]> git.sur5r.net Git - openldap/blobdiff - servers/slapd/limits.c
projects / openldap / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Don't bother setting up threads if there are no indexed attrs
[openldap] / servers / slapd / limits.c
diff --git a/servers/slapd/limits.c b/servers/slapd/limits.c
index 870bf632245cffc625fbb7f82d0d6dd04c694175..ef26010606c903621489aaa9215a57e115a68092 100644 (file)
--- a/servers/slapd/limits.c
+++ b/servers/slapd/limits.c
@@ -2,7 +2,7 @@
 /* $OpenLDAP$ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2004 The OpenLDAP Foundation.
+ * Copyright 1998-2006 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -22,6 +22,46 @@
 #include <ac/string.h>
 
 #include "slap.h"
+#include "lutil.h"
+
+/* define to get an error if requesting limit higher than hard */
+#undef ABOVE_HARD_LIMIT_IS_ERROR
+
+static char *
+limits2str( unsigned i )
+{
+       switch ( i ) {
+       case SLAP_LIMITS_UNDEFINED:
+               return "UNDEFINED";
+
+       case SLAP_LIMITS_EXACT:
+               return "EXACT";
+                       
+       case SLAP_LIMITS_ONE:
+               return "ONELEVEL";      
+
+       case SLAP_LIMITS_SUBTREE:
+               return "SUBTREE";
+
+       case SLAP_LIMITS_CHILDREN:
+               return "CHILDREN";
+
+       case SLAP_LIMITS_REGEX:
+               return "REGEX";
+
+       case SLAP_LIMITS_ANONYMOUS:
+               return "ANONYMOUS";
+               
+       case SLAP_LIMITS_USERS:
+               return "USERS";
+               
+       case SLAP_LIMITS_ANY:
+               return "ANY";
+
+       default:
+               return "UNKNOWN";
+       }
+}
 
 int
 limits_get( 
@@ -32,9 +72,12 @@ limits_get(
 {
        struct slap_limits **lm;
 
-       assert( op );
-       assert( limit );
+       assert( op != NULL );
+       assert( limit != NULL );
 
+       Debug( LDAP_DEBUG_TRACE, "==> limits_get: %s dn=\"%s\"\n",
+                       op->o_log_prefix,
+                       BER_BVISNULL( ndn ) ? "[anonymous]" : ndn->bv_val, 0 );
        /*
         * default values
         */
@@ -50,7 +93,7 @@ limits_get(
 
                switch ( style ) {
                case SLAP_LIMITS_EXACT:
-                       if ( ndn->bv_len == 0 ) {
+                       if ( BER_BVISEMPTY( ndn ) ) {
                                break;
                        }
 
@@ -63,13 +106,22 @@ limits_get(
                                                lm[0]->lm_group_ad );
                                if ( rc == 0 ) {
                                        *limit = &lm[0]->lm_limits;
+                                       Debug( LDAP_DEBUG_TRACE, "<== limits_get: type=GROUP match=EXACT "
+                                                       "dn=\"%s\" oc=\"%s\" ad=\"%s\"\n",
+                                                       lm[0]->lm_pat.bv_val,
+                                                       lm[0]->lm_group_oc->soc_cname.bv_val,
+                                                       lm[0]->lm_group_ad->ad_cname.bv_val );
+
                                        return( 0 );
                                }
-                       }
+                       } else {
                        
-                       if ( dn_match( &lm[0]->lm_pat, ndn ) ) {
-                               *limit = &lm[0]->lm_limits;
-                               return( 0 );
+                               if ( dn_match( &lm[0]->lm_pat, ndn ) ) {
+                                       *limit = &lm[0]->lm_limits;
+                                       Debug( LDAP_DEBUG_TRACE, "<== limits_get: type=DN match=EXACT dn=\"%s\"\n",
+                                                       lm[0]->lm_pat.bv_val, 0, 0 );
+                                       return( 0 );
+                               }
                        }
                        break;
 
@@ -78,7 +130,7 @@ limits_get(
                case SLAP_LIMITS_CHILDREN: {
                        size_t d;
                        
-                       if ( ndn->bv_len == 0 ) {
+                       if ( BER_BVISEMPTY( ndn ) ) {
                                break;
                        }
 
@@ -95,7 +147,7 @@ limits_get(
                                }
                        } else {
                                /* check for unescaped rdn separator */
-                               if ( !DN_SEPARATOR( ndn->bv_val[d-1] ) ) {
+                               if ( !DN_SEPARATOR( ndn->bv_val[d - 1] ) ) {
                                        break;
                                }
                        }
@@ -119,6 +171,8 @@ limits_get(
                                }
 
                                *limit = &lm[0]->lm_limits;
+                               Debug( LDAP_DEBUG_TRACE, "<== limits_get: type=DN match=%s dn=\"%s\"\n",
+                                               limits2str( style ), lm[0]->lm_pat.bv_val, 0 );
                                return( 0 );
                        }
 
@@ -126,27 +180,33 @@ limits_get(
                }
 
                case SLAP_LIMITS_REGEX:
-                       if ( ndn->bv_len == 0 ) {
+                       if ( BER_BVISEMPTY( ndn ) ) {
                                break;
                        }
                        if ( regexec( &lm[0]->lm_regex, ndn->bv_val,
                                                0, NULL, 0 ) == 0 )
                        {
                                *limit = &lm[0]->lm_limits;
+                               Debug( LDAP_DEBUG_TRACE, "<== limits_get: type=DN match=%s dn=\"%s\"\n",
+                                               limits2str( style ), lm[0]->lm_pat.bv_val, 0 );
                                return( 0 );
                        }
                        break;
 
                case SLAP_LIMITS_ANONYMOUS:
-                       if ( ndn->bv_len == 0 ) {
+                       if ( BER_BVISEMPTY( ndn ) ) {
+                               Debug( LDAP_DEBUG_TRACE, "<== limits_get: type=DN match=%s\n",
+                                               limits2str( style ), 0, 0 );
                                *limit = &lm[0]->lm_limits;
                                return( 0 );
                        }
                        break;
 
                case SLAP_LIMITS_USERS:
-                       if ( ndn->bv_len != 0 ) {
+                       if ( !BER_BVISEMPTY( ndn ) ) {
                                *limit = &lm[0]->lm_limits;
+                               Debug( LDAP_DEBUG_TRACE, "<== limits_get: type=DN match=%s\n",
+                                               limits2str( style ), 0, 0 );
                                return( 0 );
                        }
                        break;
@@ -178,8 +238,8 @@ limits_add(
        struct slap_limits      *lm;
        unsigned                type, style;
        
