1LLOADD(8C)                                                          LLOADD(8C)
2
3
4

NAME

6       lloadd - LDAP Load Balancer Daemon
7

SYNOPSIS

9       /usr/lib64/lloadd   [-4|-6]   [-d debug-level]  [-f lloadd-config-file]
10       [-h URLs]  [-n service-name]  [-s syslog-level]  [-l syslog-local-user]
11       [-o option[=value]] [-r directory] [-u user] [-g group]
12

DESCRIPTION

14       Lloadd  is the stand-alone LDAP daemon. It listens for LDAP connections
15       on any number of ports (default 389), forwarding the LDAP operations it
16       receives  over  these connections to be handled by the configured back‐
17       ends.  lloadd is  typically  invoked  at  boot  time,  usually  out  of
18       /etc/rc.local.   Upon  startup, lloadd normally forks and disassociates
19       itself from the invoking tty.  If configured in the  config  file,  the
20       lloadd  process  will  print  its  process ID (see getpid(2)) to a .pid
21       file, as well as the command line options during invocation to an .args
22       file  (see  lloadd.conf(5)).  If the -d flag is given, even with a zero
23       argument, lloadd will not fork and disassociate from the invoking tty.
24
25       See the "OpenLDAP Administrator's Guide" for more details on lloadd.
26

OPTIONS

28       -4     Listen on IPv4 addresses only.
29
30       -6     Listen on IPv6 addresses only.
31
32       -d debug-level
33              Turn on debugging as defined by debug-level.  If this option  is
34              specified,  even  with  a zero argument, lloadd will not fork or
35              disassociate from the invoking terminal.  Some general operation
36              and  status  messages  are printed for any value of debug-level.
37              debug-level is taken as a bit string, with each bit  correspond‐
38              ing   to   a  different  kind  of  debugging  information.   See
39              <ldap_log.h> for details.  Comma-separated  arrays  of  friendly
40              names  can be specified to select debugging output of the corre‐
41              sponding debugging information.  All the names recognized by the
42              loglevel  directive  described  in lloadd.conf(5) are supported.
43              If debug-level  is  ?,  a  list  of  installed  debug-levels  is
44              printed, and lloadd exits.
45
46              Remember  that if you turn on packet logging, packets containing
47              bind passwords will be output, so if you redirect the log  to  a
48              logfile, that file should be read-protected.
49
50       -s syslog-level
51              This  option  tells  lloadd at what debug-level debugging state‐
52              ments should be logged to the  syslog(8)  facility.   The  value
53              syslog-level  can  be set to any value or combination allowed by
54              the -d switch.  Lloadd logs all  messages  selected  by  syslog-
55              level  at  the syslog(3) severity debug-level DEBUG, on the unit
56              specified with -l.
57
58       -n service-name
59              Specifies the service name for logging and other purposes.   De‐
60              faults to basename of argv[0], i.e.: "lloadd".
61
62       -l syslog-local-user
63              Selects  the  local user of the syslog(8) facility. Value can be
64              LOCAL0, through LOCAL7, as well as USER and DAEMON.  The default
65              is  LOCAL4.   However,  this option is only permitted on systems
66              that support local users with the syslog(8)  facility.   Logging
67              to syslog(8) occurs at the "DEBUG" severity debug-level.
68
69       -f lloadd-config-file
70              Specifies   the   lloadd  configuration  file.  The  default  is
71              /etc/openldap/lloadd.conf.
72
73       -h URLlist
74              lloadd will by default serve ldap:/// (LDAP over TCP on all  in‐
75              terfaces on default LDAP port).  That is, it will bind using IN‐
76              ADDR_ANY and port 389.  The -h option may  be  used  to  specify
77              LDAP  (and  other scheme) URLs to serve.  For example, if lloadd
78              is given -h  "ldap://127.0.0.1:9009/  ldaps:///  ldapi:///",  it
79              will  listen  on  127.0.0.1:9009  for LDAP, 0.0.0.0:636 for LDAP
80              over TLS, and LDAP over IPC (Unix domain sockets).  Host 0.0.0.0
81              represents  INADDR_ANY  (any interface).  A space separated list
82              of URLs is expected.  The URLs should be  of  the  LDAP,  PLDAP,
83              LDAPS,  PLDAPS,  or LDAPI schemes, and generally without a DN or
84              other optional parameters (excepting as discussed below).   Sup‐
85              port for the latter three schemes depends on selected configura‐
86              tion options. Hosts may be specified by name or  IPv4  and  IPv6
87              address formats.  Ports, if specified, must be numeric.  The de‐
88              fault ldap:// port is 389 and the default ldaps:// port is  636,
89              same for the proxy enabled variants.
90
91              The PLDAP and PLDAPS URL schemes provide support for the HAProxy
92              proxy protocol version 2, which allows a load balancer or  proxy
93              server  to  provide  the remote client IP address to slapd to be
94              used for access control or logging. Ports configured  for  PLDAP
95              or  PLDAPS  will only accept connections that include the neces‐
96              sary proxy protocol header. Connections to these ports should be
97              restricted  at  the network level to only trusted load balancers
98              or proxies to avoid spoofing of client  IP  addresses  by  third
99              parties.
100
101              At  the  moment,  the load balancer does not act on the recorded
102              address in any way.
103
104              For LDAP over IPC, name is the name of the socket, and  no  port
105              is required, nor allowed; note that directory separators must be
106              URL-encoded, like any other characters that are special to URLs;
107              so the socket
108
109                      /usr/local/var/ldapi
110
111              must be specified as
112
113                      ldapi://%2Fusr%2Flocal%2Fvar%2Fldapi
114
115              The default location for the IPC socket is /var/run/ldapi
116
117       -r directory
118              Specifies a directory to become the root directory.  lloadd will
119              change the current working directory to this directory and  then
120              chroot(2) to this directory.  This is done after opening listen‐
121              ers but before reading any configuration  file  or  initializing
122              any  backend.   When  used as a security mechanism, it should be
123              used in conjunction with -u and -g options.
124
125       -u user
126              lloadd will run lloadd with the specified user name or  id,  and
127              that  user's  supplementary  group access list as set with init‐
128              groups(3).  The group ID is also changed to this user's gid, un‐
129              less the -g option is used to override.  Note when used with -r,
130              lloadd will use the user database in the  change  root  environ‐
131              ment.
132
133       -g group
134              lloadd  will run with the specified group name or id.  Note when
135              used with -r, lloadd will use the group database in  the  change
136              root environment.
137
138       -o option[=value]
139              This  option provides a generic means to specify options without
140              the need to reserve a separate letter for them.
141
142              It supports the following options:
143
144              slp={on|off|slp-attrs}
145                     When SLP support is  compiled  into  lloadd,  disable  it
146                     (off),
147                      enable it by registering at SLP DAs without specific SLP
148                     attributes (on), or with specific SLP attributes  slp-at‐
149                     trs that must be an SLP attribute list definition accord‐
150                     ing to the SLP standard.
151
152                     For  example,  "slp=(tree=production),(server-type=OpenL‐
153                     DAP),(server-version=2.4.15)"  registers  at SLP DAs with
154                     the three SLP attributes tree,  server-type  and  server-
155                     version  that  have  the values given above.  This allows
156                     one to specifically query the SLP DAs  for  LDAP  servers
157                     holding  the  production  tree in case multiple trees are
158                     available.
159
160

