From 35c77e7979317e46f41450838eea4c4c62efb5cc Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Wed, 19 Oct 2016 15:50:15 -0400
Subject: [PATCH 408/410] Ticket 47703 - remove search limit for aci group
evaluation
Bug Description: Groups that have members that exceed the server sizelimit
are not fully processed, and aci evaluation fails.
Fix Description: There should not be a sizelimit when processing aci's based
on group membership.
https://fedorahosted.org/389/ticket/47703
Reviewed by: nhosoi(Thanks!)
(cherry picked from commit 3151648f2c761efd8caab25cd09023947534a5da)
(cherry picked from commit 99a34b4ef856af505df254a03e64d39d520c4ab1)
(cherry picked from commit 3fd372ec7504b9078f6c6fedea67370969d69a66)
---
ldap/servers/plugins/acl/acl.h | 2 --
ldap/servers/plugins/acl/acl_ext.c | 10 ----------
ldap/servers/plugins/acl/acllas.c | 11 -----------
3 files changed, 23 deletions(-)
diff --git a/ldap/servers/plugins/acl/acl.h b/ldap/servers/plugins/acl/acl.h
index 8a9bec2..6930172 100644
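--- a/ldap/servers/plugins/acl/acl.h
+++ b/ldap/servers/plugins/acl/acl.h
@@ -543,8 +543,6 @@ struct acl_pblock {
 
 /* Keep the Group nesting level */
 int aclpb_max_nesting_level;
- int aclpb_max_member_sizelimit;
-
 
 /* To keep the results in the cache */
 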
diff --git a/ldap/servers/plugins/acl/acl_ext.c b/ldap/servers/plugins/acl/acl_ext.c
index 014890c..94188c9 100644
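--- a/ldap/servers/plugins/acl/acl_ext.c
+++ b/ldap/servers/plugins/acl/acl_ext.c
@@ -834,16 +834,6 @@ acl_init_aclpb ( Slapi_PBlock *pb , Acl_PBlock *aclpb, const char *ndn, int copy
 aclg_init_userGroup ( aclpb, ndn, 0 /* get lock */ );
 
 slapi_pblock_get( pb, SLAPI_BE_MAXNESTLEVEL, &aclpb->aclpb_max_nesting_level );
- slapi_pblock_get( pb, SLAPI_SEARCH_SIZELIMIT, &aclpb->aclpb_max_member_sizelimit );
- if ( aclpb->aclpb_max_member_sizelimit == 0 ) {
- aclpb->aclpb_max_member_sizelimit = SLAPD_DEFAULT_LOOKTHROUGHLIMIT;
- } else if ( aclpb->aclpb_max_member_sizelimit < -1 ) {
- /* handle the case of a negtive size limit either set or due
- * to bug bz1065971. The member size limit should be dropped,
- * but for backward compatibility to the best we can
- */
- aclpb->aclpb_max_member_sizelimit = -1;
- }
 slapi_pblock_get( pb, SLAPI_OPERATION_TYPE, &aclpb->aclpb_optype );
 
 aclpb->aclpb_signature = acl_get_aclsignature();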
diff --git a/ldap/servers/plugins/acl/acllas.c b/ldap/servers/plugins/acl/acllas.c
index 7f4f69c..a4c214b 100644
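--- a/ldap/servers/plugins/acl/acllas.c
+++ b/ldap/servers/plugins/acl/acllas.c
@@ -1979,7 +1979,6 @@ acllas__user_ismember_of_group( struct acl_pblock *aclpb,
 int totalMembersVisited;
 int numOfMembers;
 int max_nestlevel;
- int max_memberlimit;
 aclUserGroup *u_group;
 struct member_info *groupMember = NULL;
 struct member_info *parentGroup = NULL;
@@ -2064,7 +2063,6 @@ acllas__user_ismember_of_group( struct acl_pblock *aclpb,
 info.clientCert = NULL;
 info.aclpb = aclpb;
 
- max_memberlimit = aclpb->aclpb_max_member_sizelimit;
 max_nestlevel = aclpb->aclpb_max_nesting_level;
 
 #ifdef FOR_DEBUGGING
@@ -2142,15 +2140,6 @@ eval_another_member:
 goto free_and_return;
 }
 
- /* limit of -1 means "no limit */
- if (info.c_idx > max_memberlimit &&
- max_memberlimit != -1 ) {
- slapi_log_error( SLAPI_LOG_ACL, plugin_name,
- "GroupEval:Looked at too many entries:(%d, %d)\n",
- info.c_idx, info.lu_idx);
- result = ACL_DONT_KNOW; /* don't try to cache info based on this result */
- goto free_and_return;
- }
 if (info.lu_idx > info.c_idx) {
 if (numOfMembers == (info.lu_idx - info.c_idx)) {
 /* That means it's not a GROUP. It is just another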
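Review bot: After the last hunk the member walk under `eval_another_member` no longer caps `info.c_idx`, so the only bound still visible in these hunks is `max_nestlevel`, and the cost of one ACI evaluation now grows with the size of the group data. The removed check borrowed the operation's search sizelimit, which is what broke large groups, so a separate and generous ACL-only ceiling would keep the fix while still bounding the work; logging when a walk grows very large would at least make it visible. At minimum, mark the spot where the check was with a comment such as `/* No member-count cap on purpose (ticket 47703): a truncated walk returned ACL_DONT_KNOW and broke group-based ACIs. */`. The loop body continues outside the hunk, so whether another bound exists further down cannot be confirmed from here.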
--
2.4.11