1LLOADD(8C) LLOADD(8C)
2
3
4
6 lloadd - LDAP Load Balancer Daemon
7
9 /usr/lib64/lloadd [-4|-6] [-d debug-level] [-f lloadd-config-file]
10 [-h URLs] [-n service-name] [-s syslog-level] [-l syslog-local-user]
11 [-o option[=value]] [-r directory] [-u user] [-g group]
12
14 Lloadd is the stand-alone LDAP daemon. It listens for LDAP connections
15 on any number of ports (default 389), forwarding the LDAP operations it
16 receives over these connections to be handled by the configured back‐
17 ends. lloadd is typically invoked at boot time, usually out of
18 /etc/rc.local. Upon startup, lloadd normally forks and disassociates
19 itself from the invoking tty. If configured in the config file, the
20 lloadd process will print its process ID (see getpid(2)) to a .pid
21 file, as well as the command line options during invocation to an .args
22 file (see lloadd.conf(5)). If the -d flag is given, even with a zero
23 argument, lloadd will not fork and disassociate from the invoking tty.
24
25 See the "OpenLDAP Administrator's Guide" for more details on lloadd.
26
28 -4 Listen on IPv4 addresses only.
29
30 -6 Listen on IPv6 addresses only.
31
32 -d debug-level
33 Turn on debugging as defined by debug-level. If this option is
34 specified, even with a zero argument, lloadd will not fork or
35 disassociate from the invoking terminal. Some general operation
36 and status messages are printed for any value of debug-level.
37 debug-level is taken as a bit string, with each bit correspond‐
38 ing to a different kind of debugging information. See
39 <ldap_log.h> for details. Comma-separated arrays of friendly
40 names can be specified to select debugging output of the corre‐
41 sponding debugging information. All the names recognized by the
42 loglevel directive described in lloadd.conf(5) are supported.
43 If debug-level is ?, a list of installed debug-levels is
44 printed, and lloadd exits.
45
46 Remember that if you turn on packet logging, packets containing
47 bind passwords will be output, so if you redirect the log to a
48 logfile, that file should be read-protected.
49
50 -s syslog-level
51 This option tells lloadd at what debug-level debugging state‐
52 ments should be logged to the syslog(8) facility. The value
53 syslog-level can be set to any value or combination allowed by
54 the -d switch. Lloadd logs all messages selected by syslog-
55 level at the syslog(3) severity debug-level DEBUG, on the unit
56 specified with -l.
57
58 -n service-name
59 Specifies the service name for logging and other purposes. De‐
60 faults to basename of argv[0], i.e.: "lloadd".
61
62 -l syslog-local-user
63 Selects the local user of the syslog(8) facility. Value can be
64 LOCAL0, through LOCAL7, as well as USER and DAEMON. The default
65 is LOCAL4. However, this option is only permitted on systems
66 that support local users with the syslog(8) facility. Logging
67 to syslog(8) occurs at the "DEBUG" severity debug-level.
68
69 -f lloadd-config-file
70 Specifies the lloadd configuration file. The default is
71 /etc/openldap/lloadd.conf.
72
73 -h URLlist
74 lloadd will by default serve ldap:/// (LDAP over TCP on all in‐
75 terfaces on default LDAP port). That is, it will bind using IN‐
76 ADDR_ANY and port 389. The -h option may be used to specify
77 LDAP (and other scheme) URLs to serve. For example, if lloadd
78 is given -h "ldap://127.0.0.1:9009/ ldaps:/// ldapi:///", it
79 will listen on 127.0.0.1:9009 for LDAP, 0.0.0.0:636 for LDAP
80 over TLS, and LDAP over IPC (Unix domain sockets). Host 0.0.0.0
81 represents INADDR_ANY (any interface). A space separated list
82 of URLs is expected. The URLs should be of the LDAP, PLDAP,
83 LDAPS, PLDAPS, or LDAPI schemes, and generally without a DN or
84 other optional parameters (excepting as discussed below). Sup‐
85 port for the latter three schemes depends on selected configura‐
86 tion options. Hosts may be specified by name or IPv4 and IPv6
87 address formats. Ports, if specified, must be numeric. The de‐
88 fault ldap:// port is 389 and the default ldaps:// port is 636,
89 same for the proxy enabled variants.
90
91 The PLDAP and PLDAPS URL schemes provide support for the HAProxy
92 proxy protocol version 2, which allows a load balancer or proxy
93 server to provide the remote client IP address to slapd to be
94 used for access control or logging. Ports configured for PLDAP
95 or PLDAPS will only accept connections that include the neces‐
96 sary proxy protocol header. Connections to these ports should be
97 restricted at the network level to only trusted load balancers
98 or proxies to avoid spoofing of client IP addresses by third
99 parties.
