Re: OpenLDAP 2.1.8 not enforcing sizelimits?
> Hi *
>
> All the following was tested with BDB 4.1.24, OpenLDAP 2.1.8 on Solaris
> 9. The database type was ldbm but the problems seem to apply to the
> others too.
>
> Adding the following line
> limits anonymous size.soft=-1
> to slapd.conf set the default limit on the number of returned entries to
> 'no limit'. Nevertheless I assume that specifying a limit by the client
> should be honored by the server but it doesn't. Looking at
> servers/slapd/back-ldbm/search.c:274
>
> /* if requested limit higher than hard limit, abort */
> } else if ( slimit > limit->lms_s_hard ) {
> /* no hard limit means use soft instead */
> if ( limit->lms_s_hard == 0 && slimit > limit->lms_s_soft )
> {
> slimit = limit->lms_s_soft;
> ...
>
> It's obvious what happens as
> slimit = 5 (in my example as passed from the client)
> limit->lms_s_hard 0
> limit->lms_s_soft -1
> the client-specified soft limit will be set to -1 and therefore ignored.
> I suggest to replace the if-construct by one that either ignores values
> <= 0 or just -1.
Fixed in HEAD; please test
>
> As a RFE for the handling I would also suggest to honor
> limits size=none ...
This is illegal; I guess you mean
limits <pattern> size=none ...
e.g.
limits anonymous size=none ...
> setting the sizelimit to unlimited (-1) instead of 0 as of today caused
> by the call to atoi("none").
This has been improved by using strtol and checking that
a legal integer (i.e. >= -1) has actually been read.
>
> Another 'problem' arises from having two entries in slapd.conf
> limits anonymous size=-1
> limits anonymous time=100
> in this case the timelimit is silently ignored. I know that this spec
> doesn't really fit the syntax in the manpage but nevertheless as RFE it
> could be accepted or a warning should be issued.
A check for simple types ("anonymous", "users", "any") has been added.
Thanks for the suggestions.
--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
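
The two behaviours discussed in this message, as an added C example that is not OpenLDAP source and not the fix committed to HEAD: how `atoi("none")` silently yields 0 while a `strtol`-based parse can reject anything that is not an integer >= -1, and how the quoted branch replaces a client limit of 5 with a soft limit of -1. All function names are hypothetical, and the clamp functions model only the `lms_s_hard == 0` case visible in the quoted excerpt.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* atoi() cannot report failure: a non-numeric value such as "none" becomes 0. */
static int parse_limit_atoi(const char *s) { return atoi(s); }

/* strtol-based parse: returns 0 on success, -1 unless a legal integer >= -1 was read. */
static int parse_limit_strtol(const char *s, int *out)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(s, &end, 10);
    if (end == s || *end != '\0')          /* no digits at all, or trailing junk */
        return -1;
    if (errno == ERANGE || v < -1 || v > INT_MAX)
        return -1;
    *out = (int)v;
    return 0;
}

/* Quoted branch, hard == 0 case only (the rest is elided in the message). */
static int clamp_quoted(int slimit, int soft, int hard)
{
    if (slimit > hard && hard == 0 && slimit > soft)
        slimit = soft;                     /* soft == -1 discards the client's limit */
    return slimit;
}

/* Variant following the suggestion: a soft limit of -1 (no limit) never clamps. */
static int clamp_suggested(int slimit, int soft, int hard)
{
    if (slimit > hard && hard == 0 && soft != -1 && slimit > soft)
        slimit = soft;
    return slimit;
}

int main(void)
{
    int v = 0;
    printf("atoi(\"none\") = %d\n", parse_limit_atoi("none"));
    printf("strtol(\"none\") rc = %d\n", parse_limit_strtol("none", &v));
    printf("client 5, soft -1: quoted=%d suggested=%d\n",
           clamp_quoted(5, -1, 0), clamp_suggested(5, -1, 0));
    return 0;
}
```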