ldap/servers/plugins/acl/acl.c | 40 ++++++++++++++++++++++++++--------------
1 file changed, 26 insertions(+), 14 deletions(-)
New commits:
commit 24d1817f75daad3b45f13e38935c14d0b55c9af9
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Thu Dec 5 13:15:45 2013 -0800
Ticket #342 - better error message when cache overflows (phase 2)
Description: commit 892bf12c1bb8b10afea3d6ff711059bf04e362cc only
logs detailed cache overflow message on the allow ACIs. This patch
logs the same message when the cache overflow occurs on the deny
ACIs.
https://fedorahosted.org/389/ticket/342
Reviewed by rmeggins (Thank you, Rich!!)
diff --git a/ldap/servers/plugins/acl/acl.c b/ldap/servers/plugins/acl/acl.c
index 90ea0c1..a8b4dde 100644
--- a/ldap/servers/plugins/acl/acl.c
+++ b/ldap/servers/plugins/acl/acl.c
@@ -2807,16 +2807,16 @@ acl__TestRights(Acl_PBlock *aclpb,int access, const char **right,
const char **
if (access & ( SLAPI_ACL_SEARCH | SLAPI_ACL_READ)) {
- /* We can not reused results obtained on a other entry */
- if (aci->aci_type & ACI_CACHE_RESULT_PER_ENTRY) {
- aclpb->aclpb_state |=
ACLPB_CACHE_RESULT_PER_ENTRY_SKIP;
- }
+ /* We can not reused results obtained on a other entry */
+ if (aci->aci_type & ACI_CACHE_RESULT_PER_ENTRY) {
+ aclpb->aclpb_state |= ACLPB_CACHE_RESULT_PER_ENTRY_SKIP;
+ }
/*
* aclpb->aclpb_cache_result[0..aclpb->aclpb_last_cache_result] is
* a cache of info about whether applicable acis
* allowed, did_not_allow or denied access
- */
+ */
for (j =0; j < aclpb->aclpb_last_cache_result; j++) {
if (index == aclpb->aclpb_cache_result[j].aci_index) {
short result;
@@ -2919,15 +2919,28 @@ acl__TestRights(Acl_PBlock *aclpb,int access, const char **right,
const char **
if ( j < aclpb->aclpb_last_cache_result) {
/* already in cache */
+ aclpb->aclpb_cache_result[j].result &= ~ACLPB_CACHE_ERROR_REPORTED;
} else if ( j < aclpb_max_cache_results ) {
/* j == aclpb->aclpb_last_cache_result &&
j < ACLPB_MAX_CACHE_RESULTS */
aclpb->aclpb_last_cache_result++;
aclpb->aclpb_cache_result[j].aci_index = index;
aclpb->aclpb_cache_result[j].aci_ruleType = aci->aci_ruleType;
-
+ aclpb->aclpb_cache_result[j].result &= ~ACLPB_CACHE_ERROR_REPORTED;
} else { /* cache overflow */
- if ( rights_rv == ACL_RES_DENY) {
+ if (!(aclpb->aclpb_cache_result[j].result &
+ ACLPB_CACHE_ERROR_REPORTED)) {
+ slapi_log_error (SLAPI_LOG_FATAL, "acl__TestRights",
+ "Your ACL cache of %d slots has overflowed. "
+ "This can happen when you have many ACIs. "
+ "This ACI evaluation requires %d slots to cache. "
+ "You can increase your max value by setting the attribute "
+ "%s in cn=ACL Plugin,cn=plugins,cn=config to a value higher. "
+ "A server restart is required.\n",
+ j, aclpb_max_cache_results, ATTR_ACLPB_MAX_SELECTED_ACLS);
+ aclpb->aclpb_cache_result[j].result |= ACLPB_CACHE_ERROR_REPORTED;
+ }
+ if (rights_rv == ACL_RES_DENY) {
result_reason->deciding_aci = aci;
result_reason->reason = ACL_REASON_EVALUATED_DENY;
TNF_PROBE_1_DEBUG(acl__TestRights_end,"ACL","",
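Review bot: In the overflow branch the index `j` has already failed the `j < aclpb_max_cache_results` test on the preceding `else if`, so `aclpb->aclpb_cache_result[j].result` is read and then written at an index >= aclpb_max_cache_results; unless the array is allocated with at least aclpb_max_cache_results + 1 entries (the allocation is not visible here), this is an out-of-bounds access on the ACL evaluation path, and the same applies to the allow-side code this mirrors. Either keep the "already reported" state out of the slot array (a dedicated field in aclpb or a bit in aclpb_state) or document the +1 allocation invariant at the allocation site with a comment such as `/* one extra slot: acl__TestRights stores ACLPB_CACHE_ERROR_REPORTED at index aclpb_max_cache_results on overflow */`. Note also that both `%d` arguments print the same value at this point (j equals aclpb_max_cache_results), so "This ACI evaluation requires %d slots" understates the real need, which is at least max + 1. acl__TestRights begins and ends outside this hunk.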
@@ -2986,8 +2999,7 @@ acl__TestRights(Acl_PBlock *aclpb,int access, const char **right,
const char **
return ACL_RES_DENY;
}
}
- }
-
+ } /* for (i=0, k=0; i < numHandles && k <
aclpb->aclpb_num_deny_handles; ++i) */
/*
** START PROCESSING ALLOW HANDLES.
@@ -3023,10 +3035,10 @@ acl__TestRights(Acl_PBlock *aclpb,int access, const char **right,
const char **
if (access & ( SLAPI_ACL_SEARCH | SLAPI_ACL_READ)) {
- /* We can not reused results obtained on a other entry */
- if (aci->aci_type & ACI_CACHE_RESULT_PER_ENTRY) {
- aclpb->aclpb_state |=
ACLPB_CACHE_RESULT_PER_ENTRY_SKIP;
- }
+ /* We can not reused results obtained on a other entry */
+ if (aci->aci_type & ACI_CACHE_RESULT_PER_ENTRY) {
+ aclpb->aclpb_state |= ACLPB_CACHE_RESULT_PER_ENTRY_SKIP;
+ }
/*
* aclpb->aclpb_cache_result[0..aclpb->aclpb_last_cache_result] is
* a cache of info about whether applicable acis
@@ -3198,7 +3210,7 @@ acl__TestRights(Acl_PBlock *aclpb,int access, const char **right,
const char **
return ACL_RES_ALLOW;
}
}
- }/* for */
+ } /* for (i=0, k=0; i < numHandles && k <
aclpb->aclpb_num_allow_handles ; ++i) { */
result_reason->deciding_aci = aci;
result_reason->reason = ACL_REASON_NO_MATCHED_SUBJECT_ALLOWS;