-       assert( be );
-       assert( limit );
+       assert( be != NULL );
+       assert( limit != NULL );
 
        type = flags & SLAP_LIMITS_TYPE_MASK;
        style = flags & SLAP_LIMITS_MASK;
@@ -211,8 +271,8 @@ limits_add(
                {
                        int rc;
                        struct berval bv;
-                       bv.bv_val = (char *) pattern;
-                       bv.bv_len = strlen( pattern );
+
+                       ber_str2bv( pattern, 0, 0, &bv );
 
                        rc = dnNormalize( 0, NULL, NULL, &bv, &lm->lm_pat, NULL );
                        if ( rc != LDAP_SUCCESS ) {
@@ -237,15 +297,14 @@ limits_add(
        case SLAP_LIMITS_USERS:
        case SLAP_LIMITS_ANY:
                lm->lm_flags = style | type;
-               lm->lm_pat.bv_val = NULL;
-               lm->lm_pat.bv_len = 0;
+               BER_BVZERO( &lm->lm_pat );
                break;
        }
 
        switch ( type ) {
        case SLAP_LIMITS_TYPE_GROUP:
-               assert( group_oc );
-               assert( group_ad );
+               assert( group_oc != NULL );
+               assert( group_ad != NULL );
                lm->lm_group_oc = group_oc;
                lm->lm_group_ad = group_ad;
                break;
@@ -282,19 +341,13 @@ limits_parse(
        ObjectClass             *group_oc = NULL;
        AttributeDescription    *group_ad = NULL;
 
-       assert( be );
+       assert( be != NULL );
 
        if ( argc < 3 ) {
-#ifdef NEW_LOGGING
-               LDAP_LOG( CONFIG, CRIT, 
-                       "%s : line %d: missing arg(s) in "
-                       "\"limits <pattern> <limits>\" line.\n", fname, lineno, 0 );
-#else
                Debug( LDAP_DEBUG_ANY,
                        "%s : line %d: missing arg(s) in "
                        "\"limits <pattern> <limits>\" line.\n%s",
                        fname, lineno, "" );
-#endif
                return( -1 );
        }
 
@@ -360,17 +413,10 @@ limits_parse(
                                        pattern += STRLENOF( "level" );
 
                                } else {
-#ifdef NEW_LOGGING
-                                       LDAP_LOG( CONFIG, WARNING , 
-                                               "%s : line %d: deprecated \"one\" style "
-                                               "\"limits <pattern> <limits>\" line; "
-                                               "use \"onelevel\" instead.\n", fname, lineno, 0 );
-#else
                                        Debug( LDAP_DEBUG_ANY,
                                                "%s : line %d: deprecated \"one\" style "
                                                "\"limits <pattern> <limits>\" line; "
                                                "use \"onelevel\" instead.\n", fname, lineno, 0 );
-#endif
                                }
 
                        } else if ( strncasecmp( pattern, "sub", STRLENOF( "sub" ) ) == 0 ) {
@@ -380,17 +426,10 @@ limits_parse(
                                        pattern += STRLENOF( "tree" );
 
                                } else {
-#ifdef NEW_LOGGING
-                                       LDAP_LOG( CONFIG, WARNING , 
-                                               "%s : line %d: deprecated \"sub\" style "
-                                               "\"limits <pattern> <limits>\" line; "
-                                               "use \"subtree\" instead.\n", fname, lineno, 0 );
-#else
                                        Debug( LDAP_DEBUG_ANY,
                                                "%s : line %d: deprecated \"sub\" style "
                                                "\"limits <pattern> <limits>\" line; "
                                                "use \"subtree\" instead.\n", fname, lineno, 0 );
-#endif
                                }
 
                        } else if ( strncasecmp( pattern, "children", STRLENOF( "children" ) ) == 0 ) {
@@ -422,13 +461,6 @@ limits_parse(
 
                default:
                        if ( pattern[0] != '=' ) {
-#ifdef NEW_LOGGING
-                               LDAP_LOG( CONFIG, CRIT, 
-                                       "%s : line %d: missing '=' in "
-                                       "\"dn[.{exact|base|onelevel|subtree"
-                                       "|children|regex|anonymous}]" "=<pattern>\" in "
-                                       "\"limits <pattern> <limits>\" line.\n", fname, lineno, 0 );
-#else
                                Debug( LDAP_DEBUG_ANY,
                                        "%s : line %d: missing '=' in "
                                        "\"dn[.{exact|base|onelevel|subtree"
@@ -437,7 +469,6 @@ limits_parse(
                                        "\"limits <pattern> <limits>\" "
                                        "line.\n%s",
                                        fname, lineno, "" );
-#endif
                                return( -1 );
                        }
 
@@ -463,8 +494,12 @@ limits_parse(
                        struct berval   oc, ad;
 
                        oc.bv_val = pattern + 1;
+                       pattern = strchr( pattern, '=' );
+                       if ( pattern == NULL ) {
+                               return -1;
+                       }
 
