From 3fd372ec7504b9078f6c6fedea67370969d69a66 Mon Sep 17 00:00:00 2001 From: Mark Reynolds Date: Oct 20 2016 08:13:52 +0000 Subject: Ticket 47703 - remove search limit for aci group evaluation Bug Description: Groups that have members that exceed the server sizelimit are not fully processed, and aci evalauation fails. Fix Description: There should not be a sizelimit when processing aci's based on group membership. https://fedorahosted.org/389/ticket/47703 Reviewed by: nhosoi(Thanks!) (cherry picked from commit 3151648f2c761efd8caab25cd09023947534a5da) (cherry picked from commit 99a34b4ef856af505df254a03e64d39d520c4ab1)
---
diff --git a/ldap/servers/plugins/acl/acl.h b/ldap/servers/plugins/acl/acl.h
index 8a9bec2..6930172 100644
--- a/ldap/servers/plugins/acl/acl.h
+++ b/ldap/servers/plugins/acl/acl.h
@@ -543,8 +543,6 @@ struct acl_pblock { /* Keep the Group nesting level */ int aclpb_max_nesting_level; - int aclpb_max_member_sizelimit; - /* To keep the results in the cache */
diff --git a/ldap/servers/plugins/acl/acl_ext.c b/ldap/servers/plugins/acl/acl_ext.c
index 014890c..94188c9 100644
--- a/ldap/servers/plugins/acl/acl_ext.c
+++ b/ldap/servers/plugins/acl/acl_ext.c
@@ -834,16 +834,6 @@ acl_init_aclpb ( Slapi_PBlock *pb , Acl_PBlock *aclpb, const char *ndn, int copy
 aclg_init_userGroup ( aclpb, ndn, 0 /* get lock */ );
 slapi_pblock_get( pb, SLAPI_BE_MAXNESTLEVEL, &aclpb->aclpb_max_nesting_level );
- slapi_pblock_get( pb, SLAPI_SEARCH_SIZELIMIT, &aclpb->aclpb_max_member_sizelimit );
- if ( aclpb->aclpb_max_member_sizelimit == 0 ) {
- aclpb->aclpb_max_member_sizelimit = SLAPD_DEFAULT_LOOKTHROUGHLIMIT;
- } else if ( aclpb->aclpb_max_member_sizelimit < -1 ) {
- /* handle the case of a negtive size limit either set or due
- * to bug bz1065971. The member size limit should be dropped,
- * but for backward compatibility to the best we can
- */
- aclpb->aclpb_max_member_sizelimit = -1;
- }
 slapi_pblock_get( pb, SLAPI_OPERATION_TYPE, &aclpb->aclpb_optype );
 aclpb->aclpb_signature = acl_get_aclsignature();
diff --git a/ldap/servers/plugins/acl/acllas.c b/ldap/servers/plugins/acl/acllas.c
index a0cc53d..5d9b14a 100644
--- a/ldap/servers/plugins/acl/acllas.c
+++ b/ldap/servers/plugins/acl/acllas.c
@@ -1979,7 +1979,6 @@ acllas__user_ismember_of_group( struct acl_pblock *aclpb,
 int totalMembersVisited;
 int numOfMembers;
 int max_nestlevel;
- int max_memberlimit;
 aclUserGroup *u_group;
 struct member_info *groupMember = NULL;
 struct member_info *parentGroup = NULL;
@@ -2064,7 +2063,6 @@ acllas__user_ismember_of_group( struct acl_pblock *aclpb,
 info.clientCert = NULL;
 info.aclpb = aclpb;
- max_memberlimit = aclpb->aclpb_max_member_sizelimit;
 max_nestlevel = aclpb->aclpb_max_nesting_level;
 #ifdef FOR_DEBUGGING
@@ -2142,15 +2140,6 @@ eval_another_member:
 goto free_and_return;
 }
- /* limit of -1 means "no limit */
- if (info.c_idx > max_memberlimit &&
- max_memberlimit != -1 ) {
- slapi_log_error( SLAPI_LOG_ACL, plugin_name,
- "GroupEval:Looked at too many entries:(%d, %d)\n",
- info.c_idx, info.lu_idx);
- result = ACL_DONT_KNOW; /* don't try to cache info based on this result */
- goto free_and_return;
- }
 if (info.lu_idx > info.c_idx) {
 if (numOfMembers == (info.lu_idx - info.c_idx)) {
 /* That means it's not a GROUP. It is just another