Bug 592389 - Anonymous resource limits not set if no BIND is performed
Status: CLOSED CURRENTRELEASE
Product: 389
Classification: Community
Component: Directory Server
Version: 1.2.5
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Nathan Kinder
QA Contact: Viktor Ashirov
Blocks: 434914 389_1.2.6
Reported: 2010-05-14 14:23 EDT by Nathan Kinder
Modified: 2015-12-07 11:45 EST (History)

Doc Type: Bug Fix
Last Closed: 2015-12-07 11:45:22 EST


Attachments
Proposed Patch (4.09 KB, patch)
2010-05-20 17:28 EDT, Nathan Kinder
nkinder: review?
rmeggins: review+

Description Nathan Kinder 2010-05-14 14:23:05 EDT
It appears that the anonymous resource limits are not set if an explicit BIND is not performed.  The anonymous limits are set when bind_credentials_set() or bind_credentials_set_nolock() is called, but these are only called from the bind code.

We need to be sure to set the limits for an anonymous user who does not perform an explicit bind.
Comment 1 Nathan Kinder 2010-05-19 20:33:32 EDT
So it turns out that this issue is occurring even when an anonymous BIND is performed.  Some other code changes in bind.c must have broken the anonymous limits feature.  I have a patch that makes anonymous limits take effect when an anonymous or unauthenticated BIND is performed.

Dealing with the case where no BIND operation is performed is going to take a bit more surgery.  The way the server currently works is that when a BIND is performed, the limits are set if any bind-based resource limits exist (for real users or anonymous with my patch).  When a search is processed in a backend, it uses any bind based resource limits if they are set, otherwise the global limits for that backend are used.  To have the anonymous limits work when no bind is performed, we would have to set the anonymous limits for all connections when they are created.  We would then need to clear these limits at the beginning of the bind code and allow them to either be reset or left blank for the backend global settings to take effect.
Comment 3 Nathan Kinder 2010-05-20 17:28:55 EDT
Created attachment 415519 [details]
Proposed Patch

The anonymous resource limits were not being properly set.  This
patch ensures that the limits are set properly when an anonymous
or unauthenticated BIND operation is performed.  It also sets the
anonymous limits when we do a read on a connection that has not
yet performed a BIND.  These limits will be overwritten with any
default or user-based limits once a valid BIND is performed.
Comment 4 Nathan Kinder 2010-05-20 17:47:17 EDT
Thanks to Rich for his review!  Pushed to master.

Counting objects: 13, done.
Delta compression using 2 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 1.43 KiB, done.
Total 7 (delta 5), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   ecb1e8a..55489b8  master -> master
Comment 6 Jenny Galipeau 2010-06-04 14:59:12 EDT
verified - RHEL 4

version:
redhat-ds-base-8.2.0-2010060304.el4dsrv

1.  Global sizelimit:
# ldapsearch -x -p 389 -h `hostname` -D "cn=Directory Manager" -w Secret123 -b "cn=config" | grep sizelimit
nsslapd-sizelimit: 20

2. nsslapd-anonlimitsdn:
# ldapsearch -x -p 389 -h `hostname` -D "cn=Directory Manager" -w Secret123 -b "cn=config" | grep anonlimit
nsslapd-anonlimitsdn: uid=jgalipea,ou=people,dc=example,dc=com

3. Limit on User:
# /usr/lib/mozldap6/ldapsearch -p 389 -h `hostname` -D "cn=Directory Manager" -w Secret123 -b "uid=jgalipea,ou=people,dc=example,dc=com" "(objectclass=*)" nssizelimit
version: 1
dn: uid=jgalipea,ou=People,dc=example,dc=com
nssizelimit: 5

4. anonymous bind search:
# /usr/lib/mozldap6/ldapsearch -p 389 -h `hostname` -b "dc=example,dc=com" "(objectclass=*)" cn
version: 1
dn: dc=example,dc=com

dn: cn=Directory Administrators,dc=example,dc=com
cn: Directory Administrators

dn: ou=Groups,dc=example,dc=com

dn: ou=People,dc=example,dc=com

dn: ou=Special Users,dc=example,dc=com
ldap_search: Sizelimit exceeded

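A reproduction of the no-BIND case, added here as an example; it is not part of the bug report, the attached patch, or the 389 code base. The verification in Comment 6 exercises the anonymous BIND path, because ldapsearch (OpenLDAP and the Mozilla LDAP SDK alike) always sends a BindRequest before searching, anonymous when no -D is given. It therefore cannot reach the case in the original description and in Comment 1, where a connection performs no BIND at all and the server has to apply the anonymous limits at connection creation rather than at bind time. The script below speaks raw LDAPv3 BER (RFC 4511) over a socket so that the first and only PDU on the connection is a SearchRequest, then counts SearchResultEntry PDUs until SearchResultDone and returns the entry count and resultCode (4 is sizeLimitExceeded). Host, port, base DN and the expected (5, 4) outcome are assumptions taken from the setup in Comment 6 (nssizelimit: 5 on the nsslapd-anonlimitsdn entry); the function names are chosen here.

```python
"""Search a 389 DS instance without ever sending a BindRequest.

Added example, not code from the bug report or the 389 project. The first
PDU on the wire is a SearchRequest, so the server must apply whatever limits
it set when the connection was created. Defaults below are assumptions taken
from the verification comment (localhost:389, dc=example,dc=com).
"""
import socket

SEARCH_REQUEST = 0x63       # [APPLICATION 3], constructed
SEARCH_RESULT_ENTRY = 0x64  # [APPLICATION 4]
SEARCH_RESULT_DONE = 0x65   # [APPLICATION 5]
SIZE_LIMIT_EXCEEDED = 4     # LDAPResult resultCode


def ber_length(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_length(len(payload)) + payload


def ber_integer(value, tag=0x02):
    """Minimal two's-complement INTEGER (or ENUMERATED when tag=0x0A)."""
    n = max(1, (value.bit_length() + 8) // 8)
    return tlv(tag, value.to_bytes(n, "big", signed=True))


def search_request(message_id, base_dn, attributes, scope=2, size_limit=0):
    """LDAPMessage{messageID, SearchRequest(base, scope, (objectClass=*), attrs)}."""
    body = (
        tlv(0x04, base_dn.encode())          # baseObject
        + ber_integer(scope, tag=0x0A)       # scope: 2 = wholeSubtree
        + ber_integer(0, tag=0x0A)           # derefAliases: neverDerefAliases
        + ber_integer(size_limit)            # sizeLimit 0: let the server decide
        + ber_integer(0)                     # timeLimit 0
        + tlv(0x01, b"\x00")                 # typesOnly FALSE
        + tlv(0x87, b"objectClass")          # Filter present [7]: (objectClass=*)
        + tlv(0x30, b"".join(tlv(0x04, a.encode()) for a in attributes))
    )
    return tlv(0x30, ber_integer(message_id) + tlv(SEARCH_REQUEST, body))


def read_tlv(buf, offset):
    """Decode one TLV at offset; raise ValueError if the buffer is truncated."""
    tag = buf[offset]
    first = buf[offset + 1]
    if first < 0x80:
        length, start = first, offset + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[offset + 2:offset + 2 + n], "big")
        start = offset + 2 + n
    if start + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[start:start + length], start + length


def parse_message(buf, offset=0):
    """Return (messageID, protocolOp tag, protocolOp payload, next offset)."""
    tag, seq, nxt = read_tlv(buf, offset)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, off = read_tlv(seq, 0)
    op_tag, op_payload, _ = read_tlv(seq, off)
    return int.from_bytes(mid, "big", signed=True), op_tag, op_payload, nxt


def tally_search_results(stream):
    """Count SearchResultEntry PDUs; return (entries, resultCode) at SearchResultDone."""
    entries, offset = 0, 0
    while offset < len(stream):
        _, op_tag, payload, offset = parse_message(stream, offset)
        if op_tag == SEARCH_RESULT_ENTRY:
            entries += 1
        elif op_tag == SEARCH_RESULT_DONE:
            _, code, _ = read_tlv(payload, 0)   # LDAPResult.resultCode
            return entries, int.from_bytes(code, "big")
    raise ValueError("stream ended before SearchResultDone")


def search_without_bind(host="localhost", port=389, base_dn="dc=example,dc=com",
                        attributes=("cn",), timeout=5.0):
    """Connect, send only a SearchRequest, and tally the reply.

    With the Comment 6 setup (nssizelimit: 5 on the anonymous limits entry)
    a fixed server is expected to answer (5, 4) even though no BindRequest
    was ever sent; before the fix the backend's global limit applied instead.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(search_request(1, base_dn, attributes))
        buf = bytearray()
        while True:
            chunk = sock.recv(65536)
            if not chunk:
                raise ConnectionError("connection closed before SearchResultDone")
            buf += chunk
            try:
                return tally_search_results(bytes(buf))
            except (ValueError, IndexError):
                continue   # PDU boundary not reached yet; read more
```

Run `search_without_bind()` against a test instance and compare the result with an ordinary `ldapsearch` that binds anonymously: both should stop at the anonymous limit once the fix is in, and an unfixed server will hand the no-bind connection the backend's global nsslapd-sizelimit instead. If the server has anonymous access disabled, the reply is an error resultCode with no entries rather than a size limit.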