-                       ad.bv_val = strchr(pattern, '/');
+                       ad.bv_val = strchr( oc.bv_val, '/' );
                        if ( ad.bv_val != NULL ) {
                                const char      *text = NULL;
                                int             rc;
@@ -472,18 +507,14 @@ limits_parse(
                                oc.bv_len = ad.bv_val - oc.bv_val;
 
                                ad.bv_val++;
-                               ad.bv_len = strlen( ad.bv_val );
+                               ad.bv_len = pattern - ad.bv_val;
                                rc = slap_bv2ad( &ad, &group_ad, &text );
                                if ( rc != LDAP_SUCCESS ) {
                                        goto no_ad;
                                }
 
-                               pattern = ad.bv_val + ad.bv_len;
-
                        } else {
-                               oc.bv_len = strlen( oc.bv_val );
-
-                               pattern = oc.bv_val + oc.bv_len;
+                               oc.bv_len = pattern - oc.bv_val;
                        }
 
                        group_oc = oc_bvfind( &oc );
@@ -515,21 +546,12 @@ no_ad:;
                flags = SLAP_LIMITS_TYPE_GROUP | SLAP_LIMITS_EXACT;
 
                if ( pattern[0] != '=' ) {
-#ifdef NEW_LOGGING
-                       LDAP_LOG( CONFIG, CRIT, 
-                               "%s : line %d: missing '=' in "
-                               "\"group[/objectClass[/attributeType]]"
-                               "=<pattern>\" in "
-                               "\"limits <pattern> <limits>\" line.\n",
-                               fname, lineno, 0 );
-#else
                        Debug( LDAP_DEBUG_ANY,
                                "%s : line %d: missing '=' in "
                                "\"group[/objectClass[/attributeType]]"
                                "=<pattern>\" in "
                                "\"limits <pattern> <limits>\" line.\n",
                                fname, lineno, 0 );
-#endif
                        return( -1 );
                }
 
@@ -541,17 +563,10 @@ no_ad:;
        for ( i = 2; i < argc; i++ ) {
                if ( limits_parse_one( argv[i], &limit ) ) {
 
-#ifdef NEW_LOGGING
-                       LDAP_LOG( CONFIG, CRIT, 
-                               "%s : line %d: unknown limit values \"%s\" in "
-                               "\"limits <pattern> <limits>\" line.\n",
-                               fname, lineno, argv[i] );
-#else
                        Debug( LDAP_DEBUG_ANY,
                                "%s : line %d: unknown limit values \"%s\" in "
                                "\"limits <pattern> <limits>\" line.\n",
                        fname, lineno, argv[i] );
-#endif
 
                        return( 1 );
                }
@@ -559,6 +574,8 @@ no_ad:;
 
        /*
         * sanity checks ...
+        *
+        * FIXME: add warnings?
         */
        if ( limit.lms_t_hard > 0 && 
                        ( limit.lms_t_hard < limit.lms_t_soft 
@@ -571,21 +588,43 @@ no_ad:;
                          || limit.lms_s_soft == -1 ) ) {
                limit.lms_s_hard = limit.lms_s_soft;
        }
-       
+
+       /*
+        * defaults ...
+        * 
+        * lms_t_hard:
+        *      -1      => no limits
+        *      0       => same as soft
+        *      > 0     => limit (in seconds)
+        *
+        * lms_s_hard:
+        *      -1      => no limits
+        *      0       0> same as soft
+        *      > 0     => limit (in entries)
+        *
+        * lms_s_pr_total:
+        *      -2      => disable the control
+        *      -1      => no limits
+        *      0       => same as soft
+        *      > 0     => limit (in entries)
+        *
+        * lms_s_pr:
+        *      -1      => no limits
+        *      0       => no limits?
+        *      > 0     => limit size (in entries)
+        */
+       if ( limit.lms_s_pr_total > 0 &&
+                       limit.lms_s_pr > limit.lms_s_pr_total ) {
+               limit.lms_s_pr = limit.lms_s_pr_total;
+       }
+
        rc = limits_add( be, flags, pattern, group_oc, group_ad, &limit );
        if ( rc ) {
 
-#ifdef NEW_LOGGING
-               LDAP_LOG( CONFIG, CRIT, 
-                       "%s : line %d: unable to add limit in "
-                       "\"limits <pattern> <limits>\" line.\n",
-                       fname, lineno, 0 );
-#else
                Debug( LDAP_DEBUG_ANY,
                        "%s : line %d: unable to add limit in "
                        "\"limits <pattern> <limits>\" line.\n",
                fname, lineno, 0 );
-#endif
        }
 
        return( rc );
@@ -597,50 +636,57 @@ limits_parse_one(
        struct slap_limits_set  *limit
 )
 {
-       assert( arg );
-       assert( limit );
+       assert( arg != NULL );
+       assert( limit != NULL );
 
        if ( strncasecmp( arg, "time", STRLENOF( "time" ) ) == 0 ) {
-               arg += 4;
+               arg += STRLENOF( "time" );
 
                if ( arg[0] == '.' ) {
                        arg++;
-                       if ( strncasecmp( arg, "soft", STRLENOF( "soft" ) ) == 0 ) {
-                               arg += 4;
-                               if ( arg[0] != '=' ) {
-                                       return( 1 );
-                               }
-                               arg++;
-                               if ( strcasecmp( arg, "none" ) == 0 ) {
+                       if ( strncasecmp( arg, "soft=", STRLENOF( "soft=" ) ) == 0 ) {
+                               arg += STRLENOF( "soft=" );
+                               if ( strcasecmp( arg, "unlimited" ) == 0 || strcasecmp( arg, "none" ) == 0 ) {
                                        limit->lms_t_soft = -1;
+
                                } else {
-                                       char    *next = NULL;
+                                       int     soft;
 
