
Re: OpenLDAP 2.1.8 not enforcing sizelimits?



> Hi *
>
> All the following was tested with BDB 4.1.24, OpenLDAP 2.1.8 on Solaris
> 9. The database type was ldbm but the problems seem to apply to the
> others too.
>
> Adding the following line
> 	limits anonymous size.soft=-1
> to slapd.conf set the default limit on the number of returned entries to
> 'no limit'. Nevertheless I assume that specifying a limit by the client
> should be honored by the server but it doesn't. Looking at
> 	servers/slapd/back-ldbm/search.c:274
>
>         /* if requested limit higher than hard limit, abort */
>         } else if ( slimit > limit->lms_s_hard ) {
>             /* no hard limit means use soft instead */
>             if ( limit->lms_s_hard == 0 && slimit > limit->lms_s_soft ) {
>                 slimit = limit->lms_s_soft;
>                 ...
>
> It's obvious what happens as
> 	slimit = 5		(in my example as passed from the client)
> 	limit->lms_s_hard	0
> 	limit->lms_s_soft	-1
> the client-specified soft limit will be set to -1 and therefore ignored.
> I suggest to replace the if-construct by one that either ignores values
> <= 0 or just -1.

Fixed in HEAD; please test

>
> As a RFE for the handling I would also suggest to honor
> 	limits size=none ...

This is illegal; I guess you mean

 	limits <pattern> size=none ...

e.g.

 	limits anonymous size=none ...

> setting the sizelimit to unlimited (-1) instead of 0 as of today caused
> by the call to atoi("none").

This has been improved by using strtol and checking that
a legal integer (i.e. >= -1) has been actually read

>
> Another 'problem' arises from having two entries in slapd.conf
> 	limits anonymous size=-1
> 	limits anonymous time=100
> in this case the timelimit is silently ignored. I know that this spec
> doesn't really fit the syntax in the manpage but nevertheless as RFE it
> could be accepted or a warning should be issued.

A check for simple types ("anonymous", "users", "any") has been added.

Thanks for the suggestions.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
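
The two issues discussed in this thread, as an added example that is not part of the original message and is neither OpenLDAP's code nor the fix committed to HEAD: a limit value parsed with strtol and validated as an integer >= -1, and the quoted size-limit branch shown beside a sketch that treats -1 as a "no limit" marker instead of a number to compare against. The names `parse_limit`, `slimit_as_quoted`, `slimit_soft_aware`, `NO_LIMIT` and `LIMIT_INVALID` are hypothetical, and the sketch covers only the `lms_s_hard == 0` path.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

#define NO_LIMIT      (-1)      /* the thread's value for "no limit" */
#define LIMIT_INVALID INT_MIN   /* hypothetical error marker */

/* Parse a configured limit with strtol and accept it only if a legal
 * integer (>= -1) was actually read, as the reply describes. */
static int parse_limit(const char *s)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(s, &end, 10);
    if (end == s || *end != '\0' || errno == ERANGE)
        return LIMIT_INVALID;   /* "none" or "10x": atoi() would yield 0 or 10 */
    if (v < NO_LIMIT || v > INT_MAX)
        return LIMIT_INVALID;
    return (int)v;
}

/* The branch quoted from back-ldbm/search.c, same comparisons only. */
static int slimit_as_quoted(int slimit, int soft, int hard)
{
    if (slimit > hard) {
        /* no hard limit means use soft instead */
        if (hard == 0 && slimit > soft)
            slimit = soft;      /* soft == -1 overwrites the client's 5 */
    }
    return slimit;
}

/* Sketch for the hard == 0 path: -1 is a marker, never a smaller number. */
static int slimit_soft_aware(int slimit, int soft)
{
    if (soft == NO_LIMIT)
        return slimit;          /* no server ceiling: keep the client's value */
    return slimit > soft ? soft : slimit;
}

int main(void)
{
    int soft = parse_limit("-1");   /* constructed: size.soft=-1 */
    printf("quoted=%d sketch=%d none=%s\n",
           slimit_as_quoted(5, soft, 0), slimit_soft_aware(5, soft),
           parse_limit("none") == LIMIT_INVALID ? "rejected" : "accepted");
    return 0;
}
```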