slapd.conf(5) is interpreted by slapd, so the lloadd meaning of that
       option is unavailable through slapd.conf(5) directly; instead it has
       to be configured via the dedicated attribute in cn=config.  In
       particular, unless the TLSShareSlapdCTX option is set, lloadd keeps
       its own TLS context, which cannot be configured except through the
       dynamic configuration.

       An additional option is available when running as a slapd module:

       listen <listen URIs>
              The URIs the Load Balancer module should listen on.  These must
              not overlap with the ones that slapd uses for its own listening
              sockets.  The related cn=config attribute is olcBkLloadListen,
              with each URI provided as a separate value.  No changes to this
              attribute made after the server has started up will take effect
              until it is restarted.

GLOBAL CONFIGURATION OPTIONS
       Options described in this section apply to all backends.  Arguments
       that should be replaced by actual text are shown in brackets <>.

       argsfile <filename>
              The (absolute) name of a file that will hold the lloadd
              server's command line (program name and options).

       concurrency <integer>
              Specify a desired level of concurrency.  Provided to the
              underlying thread system as a hint.  The default is not to
              provide any hint.

       feature <feature> [...]
              Switch additional features supported by the LDAP Load Balancer
              on.  Supported features are:

              proxyauthz
                     When proxying an operation, pass the client's authorized
                     identity to the backend using the proxy authorization
                     control (RFC 4370).  No control is added to the
                     operation if it was initiated by a client whose bound
                     identity matches the identity configured in bindconf
                     (the DNs are compared as given; no normalisation of the
                     DN is attempted).

                     For the backend to honour the control, the identity
                     lloadd binds with must be allowed to assume the clients'
                     identities there; in slapd(8) this is governed by the
                     authz-policy directive and the authzTo/authzFrom
                     attributes (see slapd.conf(5)).  Otherwise the backend
                     refuses the proxied operations.

                     If SASL binds are issued by clients and this feature is
                     enabled, backend servers need to support the LDAP "Who
                     am I?" extended operation (RFC 4532) for the Load
                     Balancer to detect the correct authorization identity.

       include <filename>
              Read additional configuration information from the given file
              before continuing with the next line of the current file.

       io-threads <integer>
              Specify the number of threads to use for the connection
              manager.  The default is 1 and this is typically adequate for
              up to 16 CPU cores.  The value should be set to a power of 2.

              If modified after the server starts up, a change to this option
              will not take effect until the server has been restarted.

       logfile <filename>
              Specify a file for recording lloadd debug messages.  By default
              these messages only go to stderr, are not recorded anywhere
              else, and are unrelated to the messages exposed by the loglevel
              configuration parameter.  Specifying a logfile copies messages
              to both stderr and the logfile.

       logfile-format debug | syslog-utc | syslog-localtime
              Specify the prefix format for messages written to the logfile.
              The debug format is the normal format used for slapd debug
              messages, with a timestamp in hexadecimal, followed by a thread
              ID.  The other options use syslog(3) style prefixes, with
              timestamps either in UTC or in the local timezone.  The default
              is the debug format.

       logfile-only on | off
              Specify that debug messages should only go to the configured
              logfile, and not to stderr.

       logfile-rotate <max> <Mbytes> <hours>
              Specify automatic rotation for the configured logfile as the
              maximum number of old logfiles to retain, a maximum size in
              megabytes to allow a logfile to grow before rotation, and a
              maximum age in hours for a logfile to be used before rotation.
              The maximum number must be in the range 1-99.  Setting Mbytes
              or hours to zero disables the size or age check, respectively.
              At least one of Mbytes or hours must be non-zero.  By default
              no automatic rotation will be performed.

       loglevel <integer> [...]
              Specify the level at which debugging statements and operation
              statistics should be syslogged (currently logged to the
              syslogd(8) LOG_LOCAL4 facility).  The levels must be considered
              subsystems rather than increasingly verbose log levels.  Some
              messages with higher priority are logged regardless of the
              configured loglevel as soon as any logging is configured.  Log
              levels are additive, and available levels are:
                     1      (0x1 trace) trace function calls
                     2      (0x2 packets) debug packet handling
                     4      (0x4 args) heavy trace debugging (function args)
                     8      (0x8 conns) connection management
                     16     (0x10 BER) print out packets sent and received
                     64     (0x40 config) configuration file processing
                     256    (0x100 stats) connections, LDAP operations,
                            results (recommended)
                     512    (0x200 stats2) stats log entries sent

                     32768  (0x8000 none) only messages that get logged
                            whatever log level is set
              The desired log level can be input as a single integer that
              combines the (ORed) desired levels, both in decimal or in
              hexadecimal notation, as a list of integers (that are ORed
              internally), or as a list of the names that are shown between
              parentheses, such that

                     loglevel 513
                     loglevel 0x201
                     loglevel 512 1
                     loglevel 0x200 0x1
                     loglevel stats2 trace

              are equivalent (513 = 0x200 + 0x1, i.e. stats2 plus trace; the
              stats level is 256).  The keyword any can be used as a
              shortcut to enable logging at all levels (equivalent to -1).
              The keyword none, or the equivalent integer representation,
              causes those messages that are logged regardless of the
              configured loglevel to be logged.  In fact, if loglevel is set
              to 0, no logging occurs, so at least the none level is required
              to have high priority messages logged.

              The loglevel defaults to stats.  This level should usually also
              be included when using other loglevels, to help analyze the
              logs.
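
              The following is an added example, not part of this manual
              page or of OpenLDAP: it resolves loglevel arguments by the rules
              above (decimal, hex or names, ORed together, any = -1, 0 = no
              logging), so that spellings of the same mask can be checked
              mechanically.  Matching names case-insensitively and treating a
              leading 0 as octal (as C strtol with base 0 does) are
              assumptions of the example.

```python
"""Resolve lloadd `loglevel` arguments into the integer mask they denote.
Added illustration of the rules in lloadd.conf(5), not OpenLDAP code."""

# Level names and values as listed under `loglevel` in lloadd.conf(5).
LOGLEVELS = {
    "trace": 0x1, "packets": 0x2, "args": 0x4, "conns": 0x8, "ber": 0x10,
    "config": 0x40, "stats": 0x100, "stats2": 0x200, "none": 0x8000,
}
ANY = -1  # the keyword "any": every level (equivalent to -1)


def _strtol0(text):
    """Integer conversion like C strtol(text, NULL, 0): 0x.. is hex, a
    leading 0 is octal, anything else decimal (assumption of this example)."""
    digits = text.lower().lstrip("-")
    if digits.startswith("0x"):
        return int(text, 16)
    if len(digits) > 1 and digits.startswith("0"):
        return int(text, 8)
    return int(text, 10)


def parse_loglevel(args):
    """OR together the arguments following `loglevel`: decimal or hex
    integers, or level names (matched case-insensitively, an assumption)."""
    if not args:
        raise ValueError("loglevel requires at least one argument")
    mask = 0
    for arg in args:
        name = arg.lower()
        if name == "any":
            return ANY
        if name in LOGLEVELS:
            mask |= LOGLEVELS[name]
            continue
        try:
            value = _strtol0(arg)
        except ValueError:
            raise ValueError(f"unknown loglevel argument {arg!r}") from None
        if value == ANY:
            return ANY
        if value < 0:
            raise ValueError(f"negative loglevel {arg!r}")
        mask |= value
    return mask


def describe_loglevel(mask):
    """Names of the subsystems enabled by a mask, lowest bit first; bits
    without a name in the table are reported in hex."""
    if mask == ANY:
        return ["any"]
    names = [name for name, bit in sorted(LOGLEVELS.items(), key=lambda kv: kv[1])
             if mask & bit]
    known = 0
    for bit in LOGLEVELS.values():
        known |= bit
    if mask & ~known:
        names.append(hex(mask & ~known))
    return names


def logs_high_priority(mask):
    """True if the messages logged "whatever log level is set" are emitted:
    any non-zero loglevel suffices, while 0 logs nothing at all."""
    return mask != 0
```

              Note that "loglevel stats trace" resolves to 257, not 513: the
              names are not interchangeable with the numbers of a different
              level.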

       pidfile <filename>
              The (absolute) name of a file that will hold the lloadd
              server's process ID (see getpid(2)).

       sockbuf_max_incoming_client <integer>
              Specify the maximum LDAP PDU size accepted coming from clients.
              The default is 262143.

       sockbuf_max_incoming_upstream <integer>
              Specify the maximum LDAP PDU size accepted coming from upstream
              connections.  The default is 4194303.

       tcp-buffer [listener=<URL>] [{read|write}=]<size>
              Specify the size of the TCP buffer.  A global value for both
              read and write TCP buffers related to any listener is defined,
              unless the listener is explicitly specified, or either the read
              or write qualifiers are used.  See tcp(7) for details.  Note
              that some OS-es implement automatic TCP buffer tuning.

       threads <integer>
              Specify the maximum size of the primary thread pool.  The
              default is 16; the minimum value is 2.

       threadqueues <integer>
              Specify the number of work queues to use for the primary thread
              pool.  The default is 1 and this is typically adequate for up
              to 8 CPU cores.  The value should not exceed the number of CPUs
              in the system.

       max_pdus_per_cycle <integer>
              If set to 0, PDUs are handled by the I/O threads directly;
              otherwise a task is queued to be picked up by the thread pool.
              This task will process PDUs from the connection until there is
              no more data to be read or this limit is reached, at which
              point the I/O thread can pick the connection up again.  Very
              high values have the potential to starve some connections in a
              very high-bandwidth environment.  The default is 1000.

       client_max_pending <integer>
              Limit the number of unfinished operations allowed on each
              client connection.  The default is 0, unlimited.  Together with
              the per-backend conn-max-pending and max-pending-ops limits,
              this bounds how much work a single client can have in flight,
              and therefore how much of the backends' capacity it can tie
              up.

       iotimeout <integer>
              Specify the number of milliseconds to wait before forcibly
              closing a connection with an outstanding write.  This allows
              faster recovery from various network hang conditions.  An
              iotimeout of 0 disables this feature.  The default is 10000.

       write_coherence <integer>
              Specify the number of seconds after a write operation is
              finished that lloadd will direct operations exclusively to the
              last selected backend.  A write operation is anything not
              handled internally (certain exops, abandon), except search,
              compare and bind operations.  Bind operations also reset this
              restriction.  The default is 0: write operations do not
              restrict selection.  When negative, the restriction is not
              time limited and will persist until the next bind.

       restrict_exop <OID> <action>
              Tell lloadd that the extended operation with the given OID
              should be handled in a specific way.  OID 1.1 is special and
              sets a default (only for operations not handled internally).
              The meaning of the <action> argument is the same as in
              restrict_control below.

       restrict_control <OID> <action>
              Tell lloadd that a control with the given OID attached to any
              operation should be handled in a specific way according to the
              <action> argument.  At the moment, only operations passed
              intact are inspected in this way; in particular, controls on
              bind and extended operations are not checked.

              In order of descending priority (the control with the highest
              priority action wins), the available actions are:

              reject operations that carry this control will be rejected.
              connection
                     once an upstream is selected, every future operation
                     from this client will be directed to the same
                     connection.  Useful when state is shared between client
                     and upstream that the load balancer doesn't track.
              backend
                     like write, except this does not time out.
              write  this is treated like a write operation (see
                     write_coherence above).
              ignore does not influence restrictions; useful when changing
                     the global exop default.  This is the default handling
                     for exops/controls not handled by the load balancer
                     internally.

TLS OPTIONS
       If lloadd is built with support for Transport Layer Security, there
       are more options you can specify.

       TLSShareSlapdCTX { on | off }
              If set to off (the default), lloadd will use its own TLS
              context (which needs to be configured via cn=config unless
              lloadd is run as a standalone daemon).  If enabled, the TLS
              options of slapd apply instead, since slapd's TLS context is
              used.

       The following options are available only when compiled as a
       standalone daemon.  When compiled as a slapd(8) module, the cn=config
       equivalents need to be used if a separate TLS context for the module
       is needed; otherwise use the TLSShareSlapdCTX option.

       TLSCipherSuite <cipher-suite-spec>
              Permits configuring what ciphers will be accepted and the
              preference order.  <cipher-suite-spec> should be a cipher
              specification for the TLS library in use (OpenSSL, GnuTLS, or
              Mozilla NSS).  Example:

              OpenSSL:
                  TLSCipherSuite HIGH:MEDIUM:+SSLv2

              GnuTLS:
                  TLSCipherSuite SECURE256:!AES-128-CBC

              The OpenSSL example above is a legacy one: SSLv2 is no longer
              supported by OpenSSL 1.1.0 and later, so the +SSLv2 term
              selects nothing there.  A spec for a current deployment should
              exclude anonymous and unencrypted suites, for example
              HIGH:!aNULL:!eNULL, and the resulting list should be verified
              with the command below rather than assumed.

              To check what ciphers a given spec selects in OpenSSL, use:

                  openssl ciphers -v <cipher-suite-spec>

              With GnuTLS the available specs can be found in the manual page
              of gnutls-cli(1) (see the description of the option
              --priority).

              In older versions of GnuTLS, where gnutls-cli does not support
              the option --priority, you can obtain the (more limited) list
              of ciphers by calling:

                  gnutls-cli -l

              When using Mozilla NSS, the OpenSSL cipher suite specifications
              are used and translated into the format used internally by
              Mozilla NSS.  There isn't an easy way to list the cipher suites
              from the command line.  The authoritative list is in the source
              code for Mozilla NSS in the file sslinfo.c in the structure
                  static const SSLCipherSuiteInfo suiteInfo[]

       TLSCACertificateFile <filename>
              Specifies the file that contains certificates for all of the
              Certificate Authorities that lloadd will recognize.  The
              certificate for the CA that signed the server certificate must
              be included among these certificates.  If the signing CA was
              not a top-level (root) CA, certificates for the entire sequence
              of CA's from the signing CA to the top-level CA should be
              present.  Multiple certificates are simply appended to the
              file; the order is not significant.

       TLSCACertificatePath <path>
              Specifies the path of a directory that contains Certificate
              Authority certificates in separate individual files.  Usually
              only one of this or the TLSCACertificateFile is used.  This
              directive is not supported when using GnuTLS.

              When using Mozilla NSS, <path> may contain a Mozilla NSS
              cert/key database.  If <path> contains a Mozilla NSS cert/key
              database and CA cert files, OpenLDAP will use the cert/key
              database and will ignore the CA cert files.

       TLSCertificateFile <filename>
              Specifies the file that contains the lloadd server certificate.

              When using Mozilla NSS, if using a cert/key database (specified
              with TLSCACertificatePath), TLSCertificateFile specifies the
              name of the certificate to use:
                  TLSCertificateFile Server-Cert
              If using a token other than the internal built in token,
              specify the token name first, followed by a colon.  Since a
              token name may contain white space, quote the argument as
              described above:
                  TLSCertificateFile "my hardware device:Server-Cert"
              Use certutil -L to list the certificates by name:
                  certutil -d /path/to/certdbdir -L

       TLSCertificateKeyFile <filename>
              Specifies the file that contains the lloadd server private key
              that matches the certificate stored in the TLSCertificateFile
              file.  Currently, the private key must not be protected with a
              password, so it is of critical importance that it is protected
              carefully: the file should be owned by the user lloadd runs as
              and readable by nobody else.

              When using Mozilla NSS, TLSCertificateKeyFile specifies the
              name of a file that contains the password for the key for the
              certificate specified with TLSCertificateFile.  The modutil
              command can be used to turn off password protection for the
              cert/key database.  For example, if TLSCACertificatePath
              specifies /etc/openldap/certdb as the location of the cert/key
              database, use modutil to change the password to the empty
              string:
                  modutil -dbdir /etc/openldap/certdb -changepw 'NSS Certificate DB'
              You must have the old password, if any.  Ignore the WARNING
              about the running browser.  Press 'Enter' for the new
              password.

       TLSDHParamFile <filename>
              This directive specifies the file that contains parameters for
              Diffie-Hellman ephemeral key exchange.  This is required in
              order to use a DSA certificate on the server, or an RSA
              certificate missing the "key encipherment" key usage.  Note
              that setting this option may also enable Anonymous
              Diffie-Hellman key exchanges in certain non-default cipher
              suites.  Anonymous key exchanges should generally be avoided
              since they provide no actual client or server authentication
              and provide no protection against man-in-the-middle attacks.
              You should append "!ADH" to your cipher suites to ensure that
              these suites are not used.  When using Mozilla NSS these
              parameters are always generated randomly so this directive is
              ignored.

       TLSECName <name>
              Specify the name of a curve to use for Elliptic curve
              Diffie-Hellman ephemeral key exchange.  This is required to
              enable ECDHE algorithms in OpenSSL.  This option is not used
              with GnuTLS; the curves may be chosen in the GnuTLS
              ciphersuite specification.  This option is also ignored for
              Mozilla NSS.

       TLSProtocolMin <major>[.<minor>]
              Specifies the minimum SSL/TLS protocol version that will be
              negotiated.  If the peer doesn't support at least that version,
              the SSL handshake will fail.  To require TLS 1.x or higher, set
              this option to 3.(x+1), e.g.,

                  TLSProtocolMin 3.2

              would require TLS 1.1.  Since TLS 1.0 and 1.1 are deprecated
              (RFC 8996), a current deployment should use 3.3 to require TLS
              1.2 or higher.  Specifying a minimum that is higher than that
              supported by the OpenLDAP implementation will result in it
              requiring the highest level that it does support.  This
              directive is ignored with GnuTLS.

       TLSRandFile <filename>
              Specifies the file to obtain random bits from when
              /dev/[u]random is not available.  Generally set to the name of
              the EGD/PRNGD socket.  The environment variable RANDFILE can
              also be used to specify the filename.  This directive is
              ignored with GnuTLS and Mozilla NSS.

       TLSVerifyClient <level>
              Specifies what checks to perform on client certificates in an
              incoming TLS session, if any.  The <level> can be specified as
              one of the following keywords:

              never  This is the default.  lloadd will not ask the client for
                     a certificate.

              allow  The client certificate is requested.  If no certificate
                     is provided, the session proceeds normally.  If a bad
                     certificate is provided, it will be ignored and the
                     session proceeds normally.

              try    The client certificate is requested.  If no certificate
                     is provided, the session proceeds normally.  If a bad
                     certificate is provided, the session is immediately
                     terminated.

              demand | hard | true
                     These keywords are all equivalent, for compatibility
                     reasons.  The client certificate is requested.  If no
                     certificate is provided, or a bad certificate is
                     provided, the session is immediately terminated.

              The client certificate accepted here is also what lloadd uses
              to derive the identity of a client that binds with SASL
              EXTERNAL (see the note on SASL binds at the end of this page);
              with never, no client certificate is requested and no such
              identity is available.

       TLSCRLCheck <level>
              Specifies if the Certificate Revocation List (CRL) of the CA
              should be used to verify if the client certificates have not
              been revoked.  This requires the TLSCACertificatePath parameter
              to be set.  This directive is ignored with GnuTLS and Mozilla
              NSS.  <level> can be specified as one of the following
              keywords:

              none   No CRL checks are performed

              peer   Check the CRL of the peer certificate

              all    Check the CRL for a whole certificate chain

       TLSCRLFile <filename>
              Specifies a file containing a Certificate Revocation List to be
              used for verifying that certificates have not been revoked.
              This directive is only valid when using GnuTLS and Mozilla NSS.

GENERAL BACKEND OPTIONS
       Options in this section describe how lloadd connects and
       authenticates to the backend servers.  Backends are organised in
       groups (tiers).  Backends in the first tier are tried first; if none
       of them are reachable, the following tier is tried in the same way.
       If there is a backend in the tier that has suitable connections, but
       they are busy, no further tier is consulted.  This is useful in high
       availability scenarios where a group of servers (e.g. the local
       environment) should be contacted if possible.

       It is assumed all backend servers serve the same data.  On startup,
       the configured connections are set up and those not dedicated to
       handling bind requests are authenticated with the backend using the
       information in the bindconf option.  The authentication configuration
       is shared between them.

       bindconf
              [bindmethod=simple|sasl] [binddn=<dn>] [saslmech=<mech>]
              [authcid=<identity>] [authzid=<identity>]
              [credentials=<passwd>] [realm=<realm>]
              [secprops=<properties>] [timeout=<seconds>]
              [network-timeout=<seconds>] [tcp-user-timeout=<milliseconds>]

              Specifies the bind credentials lloadd uses when setting up its
              regular connections to all backends.

              A bindmethod of simple requires the options binddn and
              credentials and should only be used when adequate security
              services (e.g. TLS or IPSEC) are in place.  REMEMBER: simple
              bind credentials must be in cleartext!  They are stored in
              cleartext in this file as well, so the file must not be
              readable by other users.  A bindmethod of sasl requires the
              option saslmech.  Depending on the mechanism, an authentication
              identity and/or credentials can be specified using authcid and
              credentials.  The authzid parameter may be used to specify an
              authorization identity.  Specific security properties (as with
              the sasl-secprops keyword of slapd.conf(5)) for a SASL bind can
              be set with the secprops option.  A non-default SASL realm can
              be set with the realm option.

              The timeout parameter indicates how long an operation can be
              pending a response (result, search entry, ...) from the server
              in seconds.  Due to how timeouts are detected, the timeout
              might not be detected and handled until up to timeout seconds
              after it happens.

              The network-timeout parameter sets how long lloadd will wait to
              establish a network connection to the backend.  Once a
              connection is established, the timeout parameter determines
              how long lloadd will wait for the initial Bind request to
              complete.

              A timeout set to 0 means no timeout is in effect and, by
              default, no timeouts are in effect.

              The tcp-user-timeout parameter, if non-zero, corresponds to the
              TCP_USER_TIMEOUT set on the upstream connections, overriding
              the operating system setting.  Only some systems support the
              customization of this parameter; it is ignored otherwise and
              system-wide settings are used.


       tier <tier type>
              Groups servers which should be considered in the same try.  If
              a viable connection is found, even if busy, the load balancer
              does not proceed to the next tier.  The process of selecting a
              connection within a tier depends on the tier's type.

              Available types are:

              roundrobin
                     Servers are tried in order and if one is selected
                     successfully, the following search will start from the
                     one next on the list.

              weighted
                     Backend servers accept a new option weight=<int> which
                     indicates how often each should be selected.  If
                     unspecified, weight defaults to 0 and such backends have
                     a slight chance of being selected even when a non-zero
                     weight backend is configured in the tier.  The selection
                     process is along the lines of RFC 2782.

              bestof Like with weighted, backends accept the weight=<int>
                     option.  Average latency multiplied by weight is
                     measured over time.  The selection process chooses 2
                     backends at random, compares their weighted latencies
                     and the backend with the better (lower) score is tried.
                     If that backend is not available (or is busy), the other
                     backend is tried, then backends are chosen in a
                     round-robin order.

                     Note that unlike weighted, the higher the weight, the
                     higher the "effective" latency and the lower the chance
                     a backend is selected.

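              The following is an added example, not lloadd's own code, that
              models the weighted and bestof selection rules described above
              so their consequences can be seen: weighted follows the RFC
              2782 running-sum method (which is what gives a weight-0 backend
              its slight chance), bestof is a power-of-two-choices pick on
              weight times latency.  The Backend class, its latency figures
              and the availability flag are assumptions of the example; for
              bestof it is also assumed that weights are set explicitly
              (>= 1), since the page does not say how a weight of 0 scores
              there.  The round-robin fallback is reduced to "first available
              in order".

```python
"""Selection within a tier: `weighted` (along the lines of RFC 2782) and
`bestof` (two random candidates, lower weight * latency wins).  Added
illustration of the rules in lloadd.conf(5), not lloadd's own code."""
import random
from dataclasses import dataclass


@dataclass(eq=False)
class Backend:
    name: str
    weight: int = 0          # weight=<int> on backend-server; unset means 0
    latency_ms: float = 1.0  # assumed measured average latency (bestof only)
    available: bool = True   # False: no connection, or all of them busy


def select_weighted(backends, rng=random):
    """Pick a backend the way RFC 2782 picks among SRV records of one
    priority: zero-weight entries go first with running sum 0, so they are
    chosen only when the draw is exactly 0, i.e. with probability
    1/(total+1) rather than never."""
    candidates = [b for b in backends if b.available]
    if not candidates:
        return None
    ordered = sorted(candidates, key=lambda b: b.weight != 0)  # zeros first
    total = sum(b.weight for b in ordered)
    draw = rng.randint(0, total)  # both ends inclusive, as in RFC 2782
    running = 0
    for backend in ordered:
        running += backend.weight
        if running >= draw:
            return backend
    return ordered[-1]  # not reached: the last running sum equals total


def select_bestof(backends, rng=random):
    """Sample two backends and try the one with the lower weight * latency;
    if it is unavailable try the other, then fall back to the remaining
    backends in order (a stand-in for the round-robin the man page
    describes).  Weights are assumed to be set (>= 1) in bestof tiers."""
    if len(backends) < 2:
        return next((b for b in backends if b.available), None)
    pair = rng.sample(backends, 2)
    pair.sort(key=lambda b: b.latency_ms * b.weight)  # lower score is better
    for backend in pair:
        if backend.available:
            return backend
    for backend in backends:
        if backend.available and all(backend is not p for p in pair):
            return backend
    return None


def tally(selector, backends, draws, rng):
    """Count how often each backend is chosen over `draws` selections."""
    counts = {b.name: 0 for b in backends}
    for _ in range(draws):
        chosen = selector(backends, rng)
        if chosen is not None:
            counts[chosen.name] += 1
    return counts


def demo_distribution(seed=1, draws=16000):
    """Weighted tier with weights 0, 5 and 10: the shares approach 1/16,
    5/16 and 10/16 of the draws."""
    tier = [Backend("ldap0"), Backend("ldap1", weight=5),
            Backend("ldap2", weight=10)]
    return tally(select_weighted, tier, draws, random.Random(seed))


if __name__ == "__main__":
    print(demo_distribution())
```

              Running it shows why a backend left at the default weight of 0
              in a weighted tier still receives roughly one selection in
              sixteen next to weights of 5 and 10: a zero weight is not an
              exclusion.  Remove the backend from the tier instead when it
              must not be used.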

       backend-server
              uri=ldap[s]://<hostname>[:port] [retry=<retry interval in ms>]
              [keepalive=<idle>:<probes>:<interval>] [starttls=yes|critical]
              [tls_cert=<file>] [tls_key=<file>] [tls_cacert=<file>]
              [tls_cacertdir=<path>] [tls_reqcert=never|allow|try|demand]
              [tls_cipher_suite=<ciphers>] [tls_crlcheck=none|peer|all]
              [tls_protocol_min=<major>[.<minor>]] [numconns=<conns>]
              [bindconns=<conns>] [max-pending-ops=<ops>]
              [conn-max-pending=<ops>]

              Marks the beginning of a backend definition.

              uri specifies the backend as an LDAP URI.  If <port> is not
              given, the standard LDAP port number (389 or 636) is used.

              Lloadd will attempt to maintain numconns active connections and
              also bindconns active connections dedicated to handling client
              bind requests.

              If an error occurs on a working connection, a new connection
              attempt is made immediately.  If an error occurs while
              establishing a new connection to this backend, lloadd will wait
              before a new reconnect attempt is made, according to the retry
              parameter (the default is 5 seconds, i.e. 5000).

              Operations will be distributed across the backend's connections
              (upstreams).

              The parameter conn-max-pending, unless set to 0 (the default),
              will limit the number of unfinished operations per upstream
              connection.  Similarly, max-pending-ops will limit the total
              number of unfinished operations across all of the backend's
              connections; 0, the default, means no limit will be imposed
              for this backend.

              The keepalive parameter sets the values of idle, probes, and
              interval used to check whether a socket is alive; idle is the
              number of seconds a connection needs to remain idle before TCP
              starts sending keepalive probes; probes is the maximum number
              of keepalive probes TCP should send before dropping the
              connection; interval is the interval in seconds between
              individual keepalive probes.  Only some systems support the
              customization of these values; the keepalive parameter is
              ignored otherwise, and system-wide settings are used.

              The starttls parameter specifies use of the StartTLS extended
              operation to establish a TLS session before binding to the
              backend.  If the critical argument is supplied, the connection
              will be aborted if the StartTLS request fails.  Otherwise the
              connection continues without TLS, so starttls=yes on its own
              does not guarantee that the bind credentials are protected;
              use starttls=critical (or an ldaps:// URI) when they must be.
              The tls_reqcert setting defaults to "demand" and the other TLS
              settings default to the same as the main TLS settings.


EXAMPLES
       Here is a short example of a configuration file:

           argsfile /var/run/lloadd.args
           pidfile /var/run/lloadd.pid

           # cancel not supported yet
           restrict_exop 1.3.6.1.1.8 reject

           # turn not supported
           restrict_exop 1.3.6.1.1.19 reject

           # TXN Exop if desired, otherwise reject
           restrict_exop 1.3.6.1.1.21.1 connection

           # Paged results control
           restrict_control 1.2.840.113556.1.4.319 connection

           # VLV control
           restrict_control 2.16.840.1.113730.3.4.9 connection

           bindconf
               bindmethod=simple
               binddn=cn=test
               credentials=pass

           tier weighted
           backend-server
               uri=ldap://ldap1.example.com
               numconns=3
               bindconns=2
               retry=5000
               max-pending-ops=5
               conn-max-pending=3
               weight=5

           backend-server
               uri=ldap://ldap2.example.com
               numconns=3
               bindconns=2
               retry=5000
               max-pending-ops=5
               conn-max-pending=3
               weight=10

       The indented lines following bindconf and backend-server are
       continuation lines and form a single logical line each.  Note that
       this example sends a simple bind with a cleartext password over plain
       ldap:// connections, which is only acceptable on a trusted network;
       otherwise add starttls=critical (or use ldaps:// URIs) together with
       tls_cacert to each backend-server.

       "OpenLDAP Administrator's Guide" contains a longer annotated example of
       a configuration file.  The original /etc/openldap/lloadd.conf is
       another example.
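
       The following is an added example, not part of this manual page or of
       OpenLDAP: a small parser for the line format described under
       DESCRIPTION (continuation lines joined before comment processing,
       white-space separated arguments, double quotes and backslash escapes,
       the 2000-byte line limit), applied to a constructed, hardened variant
       of the configuration above, plus a check that reports backends on
       which the bind credentials would travel in cleartext or the server
       certificate would go unverified.  The sample configuration, its host
       names, paths and service account are made up.

```python
"""lloadd.conf line-format parser (continuation lines, comments, quoting) and
a TLS sanity check.  Added illustration, not OpenLDAP code; sample is made up."""


def unwrap_lines(text):
    """Join lines beginning with white space to the previous physical line.
    Done before comments are stripped, so an indented line after a comment
    becomes part of that comment and is discarded with it."""
    logical = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if len(raw.encode()) > 2000:  # man page: no physical line over 2000 bytes
            raise ValueError(f"line {lineno} exceeds 2000 bytes")
        if raw[:1] in (" ", "\t") and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw)
    return logical


def split_args(line):
    """White space separates arguments, double quotes group white space, and
    a backslash makes the next character literal (so \\" and \\\\ work)."""
    args, current, in_quote, i = [], None, False, 0  # None: no argument open
    while i < len(line):
        ch = line[i]
        if ch == "\\":
            if i + 1 == len(line):
                raise ValueError("trailing backslash")
            i += 1
            current = (current or "") + line[i]
        elif ch == '"':
            in_quote = not in_quote
            current = current or ""  # "" is a valid empty argument
        elif ch.isspace() and not in_quote:
            if current is not None:
                args.append(current)
                current = None
        else:
            current = (current or "") + ch
        i += 1
    if in_quote:
        raise ValueError("unterminated double quote")
    if current is not None:
        args.append(current)
    return args


def parse_config(text):
    """Return (directives, backends): (keyword, args) pairs for global lines,
    and one dict of key=value arguments (plus its tier) per backend-server."""
    directives, backends, tier = [], [], None
    for line in unwrap_lines(text):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        args = split_args(stripped)
        keyword = args[0].lower()  # keywords are case-insensitive
        if keyword == "tier":
            tier = args[1] if len(args) > 1 else None
        if keyword != "backend-server":
            directives.append((keyword, args[1:]))
            continue
        backend = {"tier": tier}
        for item in args[1:]:
            key, _, value = item.partition("=")
            backend[key.lower()] = value
        backends.append(backend)
    return directives, backends


def unprotected_backends(backends):
    """URIs on which bind credentials would cross the wire in clear (neither
    ldaps:// nor starttls=critical; starttls=yes falls back to cleartext) or
    whose certificate is not verified (tls_reqcert not the default demand)."""
    bad = []
    for backend in backends:
        uri = backend.get("uri", "")
        encrypted = uri.startswith("ldaps://") or backend.get("starttls") == "critical"
        verified = backend.get("tls_reqcert", "demand") == "demand"
        if not (encrypted and verified):
            bad.append(uri)
    return bad


# Constructed sample: a hardened variant of the configuration in EXAMPLES.
SAMPLE_CONF = r'''
pidfile /var/run/lloadd.pid
# the next line is swallowed by this comment because it is indented:
    restrict_exop 1.1 reject
restrict_exop 1.3.6.1.1.8 reject
bindconf
    bindmethod=simple
    "binddn=cn=lloadd,ou=service accounts,dc=example,dc=com"
    "credentials=pa\"ss word"
tier roundrobin
backend-server uri=ldaps://ldap1.example.com:636 numconns=3 bindconns=2
    tls_cacert=/etc/openldap/ca.pem tls_protocol_min=3.3
backend-server uri=ldap://ldap2.example.com starttls=critical tls_cacert=/etc/openldap/ca.pem
backend-server uri=ldap://legacy.example.com starttls=yes
'''
```

       Two things the sample makes visible: the indented restrict_exop line
       never becomes a directive because it is unwrapped into the comment
       above it, and only the legacy backend is reported by
       unprotected_backends, since starttls=yes without critical silently
       continues in cleartext when StartTLS fails.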

       Support for proxying SASL Binds is limited to the EXTERNAL mechanism
       (and only to extract the DN of a client TLS certificate if used during
       the last renegotiation) and to mechanisms that neither rely on
       connection metadata (as Kerberos does) nor establish a SASL
       integrity/confidentiality layer (again, some Kerberos mechanisms;
       DIGEST-MD5 can negotiate this).

FILES
       /etc/openldap/lloadd.conf
              default lloadd configuration file

SEE ALSO
       ldap(3), gnutls-cli(1), slapd.conf(5), tcp(7), lloadd(8), slapd(8).

       "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)

ACKNOWLEDGEMENTS
       OpenLDAP Software is developed and maintained by The OpenLDAP Project
       <http://www.openldap.org/>.  OpenLDAP Software is derived from the
       University of Michigan LDAP 3.3 Release.

OpenLDAP 2.6.2                    2022/05/04                    LLOADD.CONF(5)