-                                       limit->lms_t_soft = 
-                                               strtol( arg, &next, 10 );
-                                       if ( next == arg || limit->lms_t_soft < -1 ) {
+                                       if ( lutil_atoi( &soft, arg ) != 0 || soft < -1 ) {
                                                return( 1 );
                                        }
+
+                                       if ( soft == -1 ) {
+                                               /* FIXME: use "unlimited" instead; issue warning? */
+                                       }
+
+                                       limit->lms_t_soft = soft;
                                }
                                
-                       } else if ( strncasecmp( arg, "hard", STRLENOF( "hard" ) ) == 0 ) {
-                               arg += 4;
-                               if ( arg[0] != '=' ) {
-                                       return( 1 );
-                               }
-                               arg++;
+                       } else if ( strncasecmp( arg, "hard=", STRLENOF( "hard=" ) ) == 0 ) {
+                               arg += STRLENOF( "hard=" );
                                if ( strcasecmp( arg, "soft" ) == 0 ) {
                                        limit->lms_t_hard = 0;
-                               } else if ( strcasecmp( arg, "none" ) == 0 ) {
+
+                               } else if ( strcasecmp( arg, "unlimited" ) == 0 || strcasecmp( arg, "none" ) == 0 ) {
                                        limit->lms_t_hard = -1;
+
                                } else {
-                                       char    *next = NULL;
+                                       int     hard;
 
-                                       limit->lms_t_hard = 
-                                               strtol( arg, &next, 10 );
-                                       if ( next == arg || limit->lms_t_hard < -1 ) {
+                                       if ( lutil_atoi( &hard, arg ) != 0 || hard < -1 ) {
                                                return( 1 );
                                        }
+
+                                       if ( hard == -1 ) {
+                                               /* FIXME: use "unlimited" instead */
+                                       }
+
+                                       if ( hard == 0 ) {
+                                               /* FIXME: use "soft" instead */
+                                       }
+
+                                       limit->lms_t_hard = hard;
                                }
                                
                        } else {
@@ -649,13 +695,13 @@ limits_parse_one(
                        
                } else if ( arg[0] == '=' ) {
                        arg++;
-                       if ( strcasecmp( arg, "none" ) == 0 ) {
+                       if ( strcasecmp( arg, "unlimited" ) == 0 || strcasecmp( arg, "none" ) == 0 ) {
                                limit->lms_t_soft = -1;
-                       } else {
-                               char    *next = NULL;
 
-                               limit->lms_t_soft = strtol( arg, &next, 10 );
-                               if ( next == arg || limit->lms_t_soft < -1 ) {
+                       } else {
+                               if ( lutil_atoi( &limit->lms_t_soft, arg ) != 0 
+                                       || limit->lms_t_soft < -1 )
+                               {
                                        return( 1 );
                                }
                        }
@@ -666,64 +712,75 @@ limits_parse_one(
                }
 
        } else if ( strncasecmp( arg, "size", STRLENOF( "size" ) ) == 0 ) {
-               arg += 4;
+               arg += STRLENOF( "size" );
                
                if ( arg[0] == '.' ) {
                        arg++;
-                       if ( strncasecmp( arg, "soft", STRLENOF( "soft" ) ) == 0 ) {
-                               arg += 4;
-                               if ( arg[0] != '=' ) {
-                                       return( 1 );
-                               }
-                               arg++;
-                               if ( strcasecmp( arg, "none" ) == 0 ) {
+                       if ( strncasecmp( arg, "soft=", STRLENOF( "soft=" ) ) == 0 ) {
+                               arg += STRLENOF( "soft=" );
+                               if ( strcasecmp( arg, "unlimited" ) == 0 || strcasecmp( arg, "none" ) == 0 ) {
                                        limit->lms_s_soft = -1;
+
                                } else {
-                                       char    *next = NULL;
+                                       int     soft;
 
-                                       limit->lms_s_soft = 
-                                               strtol( arg, &next, 10 );
-                                       if ( next == arg || limit->lms_s_soft < -1 ) {
+                                       if ( lutil_atoi( &soft, arg ) != 0 || soft < -1 ) {
                                                return( 1 );
                                        }
+
+                                       if ( soft == -1 ) {
+                                               /* FIXME: use "unlimited" instead */
+                                       }
+
+                                       limit->lms_s_soft = soft;
                                }
                                
-                       } else if ( strncasecmp( arg, "hard", STRLENOF( "hard" ) ) == 0 ) {
-                               arg += 4;
-                               if ( arg[0] != '=' ) {
-                                       return( 1 );
-                               }
-                               arg++;
+                       } else if ( strncasecmp( arg, "hard=", STRLENOF( "hard=" ) ) == 0 ) {
+                               arg += STRLENOF( "hard=" );
                                if ( strcasecmp( arg, "soft" ) == 0 ) {
                                        limit->lms_s_hard = 0;
-                               } else if ( strcasecmp( arg, "none" ) == 0 ) {
+
+                               } else if ( strcasecmp( arg, "unlimited" ) == 0 || strcasecmp( arg, "none" ) == 0 ) {
                                        limit->lms_s_hard = -1;
+
                                } else {
-                                       char    *next = NULL;
+                                       int     hard;
 
-                                       limit->lms_s_hard = 
-                                               strtol( arg, &next, 10 );
-                                       if ( next == arg || limit->lms_s_hard < -1 ) {
+                                       if ( lutil_atoi( &hard, arg ) != 0 || hard < -1 ) {
                                                return( 1 );
                                        }
+
+                                       if ( hard == -1 ) {
+                                               /* FIXME: use "unlimited" instead */
+                                       }
+
+                                       if ( hard == 0 ) {
+                                               /* FIXME: use "soft" instead */
+                                       }
+
+                                       limit->lms_s_hard = hard;
                                }
                                
