From 35c77e7979317e46f41450838eea4c4c62efb5cc Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Wed, 19 Oct 2016 15:50:15 -0400
Subject: [PATCH 408/410] Ticket 47703 - remove search limit for aci group
evaluation
Bug Description: Groups that have members that exceed the server sizelimit
are not fully processed, and aci evaluation fails.
Fix Description: There should not be a sizelimit when processing aci's based
on group membership.
https://fedorahosted.org/389/ticket/47703
Reviewed by: nhosoi(Thanks!)
(cherry picked from commit 3151648f2c761efd8caab25cd09023947534a5da)
(cherry picked from commit 99a34b4ef856af505df254a03e64d39d520c4ab1)
(cherry picked from commit 3fd372ec7504b9078f6c6fedea67370969d69a66)
---
ldap/servers/plugins/acl/acl.h | 2 --
ldap/servers/plugins/acl/acl_ext.c | 10 ----------
ldap/servers/plugins/acl/acllas.c | 11 -----------
3 files changed, 23 deletions(-)
diff --git a/ldap/servers/plugins/acl/acl.h b/ldap/servers/plugins/acl/acl.h
index 8a9bec2..6930172 100644
--- a/ldap/servers/plugins/acl/acl.h
+++ b/ldap/servers/plugins/acl/acl.h
@@ -543,8 +543,6 @@ struct acl_pblock {
/* Keep the Group nesting level */
int aclpb_max_nesting_level;
- int aclpb_max_member_sizelimit;
-
/* To keep the results in the cache */
diff --git a/ldap/servers/plugins/acl/acl_ext.c b/ldap/servers/plugins/acl/acl_ext.c
index 014890c..94188c9 100644
--- a/ldap/servers/plugins/acl/acl_ext.c
+++ b/ldap/servers/plugins/acl/acl_ext.c
@@ -834,16 +834,6 @@ acl_init_aclpb ( Slapi_PBlock *pb , Acl_PBlock *aclpb, const char *ndn, int copy
aclg_init_userGroup ( aclpb, ndn, 0 /* get lock */ );
slapi_pblock_get( pb, SLAPI_BE_MAXNESTLEVEL, &aclpb->aclpb_max_nesting_level );
- slapi_pblock_get( pb, SLAPI_SEARCH_SIZELIMIT, &aclpb->aclpb_max_member_sizelimit );
- if ( aclpb->aclpb_max_member_sizelimit == 0 ) {
- aclpb->aclpb_max_member_sizelimit = SLAPD_DEFAULT_LOOKTHROUGHLIMIT;
- } else if ( aclpb->aclpb_max_member_sizelimit < -1 ) {
- /* handle the case of a negtive size limit either set or due
- * to bug bz1065971. The member size limit should be dropped,
- * but for backward compatibility to the best we can
- */
- aclpb->aclpb_max_member_sizelimit = -1;
- }
slapi_pblock_get( pb, SLAPI_OPERATION_TYPE, &aclpb->aclpb_optype );
aclpb->aclpb_signature = acl_get_aclsignature();
diff --git a/ldap/servers/plugins/acl/acllas.c b/ldap/servers/plugins/acl/acllas.c
index 7f4f69c..a4c214b 100644
--- a/ldap/servers/plugins/acl/acllas.c
+++ b/ldap/servers/plugins/acl/acllas.c
@@ -1979,7 +1979,6 @@ acllas__user_ismember_of_group( struct acl_pblock *aclpb,
int totalMembersVisited;
int numOfMembers;
int max_nestlevel;
- int max_memberlimit;
aclUserGroup *u_group;
struct member_info *groupMember = NULL;
struct member_info *parentGroup = NULL;
@@ -2064,7 +2063,6 @@ acllas__user_ismember_of_group( struct acl_pblock *aclpb,
info.clientCert = NULL;
info.aclpb = aclpb;
- max_memberlimit = aclpb->aclpb_max_member_sizelimit;
max_nestlevel = aclpb->aclpb_max_nesting_level;
#ifdef FOR_DEBUGGING
@@ -2142,15 +2140,6 @@ eval_another_member:
goto free_and_return;
}
- /* limit of -1 means "no limit */
- if (info.c_idx > max_memberlimit &&
- max_memberlimit != -1 ) {
- slapi_log_error( SLAPI_LOG_ACL, plugin_name,
- "GroupEval:Looked at too many entries:(%d, %d)\n",
- info.c_idx, info.lu_idx);
- result = ACL_DONT_KNOW; /* don't try to cache info based on this result */
- goto free_and_return;
- }
if (info.lu_idx > info.c_idx) {
if (numOfMembers == (info.lu_idx - info.c_idx)) {
/* That means it's not a GROUP. It is just another
--
2.4.11