RELATION TO SLAPD(8)

162       Lloadd can be compiled as a slapd loadable module. In that case, it can
163       be loaded as such:
164
165           moduleload path/to/lloadd.la
166           backend lload
167           listen "listening URLs"
168
169       This  enables  lloadd  to  provide additional features through the host
170       slapd process like access to run-time statistics in cn=monitor and  dy‐
171       namic configuration from cn=config.
172
173       The  listening sockets specified will be under direct control of lloadd
174       and need to be different from the sockets slapd is configured to listen
175       on.   Clients  connecting to these are completely separate from regular
176       LDAP clients connecting to the usual slapd  sockets  -  lloadd  clients
177       have no access to slapd databases, similarly, slapd client traffic does
178       not propagate to the lloadd backend servers in any way.
179
180

CN=MONITOR INTERFACE

182       As part of lloadd's cn=monitor interface it  is  possible  to  close  a
183       client connection it manages by writing to the corresponding entry, re‐
184       placing the olmConnectionState attribute with the value closing.   This
185       is  subject to ACLs configured on the monitor database. The server will
186       send a Notice of Disconnection to the client, refuse any new operations
187       and once all pending operations have finished, close the connection.
188
189       For example, to close connection number 42:
190
191
192           dn: cn=connection 42,cn=incoming connections,cn=load balancer,cn=backends,cn=monitor
193           changetype: modify
194           replace: olmConnectionState
195           olmConnectionState: closing
196
197

EXAMPLES

199       To start lloadd and have it fork and detach from the terminal and start
200       load-balancing the LDAP servers defined in  the  default  config  file,
201       just type:
202
203            /usr/lib64/lloadd
204
205       To start lloadd with an alternate configuration file, and turn on volu‐
206       minous debugging which will be printed on standard error, type:
207
208            /usr/lib64/lloadd -f /var/tmp/lloadd.conf -d 255
209
210       To start lloadd as  a  module  inside  a  slapd  process  listening  on
211       ldap://:1389 and ldaps://, put the following in your slapd.conf (or its
212       equivalent in cn=config):
213
214           moduleload lloadd.la
215           backend lload
216           listen "ldap://:1389 ldaps://"
217

SEE ALSO

219       ldap(3), lloadd.conf(5), slapd-config(5), slapd-monitor(5), slapd(8).
220
221       "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
222

BUGS

224       See http://www.openldap.org/its/
225

ACKNOWLEDGEMENTS

227       OpenLDAP Software is developed and maintained by The  OpenLDAP  Project
228       <http://www.openldap.org/>.  OpenLDAP Software is derived from the Uni‐
229       versity of Michigan LDAP 3.3 Release.
230
231
232
233OpenLDAP 2.6.6                    2023/07/31                        LLOADD(8C)
Impressum