-                       } else if ( strncasecmp( arg, "unchecked", STRLENOF( "unchecked" ) ) == 0 ) {
-                               arg += 9;
-                               if ( arg[0] != '=' ) {
-                                       return( 1 );
-                               }
-                               arg++;
-                               if ( strcasecmp( arg, "none" ) == 0 ) {
+                       } else if ( strncasecmp( arg, "unchecked=", STRLENOF( "unchecked=" ) ) == 0 ) {
+                               arg += STRLENOF( "unchecked=" );
+                               if ( strcasecmp( arg, "unlimited" ) == 0 || strcasecmp( arg, "none" ) == 0 ) {
                                        limit->lms_s_unchecked = -1;
+
+                               } else if ( strcasecmp( arg, "disabled" ) == 0 ) {
+                                       limit->lms_s_unchecked = 0;
+
                                } else {
-                                       char    *next = NULL;
+                                       int     unchecked;
 
-                                       limit->lms_s_unchecked = 
-                                               strtol( arg, &next, 10 );
-                                       if ( next == arg || limit->lms_s_unchecked < -1 ) {
+                                       if ( lutil_atoi( &unchecked, arg ) != 0 || unchecked < -1 ) {
                                                return( 1 );
                                        }
+
+                                       if ( unchecked == -1 ) {
+                                               /*  FIXME: use "unlimited" instead */
+                                       }
+
+                                       limit->lms_s_unchecked = unchecked;
                                }
 
                        } else if ( strncasecmp( arg, "pr=", STRLENOF( "pr=" ) ) == 0 ) {
@@ -731,24 +788,51 @@ limits_parse_one(
                                if ( strcasecmp( arg, "noEstimate" ) == 0 ) {
                                        limit->lms_s_pr_hide = 1;
 
+                               } else if ( strcasecmp( arg, "unlimited" ) == 0 || strcasecmp( arg, "none" ) == 0 ) {
+                                       limit->lms_s_pr = -1;
+
                                } else {
-                                       char    *next = NULL;
+                                       int     pr;
 
-                                       limit->lms_s_pr = 
-                                               strtol( arg, &next, 10 );
-                                       if ( next == arg || limit->lms_s_pr < -1 ) {
+                                       if ( lutil_atoi( &pr, arg ) != 0 || pr < -1 ) {
                                                return( 1 );
                                        }
+
+                                       if ( pr == -1 ) {
+                                               /* FIXME: use "unlimited" instead */
+                                       }
+
+                                       limit->lms_s_pr = pr;
                                }
 
                        } else if ( strncasecmp( arg, "prtotal=", STRLENOF( "prtotal=" ) ) == 0 ) {
-                               char    *next = NULL;
-
                                arg += STRLENOF( "prtotal=" );
 
-                               limit->lms_s_pr_total = strtol( arg, &next, 10 );
-                               if ( next == arg || limit->lms_s_pr_total < -1 ) {
-                                       return( 1 );
+                               if ( strcasecmp( arg, "unlimited" ) == 0 || strcasecmp( arg, "none" ) == 0 ) {
+                                       limit->lms_s_pr_total = -1;
+
+                               } else if ( strcasecmp( arg, "disabled" ) == 0 ) {
+                                       limit->lms_s_pr_total = -2;
+
+                               } else if ( strcasecmp( arg, "hard" ) == 0 ) {
+                                       limit->lms_s_pr_total = 0;
+
+                               } else {
+                                       int     total;
+
+                                       if ( lutil_atoi( &total, arg ) != 0 || total < -1 ) {
+                                               return( 1 );
+                                       }
+
+                                       if ( total == -1 ) {
+                                               /* FIXME: use "unlimited" instead */
+                                       }
+
+                                       if ( total == 0 ) {
+                                               /* FIXME: use "pr=disable" instead */
+                                       }
+
+                                       limit->lms_s_pr_total = total;
                                }
 
                        } else {
@@ -757,13 +841,13 @@ limits_parse_one(
                        
                } else if ( arg[0] == '=' ) {
                        arg++;
-                       if ( strcasecmp( arg, "none" ) == 0 ) {
+                       if ( strcasecmp( arg, "unlimited" ) == 0 || strcasecmp( arg, "none" ) == 0 ) {
                                limit->lms_s_soft = -1;
-                       } else {
-                               char    *next = NULL;
 
-                               limit->lms_s_soft = strtol( arg, &next, 10 );
-                               if ( next == arg || limit->lms_s_soft < -1 ) {
+                       } else {
+                               if ( lutil_atoi( &limit->lms_s_soft, arg ) != 0
+                                       || limit->lms_s_soft < -1 )
+                               {
                                        return( 1 );
                                }
                        }
@@ -777,25 +861,209 @@ limits_parse_one(
        return 0;
 }
 
