[389-commits] Branch 'Directory_Server_8_2_Branch' - ldap/servers

Nathan Kinder nkinder at fedoraproject.org
Thu May 20 21:52:55 UTC 2010


 ldap/servers/slapd/bind.c   |   11 +++++++++++
 ldap/servers/slapd/daemon.c |   28 +++++++++++++++++++++++++---
 2 files changed, 36 insertions(+), 3 deletions(-)

New commits:
commit 4f83c2672f6cc0a1ac5eecb73f577da48b597c5d
Author: Nathan Kinder <nkinder at redhat.com>
Date:   Thu May 20 14:08:33 2010 -0700

    Bug 592389 - Set anonymous resource limits properly
    
    The anonymous resource limits were not being properly set.  This
    patch ensures that the limits are set properly when an anonymous
    or unauthenticated BIND operation is performed.  It also sets the
    anonymous limits when we do a read on a connection that has not
    yet performed a BIND.  These limits will be overwritten with any
    default or user-based limits once a valid BIND is performed.

diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c
index 3e02e0c..4236530 100644
--- a/ldap/servers/slapd/bind.c
+++ b/ldap/servers/slapd/bind.c
@@ -522,6 +522,10 @@ do_bind( Slapi_PBlock *pb )
                 goto free_and_return;
             }
 
+            /* set the bind credentials so anonymous limits are set */
+            bind_credentials_set( pb->pb_conn, SLAPD_AUTH_NONE,
+                                      NULL, NULL, NULL, NULL , NULL);
+
             /* call preop plugins */
             if (plugin_call_plugins( pb, SLAPI_PLUGIN_PRE_BIND_FN ) == 0){
                 if ( auth_response_requested ) {
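Review bot: The new comment on the `bind_credentials_set` call says what it achieves but not why it is placed before `plugin_call_plugins( pb, SLAPI_PLUGIN_PRE_BIND_FN )` rather than after the bind completes, so a later reader may take the pre-plugin placement as accidental and move it. Suggest `/* Demote the connection to anonymous now, before the pre-bind plugins run, so the anonymous resource limits take effect on this connection; a later successful BIND overwrites these credentials. */`. The overwrite behaviour comes from the commit message rather than from lines visible in this hunk, so confirm it before adopting the wording. `do_bind` begins and ends outside this hunk.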
@@ -698,6 +702,9 @@ do_bind( Slapi_PBlock *pb )
                             authtype = SLAPD_AUTH_OS;
                         }
 #endif /* ENABLE_AUTOBIND */
+                        else {
+                            authtype = SLAPD_AUTH_NONE;
+                        }
                         break;
                     case LDAP_AUTH_SASL:
                         /* authtype = SLAPD_AUTH_SASL && saslmech: */
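Review bot: The added `else {` sits after `#endif /* ENABLE_AUTOBIND */` while the closing brace of the `if` it pairs with is inside the guarded region; if that `if` also opens inside the `#if` (its start is outside the hunk), a build without ENABLE_AUTOBIND sees an `else` with no preceding `if` directly under `case LDAP_AUTH_SIMPLE:` and fails to compile. Moving the three added lines above the `#endif` and inserting `#else` / `authtype = SLAPD_AUTH_NONE;` before it keeps the password-less SIMPLE bind labelled as anonymous in both build configurations. Alternatively, assign `authtype = SLAPD_AUTH_NONE;` before the `#if` and let the autobind branch override it. `do_bind` begins and ends outside this hunk.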
@@ -719,6 +726,10 @@ do_bind( Slapi_PBlock *pb )
                                                        slapi_sdn_get_ndn(&sdn));
                         }
                     } else {	/* anonymous */
+                        /* set bind creds here so anonymous limits are set */
+			bind_credentials_set( pb->pb_conn, authtype, NULL,
+                                              NULL, NULL, NULL, NULL );
+
                         if ( auth_response_requested ) {
                             slapi_add_auth_response_control( pb,
                                                        "" );
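Review bot: The added `bind_credentials_set( pb->pb_conn, authtype, NULL,` line is indented with tabs while the surrounding lines of the hunk, including the new comment above it and the continuation line below it, use spaces, so the call does not line up with the `if ( auth_response_requested )` that follows. Re-indent it with spaces to match. The same seven-argument `bind_credentials_set(..., NULL, NULL, NULL, NULL, NULL)` call now appears twice in `do_bind`; a one-line static helper such as `bind_set_anon_credentials(pb->pb_conn, authtype)` would keep the two anonymous paths from drifting. `do_bind` begins and ends outside this hunk.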
diff --git a/ldap/servers/slapd/daemon.c b/ldap/servers/slapd/daemon.c
index 3b8986c..fcd8049 100644
--- a/ldap/servers/slapd/daemon.c
+++ b/ldap/servers/slapd/daemon.c
@@ -1300,14 +1300,36 @@ compute_idletimeout( slapdFrontendConfig_t *fecfg, Connection *conn )
 	if ( slapi_reslimit_get_integer_limit( conn, idletimeout_reslimit_handle,
             &idletimeout ) != SLAPI_RESLIMIT_STATUS_SUCCESS ) {
 		/*
-		 * no limit associated with binder/connection or some other error
-		 * occurred.  use the default idle timeout.
+		 * No limit associated with binder/connection or some other error
+		 * occurred.  If the user is anonymous and anonymous limits are
+		 * set, attempt to set the bind based resource limits.  We do this
+		 * here since a BIND operation is not required prior to other
+		 * operations.  We want to set the anonymous limits early on so
+		 * that they are put into effect if a BIND is never sent.  If
+		 * this is not an anonymous user and no bind-based limits are set,
+		 * use the default idle timeout.
 	 	 */
-		if ( conn->c_isroot ) {
+		char *anon_dn = config_get_anon_limits_dn();
+
+		if ((conn->c_dn == NULL) && anon_dn && (strlen(anon_dn) > 0)) {
+			Slapi_DN *anon_sdn = slapi_sdn_new_dn_byref( anon_dn );
+
+			reslimit_update_from_dn( conn, anon_sdn );
+
+			if ( slapi_reslimit_get_integer_limit( conn,
+			    idletimeout_reslimit_handle, &idletimeout ) !=
+			    SLAPI_RESLIMIT_STATUS_SUCCESS ) {
+				idletimeout = fecfg->idletimeout;
+			}
+
+			slapi_sdn_free( &anon_sdn );
+		} else if ( conn->c_isroot ) {
 			idletimeout = 0;	/* no limit for Directory Manager */
 		} else {
 			idletimeout = fecfg->idletimeout;
 		}
+
+		slapi_ch_free_string( &anon_dn );
 	}
 
 	return( idletimeout );
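Review bot: When the configured anonymous-limits entry carries no idle-timeout value, the second `slapi_reslimit_get_integer_limit` call still fails, so every invocation of `compute_idletimeout` for an unbound connection repeats `config_get_anon_limits_dn()` (an allocation freed at the end) and `reslimit_update_from_dn( conn, anon_sdn )`; if the latter performs a directory lookup, an unauthenticated client holding many idle connections can make the server repeat that lookup indefinitely. A per-connection "anonymous limits already applied" flag, set after the first `reslimit_update_from_dn` call and checked alongside `conn->c_dn == NULL`, would bound this to one lookup per connection. Using `conn->c_dn == NULL` as the anonymity test also needs confirming against a concurrent BIND updating `c_dn`, since whether the caller holds the connection lock is not visible here. Freeing `anon_sdn` before `anon_dn` is the right order for an SDN created with `slapi_sdn_new_dn_byref`. `compute_idletimeout` begins outside this hunk.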



