Add optional PoolOnly configuration for LDAP

This commit introduces an optional LDAP configuration setting: PoolOnly. When enabled, it bypasses the creation and close operations of channels and goroutines related to authentication (LDAPAuth). Furthermore, the commit ensures PoolOnly is checked before executing context and worker processes, improving efficiency for applications that do not require the LDAP authentication feature. Signed-off-by: Christian Roessner <c@roessner.co>
croessner · May 15, 2024 · ba7bbc5 · ba7bbc5
1 parent 866375d
commit ba7bbc5
Show file tree

Hide file tree

Showing 4 changed files with 49 additions and 18 deletions.
diff --git a/server/config/file.go b/server/config/file.go
@@ -910,6 +910,18 @@ func (f *File) validateSecrets() error {
 	return nil
 }
 
+// LDAPHavePoolOnly is a method on the File struct.
+// It checks if the LDAP field and LDAP.Config field are not nil,
+// and returns the value of LDAP.Config.PoolOnly.
+// Otherwise, it returns false.
+func (f *File) LDAPHavePoolOnly() bool {
+	if f.LDAP != nil && f.LDAP.Config != nil {
+		return f.LDAP.Config.PoolOnly
+	}
+
+	return false
+}
+
 // validatePassDBBackends is a method on the File struct.
 // It validates the Backend backends defined in the EnvConfig.
 // If any of the validations fail, it returns the corresponding error.
@@ -932,7 +944,7 @@ func (f *File) validatePassDBBackends() error {
 				return errors.ErrNoLDAPConfig
 			}
 
-			if len(f.LDAP.Search) == 0 {
+			if !f.LDAP.Config.PoolOnly && len(f.LDAP.Search) == 0 {
 				return errors.ErrNoLDAPSearchSection
 			}
 

diff --git a/server/config/ldap.go b/server/config/ldap.go
@@ -33,6 +33,7 @@ func (l *LDAPSection) GetProtocols() any {
 }
 
 type LDAPConf struct {
+	PoolOnly      bool `mapstructure:"pool_only"`
 	StartTLS      bool
 	TLSSkipVerify bool `mapstructure:"tls_skip_verify"`
 	SASLExternal  bool `mapstructure:"sasl_external"`

diff --git a/server/core/auth.go b/server/core/auth.go
@@ -1446,7 +1446,9 @@ func (a *Authentication) handleBackendTypes() (useCache bool, backendPos map[glo
 				useCache = true
 			}
 		case global.BackendLDAP:
-			passDBs = a.appendBackend(passDBs, global.BackendLDAP, ldapPassDB)
+			if !config.LoadableConfig.LDAPHavePoolOnly() {
+				passDBs = a.appendBackend(passDBs, global.BackendLDAP, ldapPassDB)
+			}
 		case global.BackendLua:
 			passDBs = a.appendBackend(passDBs, global.BackendLua, luaPassDB)
 		case global.BackendUnknown:
@@ -1733,10 +1735,12 @@ func (a *Authentication) listUserAccounts() (accountList AccountList) {
 	for _, backendType := range config.LoadableConfig.Server.Backends {
 		switch backendType.Get() {
 		case global.BackendLDAP:
-			accounts = append(accounts, &AccountListMap{
-				global.BackendLDAP,
-				ldapAccountDB,
-			})
+			if !config.LoadableConfig.LDAPHavePoolOnly() {
+				accounts = append(accounts, &AccountListMap{
+					global.BackendLDAP,
+					ldapAccountDB,
+				})
+			}
 		case global.BackendLua:
 			accounts = append(accounts, &AccountListMap{
 				global.BackendLua,

diff --git a/server/main.go b/server/main.go
@@ -358,12 +358,16 @@ func handleBackend(passDB *config.Backend) {
 	switch passDB.Get() {
 	case global.BackendLDAP:
 		<-backend.LDAPEndChan
-		<-backend.LDAPAuthEndChan
 
 		close(backend.LDAPEndChan)
-		close(backend.LDAPAuthEndChan)
 		close(backend.LDAPRequestChan)
-		close(backend.LDAPAuthRequestChan)
+
+		if !config.LoadableConfig.LDAPHavePoolOnly() {
+			<-backend.LDAPAuthEndChan
+
+			close(backend.LDAPAuthEndChan)
+			close(backend.LDAPAuthRequestChan)
+		}
 	case global.BackendLua:
 		<-backend.LuaMainWorkerEndChan
 
@@ -383,9 +387,11 @@ func handleLDAPBackend(lookup, auth *contextTuple) {
 
 	<-backend.LDAPEndChan
 
-	stopContext(auth)
+	if !config.LoadableConfig.LDAPHavePoolOnly() {
+		stopContext(auth)
 
-	<-backend.LDAPAuthEndChan
+		<-backend.LDAPAuthEndChan
+	}
 }
 
 // handleLuaBackend receives a contextTuple as a parameter.
@@ -457,7 +463,10 @@ func startActionWorker(actionWorkers []*action.Worker, act *contextTuple) {
 // The function spawns goroutines for the LDAPMainWorker and LDAPAuthWorker functions from the backend package, passing the associated context to each worker.
 func startLDAPWorkers(store *contextStore) {
 	go backend.LDAPMainWorker(store.ldapLookup.ctx)
-	go backend.LDAPAuthWorker(store.ldapAuth.ctx)
+
+	if !config.LoadableConfig.LDAPHavePoolOnly() {
+		go backend.LDAPAuthWorker(store.ldapAuth.ctx)
+	}
 }
 
 // startLuaWorker starts a goroutine that runs the backend.LuaMainWorker function
@@ -546,7 +555,9 @@ func handleReload(ctx context.Context, store *contextStore, sig os.Signal, ngxMo
 		switch backendType.Get() {
 		case global.BackendLDAP:
 			store.ldapLookup = newContextTuple(ctx)
-			store.ldapAuth = newContextTuple(ctx)
+			if !config.LoadableConfig.LDAPHavePoolOnly() {
+				store.ldapAuth = newContextTuple(ctx)
+			}
 
 			startLDAPWorkers(store)
 		case global.BackendLua:
@@ -615,15 +626,18 @@ func setupWorkers(ctx context.Context, store *contextStore, actionWorkers []*act
 // - `ctx`: The context under which the LDAP workers should operate
 func setupLDAPWorker(store *contextStore, ctx context.Context) {
 	lookupPoolSize := config.LoadableConfig.LDAP.Config.LookupPoolSize
-	authPoolSize := config.LoadableConfig.LDAP.Config.AuthPoolSize
 
 	backend.LDAPRequestChan = make(chan *backend.LDAPRequest, lookupPoolSize)
-	backend.LDAPAuthRequestChan = make(chan *backend.LDAPAuthRequest, authPoolSize)
 	backend.LDAPEndChan = make(chan backend.Done)
-	backend.LDAPAuthEndChan = make(chan backend.Done)
-
 	store.ldapLookup = newContextTuple(ctx)
-	store.ldapAuth = newContextTuple(ctx)
+
+	if !config.LoadableConfig.LDAPHavePoolOnly() {
+		authPoolSize := config.LoadableConfig.LDAP.Config.AuthPoolSize
+
+		backend.LDAPAuthRequestChan = make(chan *backend.LDAPAuthRequest, authPoolSize)
+		backend.LDAPAuthEndChan = make(chan backend.Done)
+		store.ldapAuth = newContextTuple(ctx)
+	}
 
 	startLDAPWorkers(store)
 }