+static const char *lmpats[] = {
+       "base",
+       "base",
+       "onelevel",
+       "subtree",
+       "children",
+       "regex",
+       "anonymous",
+       "users",
+       "*"
+};
+
+/* Caller must provide an adequately sized buffer in bv */
+void
+limits_unparse( struct slap_limits *lim, struct berval *bv )
+{
+       struct berval btmp;
+       char *ptr;
+       int lm;
+
+       if ( !bv || !bv->bv_val ) return;
+
+       ptr = bv->bv_val;
+
+       if (( lim->lm_flags & SLAP_LIMITS_TYPE_MASK ) == SLAP_LIMITS_TYPE_GROUP ) {
+               ptr = lutil_strcopy( ptr, "group/" );
+               ptr = lutil_strcopy( ptr, lim->lm_group_oc->soc_cname.bv_val );
+               *ptr++ = '/';
+               ptr = lutil_strcopy( ptr, lim->lm_group_ad->ad_cname.bv_val );
+               ptr = lutil_strcopy( ptr, "=\"" );
+               ptr = lutil_strcopy( ptr, lim->lm_pat.bv_val );
+               *ptr++ = '"';
+       } else {
+               lm = lim->lm_flags & SLAP_LIMITS_MASK;
+               switch( lm ) {
+               case SLAP_LIMITS_ANONYMOUS:
+               case SLAP_LIMITS_USERS:
+               case SLAP_LIMITS_ANY:
+                       ptr = lutil_strcopy( ptr, lmpats[lm] );
+                       break;
+               case SLAP_LIMITS_UNDEFINED:
+               case SLAP_LIMITS_EXACT:
+               case SLAP_LIMITS_ONE:
+               case SLAP_LIMITS_SUBTREE:
+               case SLAP_LIMITS_CHILDREN:
+               case SLAP_LIMITS_REGEX:
+                       ptr = lutil_strcopy( ptr, "dn." );
+                       ptr = lutil_strcopy( ptr, lmpats[lm] );
+                       *ptr++ = '=';
+                       *ptr++ = '"';
+                       ptr = lutil_strcopy( ptr, lim->lm_pat.bv_val );
+                       *ptr++ = '"';
+                       break;
+               }
+       }
+       *ptr++ = ' ';
+       bv->bv_len = ptr - bv->bv_val;
+       btmp.bv_val = ptr;
+       btmp.bv_len = 0;
+       limits_unparse_one( &lim->lm_limits, SLAP_LIMIT_SIZE|SLAP_LIMIT_TIME, &btmp );
+       bv->bv_len += btmp.bv_len;
+}
+
+/* Caller must provide an adequately sized buffer in bv */
+void
+limits_unparse_one( struct slap_limits_set *lim, int which, struct berval *bv )
+{
+       char *ptr;
+
+       if ( !bv || !bv->bv_val ) return;
+
+       ptr = bv->bv_val;
+
+       if ( which & SLAP_LIMIT_SIZE ) {
+               if ( lim->lms_s_soft != SLAPD_DEFAULT_SIZELIMIT ) {
+
+                       /* If same as global limit, drop it */
+                       if ( lim != &frontendDB->be_def_limit &&
+                               lim->lms_s_soft == frontendDB->be_def_limit.lms_s_soft )
+                               goto s_hard;
+                       /* If there's also a hard limit, fully qualify this one */
+                       else if ( lim->lms_s_hard )
+                               ptr = lutil_strcopy( ptr, " size.soft=" );
+
+                       /* If doing both size & time, qualify this */
+                       else if ( which & SLAP_LIMIT_TIME )
+                               ptr = lutil_strcopy( ptr, " size=" );
+
+                       if ( lim->lms_s_soft == -1 )
+                               ptr = lutil_strcopy( ptr, "unlimited" );
+                       else
+                               ptr += sprintf( ptr, "%d", lim->lms_s_soft );
+                       *ptr++ = ' ';
+               }
+s_hard:
+               if ( lim->lms_s_hard ) {
+                       ptr = lutil_strcopy( ptr, " size.hard=" );
+                       if ( lim->lms_s_hard == -1 )
+                               ptr = lutil_strcopy( ptr, "unlimited" );
+                       else
+                               ptr += sprintf( ptr, "%d", lim->lms_s_hard );
+                       *ptr++ = ' ';
+               }
+               if ( lim->lms_s_unchecked != -1 ) {
+                       ptr = lutil_strcopy( ptr, " size.unchecked=" );
+                       if ( lim->lms_s_unchecked == 0 )
+                               ptr = lutil_strcopy( ptr, "disabled" );
+                       else
+                               ptr += sprintf( ptr, "%d", lim->lms_s_unchecked );
+                       *ptr++ = ' ';
+               }
+               if ( lim->lms_s_pr_hide ) {
+                       ptr = lutil_strcopy( ptr, " size.pr=noEstimate " );
+               }
+               if ( lim->lms_s_pr ) {
+                       ptr = lutil_strcopy( ptr, " size.pr=" );
+                       if ( lim->lms_s_pr == -1 )
+                               ptr = lutil_strcopy( ptr, "unlimited" );
+                       else
+                               ptr += sprintf( ptr, "%d", lim->lms_s_pr );
+                       *ptr++ = ' ';
+               }
+               if ( lim->lms_s_pr_total ) {
+                       ptr = lutil_strcopy( ptr, " size.prtotal=" );
+                       if ( lim->lms_s_pr_total == -1 )
+                               ptr = lutil_strcopy( ptr, "unlimited" );
+                       else if ( lim->lms_s_pr_total == -2 )
+                               ptr = lutil_strcopy( ptr, "disabled" );
+                       else 
+                               ptr += sprintf( ptr, "%d", lim->lms_s_pr_total );
+                       *ptr++ = ' ';
+               }
+       }
+       if ( which & SLAP_LIMIT_TIME ) {
+               if ( lim->lms_t_soft != SLAPD_DEFAULT_TIMELIMIT ) {
+
+                       /* If same as global limit, drop it */
+                       if ( lim != &frontendDB->be_def_limit &&
+                               lim->lms_t_soft == frontendDB->be_def_limit.lms_t_soft )
+                               goto t_hard;
+
+                       /* If there's also a hard limit, fully qualify this one */
+                       else if ( lim->lms_t_hard ) 
+                               ptr = lutil_strcopy( ptr, " time.soft=" );
+
+                       /* If doing both size & time, qualify this */
+                       else if ( which & SLAP_LIMIT_SIZE )
+                               ptr = lutil_strcopy( ptr, " time=" );
+
+                       if ( lim->lms_t_soft == -1 )
+                               ptr = lutil_strcopy( ptr, "unlimited" );
+                       else
+                               ptr += sprintf( ptr, "%d", lim->lms_t_soft );
+                       *ptr++ = ' ';
+               }
+t_hard:
+               if ( lim->lms_t_hard ) {
+                       ptr = lutil_strcopy( ptr, " time.hard=" );
+                       if ( lim->lms_t_hard == -1 )
+                               ptr = lutil_strcopy( ptr, "unlimited" );
+                       else
+                               ptr += sprintf( ptr, "%d", lim->lms_t_hard );
+                       *ptr++ = ' ';
+               }
+       }
+       if ( ptr != bv->bv_val ) {
+               ptr--;
+               *ptr = '\0';
+               bv->bv_len = ptr - bv->bv_val;
+       }
+}
 