100
101 At the moment, the load balancer does not act on the recorded
102 address in any way.
103
104 For LDAP over IPC, name is the name of the socket, and no port
105 is required, nor allowed; note that directory separators must be
106 URL-encoded, like any other characters that are special to URLs;
107 so the socket
108
109 /usr/local/var/ldapi
110
111 must be specified as
112
113 ldapi://%2Fusr%2Flocal%2Fvar%2Fldapi
114
115 The default location for the IPC socket is /var/run/ldapi
116
117 -r directory
118 Specifies a directory to become the root directory. lloadd will
119 change the current working directory to this directory and then
120 chroot(2) to this directory. This is done after opening listen‐
121 ers but before reading any configuration file or initializing
122 any backend. When used as a security mechanism, it should be
123 used in conjunction with -u and -g options.
124
125 -u user
126 lloadd will run lloadd with the specified user name or id, and
127 that user's supplementary group access list as set with init‐
128 groups(3). The group ID is also changed to this user's gid, un‐
129 less the -g option is used to override. Note when used with -r,
130 lloadd will use the user database in the change root environ‐
131 ment.
132
133 -g group
134 lloadd will run with the specified group name or id. Note when
135 used with -r, lloadd will use the group database in the change
136 root environment.
137
138 -o option[=value]
139 This option provides a generic means to specify options without
140 the need to reserve a separate letter for them.
141
142 It supports the following options:
143
144 slp={on|off|slp-attrs}
145 When SLP support is compiled into lloadd, disable it
146 (off),
147 enable it by registering at SLP DAs without specific SLP
148 attributes (on), or with specific SLP attributes slp-at‐
149 trs that must be an SLP attribute list definition accord‐
150 ing to the SLP standard.
151
152 For example, "slp=(tree=production),(server-type=OpenL‐
153 DAP),(server-version=2.4.15)" registers at SLP DAs with
154 the three SLP attributes tree, server-type and server-
155 version that have the values given above. This allows
156 one to specifically query the SLP DAs for LDAP servers
157 holding the production tree in case multiple trees are
158 available.
159
160
162 Lloadd can be compiled as a slapd loadable module. In that case, it can
163 be loaded as such:
164
165 moduleload path/to/lloadd.la
166 backend lload
167 listen "listening URLs"
168
169 This enables lloadd to provide additional features through the host
170 slapd process like access to run-time statistics in cn=monitor and dy‐
171 namic configuration from cn=config.
172
173 The listening sockets specified will be under direct control of lloadd
174 and need to be different from the sockets slapd is configured to listen
175 on. Clients connecting to these are completely separate from regular
176 LDAP clients connecting to the usual slapd sockets - lloadd clients
177 have no access to slapd databases, similarly, slapd client traffic does
178 not propagate to the lloadd backend servers in any way.
179
180
182 As part of lloadd's cn=monitor interface it is possible to close a
183 client connection it manages by writing to the corresponding entry, re‐
184 placing the olmConnectionState attribute with the value closing. This
185 is subject to ACLs configured on the monitor database. The server will
186 send a Notice of Disconnection to the client, refuse any new operations
187 and once all pending operations have finished, close the connection.
188
189 For example, to close connection number 42:
190
191
192 dn: cn=connection 42,cn=incoming connections,cn=load balancer,cn=backends,cn=monitor
193 changetype: modify
194 replace: olmConnectionState
195 olmConnectionState: closing
196
197
199 To start lloadd and have it fork and detach from the terminal and start
200 load-balancing the LDAP servers defined in the default config file,
201 just type:
202
203 /usr/lib64/lloadd
204
205 To start lloadd with an alternate configuration file, and turn on volu‐
206 minous debugging which will be printed on standard error, type:
207
208 /usr/lib64/lloadd -f /var/tmp/lloadd.conf -d 255
209
210 To start lloadd as a module inside a slapd process listening on
211 ldap://:1389 and ldaps://, put the following in your slapd.conf (or its
212 equivalent in cn=config):
213
214 moduleload lloadd.la
215 backend lload
216 listen "ldap://:1389 ldaps://"
217
219 ldap(3), lloadd.conf(5), slapd-config(5), slapd-monitor(5), slapd(8).
220
221 "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
222
224 See http://www.openldap.org/its/
225
227 OpenLDAP Software is developed and maintained by The OpenLDAP Project
228 <http://www.openldap.org/>. OpenLDAP Software is derived from the Uni‐
229 versity of Michigan LDAP 3.3 Release.
230
231
232
233OpenLDAP 2.6.6 2023/07/31 LLOADD(8C)