 int
 limits_check( Operation *op, SlapReply *rs )
 {
-       assert( op );
-       assert( rs );
+       assert( op != NULL );
+       assert( rs != NULL );
        /* FIXME: should this be always true? */
        assert( op->o_tag == LDAP_REQ_SEARCH);
-       
+
+       /* protocol only allows 0..maxInt;
+        *
+        * internal searches:
+        * - may use SLAP_NO_LIMIT ( = -1 ) to indicate no limits;
+        * - should use slimit = N and tlimit = SLAP_NO_LIMIT to
+        *   indicate searches that should return exactly N matches,
+        *   and handle errors thru a callback (see for instance
+        *   slap_sasl_match() and slap_sasl2dn())
+        */
+       if ( op->ors_tlimit == SLAP_NO_LIMIT && op->ors_slimit == SLAP_NO_LIMIT ) {
+               return 0;
+       }
+
        /* allow root to set no limit */
        if ( be_isroot( op ) ) {
                op->ors_limit = NULL;
 
                if ( op->ors_tlimit == 0 ) {
-                       op->ors_tlimit = -1;
+                       op->ors_tlimit = SLAP_NO_LIMIT;
                }
 
                if ( op->ors_slimit == 0 ) {
-                       op->ors_slimit = -1;
+                       op->ors_slimit = SLAP_NO_LIMIT;
                }
 
        /* if not root, get appropriate limits */
@@ -805,56 +1073,247 @@ limits_check( Operation *op, SlapReply *rs )
                assert( op->ors_limit != NULL );
 
                /* if no limit is required, use soft limit */
-               if ( op->ors_tlimit <= 0 ) {
+               if ( op->ors_tlimit == 0 ) {
                        op->ors_tlimit = op->ors_limit->lms_t_soft;
 
-               /* if requested limit higher than hard limit, abort */
-               } else if ( op->ors_tlimit > op->ors_limit->lms_t_hard ) {
-                       /* no hard limit means use soft instead */
-                       if ( op->ors_limit->lms_t_hard == 0
-                                       && op->ors_limit->lms_t_soft > -1
-                                       && op->ors_tlimit > op->ors_limit->lms_t_soft ) {
-                               op->ors_tlimit = op->ors_limit->lms_t_soft;
+               /* limit required: check if legal */
+               } else {
+                       if ( op->ors_limit->lms_t_hard == 0 ) {
+                               if ( op->ors_limit->lms_t_soft > 0
+                                               && ( op->ors_tlimit > op->ors_limit->lms_t_soft ) ) {
+                                       op->ors_tlimit = op->ors_limit->lms_t_soft;
+                               }
 
-                       /* positive hard limit means abort */
                        } else if ( op->ors_limit->lms_t_hard > 0 ) {
+#ifdef ABOVE_HARD_LIMIT_IS_ERROR
+                               if ( op->ors_tlimit == SLAP_MAX_LIMIT ) {
+                                       op->ors_tlimit = op->ors_limit->lms_t_hard;
+
+                               } else if ( op->ors_tlimit > op->ors_limit->lms_t_hard ) {
+                                       /* error if exceeding hard limit */
+                                       rs->sr_err = LDAP_ADMINLIMIT_EXCEEDED;
+                                       send_ldap_result( op, rs );
+                                       rs->sr_err = LDAP_SUCCESS;
+                                       return -1;
+                               }
+#else /* ! ABOVE_HARD_LIMIT_IS_ERROR */
+                               if ( op->ors_tlimit > op->ors_limit->lms_t_hard ) {
+                                       op->ors_tlimit = op->ors_limit->lms_t_hard;
+                               }
+#endif /* ! ABOVE_HARD_LIMIT_IS_ERROR */
+                       }
+               }
+
+               /* else leave as is */
+
+               /* don't even get to backend if candidate check is disabled */
+               if ( op->ors_limit->lms_s_unchecked == 0 ) {
+                       rs->sr_err = LDAP_ADMINLIMIT_EXCEEDED;
+                       send_ldap_result( op, rs );
+                       rs->sr_err = LDAP_SUCCESS;
+                       return -1;
+               }
+
+               /* if paged results is requested */     
+               if ( get_pagedresults( op ) > SLAP_CONTROL_IGNORED ) {
+                       int     slimit = -2;
+                       int     pr_total;
+                       PagedResultsState *ps = op->o_pagedresults_state;
+
+                       /* paged results is not allowed */
+                       if ( op->ors_limit->lms_s_pr_total == -2 ) {
                                rs->sr_err = LDAP_ADMINLIMIT_EXCEEDED;
+                               rs->sr_text = "pagedResults control not allowed";
                                send_ldap_result( op, rs );
                                rs->sr_err = LDAP_SUCCESS;
+                               rs->sr_text = NULL;
                                return -1;
                        }
-       
-                       /* negative hard limit means no limit */
-               }
-       
-               /* if no limit is required, use soft limit */
-               if ( op->ors_slimit <= 0 ) {
-                       if ( get_pagedresults( op ) && op->ors_limit->lms_s_pr != 0 ) {
-                               op->ors_slimit = op->ors_limit->lms_s_pr;
+                       
+                       if ( op->ors_limit->lms_s_pr > 0 && ps->ps_size > op->ors_limit->lms_s_pr ) {
+                               rs->sr_err = LDAP_ADMINLIMIT_EXCEEDED;
+                               rs->sr_text = "illegal pagedResults page size";
+                               send_ldap_result( op, rs );
+                               rs->sr_err = LDAP_SUCCESS;
+                               rs->sr_text = NULL;
+                               return -1;
+                       }
+
+                       if ( op->ors_limit->lms_s_pr_total == 0 ) {
+                               if ( op->ors_limit->lms_s_hard == 0 ) {
+                                       pr_total = op->ors_limit->lms_s_soft;
+                               } else {
+                                       pr_total = op->ors_limit->lms_s_hard;
+                               }
                        } else {
-                               op->ors_slimit = op->ors_limit->lms_s_soft;
+                               pr_total = op->ors_limit->lms_s_pr_total;
                        }
 
-               /* if requested limit higher than hard limit, abort */
-               } else if ( op->ors_slimit > op->ors_limit->lms_s_hard ) {
-                       /* no hard limit means use soft instead */
-                       if ( op->ors_limit->lms_s_hard == 0
-                                       && op->ors_limit->lms_s_soft > -1
-                                       && op->ors_slimit > op->ors_limit->lms_s_soft ) {
-                               op->ors_slimit = op->ors_limit->lms_s_soft;
+                       if ( pr_total == -1 ) {
+                               if ( op->ors_slimit == 0 || op->ors_slimit == SLAP_MAX_LIMIT ) {
+                                       slimit = -1;
 
-                       /* positive hard limit means abort */
-                       } else if ( op->ors_limit->lms_s_hard > 0 ) {
+                               } else {
+                                       slimit = op->ors_slimit - ps->ps_count;
+                               }
+
+#ifdef ABOVE_HARD_LIMIT_IS_ERROR
+                       } else if ( pr_total > 0 && op->ors_slimit != SLAP_MAX_LIMIT
+                                       && ( op->ors_slimit == SLAP_NO_LIMIT || op->ors_slimit > pr_total ) )
+                       {
                                rs->sr_err = LDAP_ADMINLIMIT_EXCEEDED;
                                send_ldap_result( op, rs );
-                               rs->sr_err = LDAP_SUCCESS;      
+                               rs->sr_err = LDAP_SUCCESS;
                                return -1;
+#endif /* ! ABOVE_HARD_LIMIT_IS_ERROR */
+       
+                       } else {
+                               /* if no limit is required, use soft limit */
+                               int     total;
+                               int     slimit2;
+
+                               /* first round of pagedResults: set count to any appropriate limit */
+
+                               /* if the limit is set, check that it does not violate any server-side limit */
+#ifdef ABOVE_HARD_LIMIT_IS_ERROR
+                               if ( op->ors_slimit == SLAP_MAX_LIMIT ) {
+                                       slimit2 = op->ors_slimit = pr_total;
+#else /* ! ABOVE_HARD_LIMIT_IS_ERROR */
+                               if ( op->ors_slimit == SLAP_MAX_LIMIT || op->ors_slimit > pr_total ) {
+                                       slimit2 = op->ors_slimit = pr_total;
+#endif /* ! ABOVE_HARD_LIMIT_IS_ERROR */
+
+                               } else if ( op->ors_slimit == 0 ) {
+                                       slimit2 = pr_total;
+
+                               } else {
+                                       slimit2 = op->ors_slimit;
+                               }
+
+                               total = slimit2 - ps->ps_count;
+
+                               if ( total >= 0 ) {
+                                       if ( op->ors_limit->lms_s_pr > 0 ) {
+                                               /* use the smallest limit set by total/per page */
+                                               if ( total < op->ors_limit->lms_s_pr ) {
+                                                       slimit = total;
+       
+                                               } else {
+                                                       /* use the perpage limit if any 
+                                                        * NOTE: + 1 because the given value must be legal */
+                                                       slimit = op->ors_limit->lms_s_pr + 1;
+                                               }
+
+                                       } else {
+                                               /* use the total limit if any */
+                                               slimit = total;
+                                       }
+
+                               } else if ( op->ors_limit->lms_s_pr > 0 ) {
+                                       /* use the perpage limit if any 
+                                        * NOTE: + 1 because the given value must be legal */
+                                       slimit = op->ors_limit->lms_s_pr + 1;
+
+                               } else {
+                                       /* use the standard hard/soft limit if any */
+                                       slimit = op->ors_limit->lms_s_hard;
+                               }
                        }
                
-                       /* negative hard limit means no limit */
+                       /* if got any limit, use it */
+                       if ( slimit != -2 ) {
+                               if ( op->ors_slimit == 0 ) {
+                                       op->ors_slimit = slimit;
+
+                               } else if ( slimit > 0 ) {
+                                       if ( op->ors_slimit - ps->ps_count > slimit ) {
+                                               rs->sr_err = LDAP_ADMINLIMIT_EXCEEDED;
+                                               send_ldap_result( op, rs );
+                                               rs->sr_err = LDAP_SUCCESS;
+                                               return -1;
+                                       }
+                                       op->ors_slimit = slimit;
+
+                               } else if ( slimit == 0 ) {
+                                       op->ors_slimit = 0;
+                               }
+
+                       } else {
+                               /* use the standard hard/soft limit if any */
+                               op->ors_slimit = pr_total;
+                       }
+
+               /* no limit requested: use soft, whatever it is */
+               } else if ( op->ors_slimit == 0 ) {
+                       op->ors_slimit = op->ors_limit->lms_s_soft;
+
+               /* limit requested: check if legal */
+               } else {
+                       /* hard limit as soft (traditional behavior) */
+                       if ( op->ors_limit->lms_s_hard == 0 ) {
+                               if ( op->ors_limit->lms_s_soft > 0
+                                               && op->ors_slimit > op->ors_limit->lms_s_soft ) {
+                                       op->ors_slimit = op->ors_limit->lms_s_soft;
+                               }
+
+                       /* explicit hard limit: error if violated */
+                       } else if ( op->ors_limit->lms_s_hard > 0 ) {
+#ifdef ABOVE_HARD_LIMIT_IS_ERROR
+                               if ( op->ors_slimit == SLAP_MAX_LIMIT ) {
+                                       op->ors_slimit = op->ors_limit->lms_s_hard;
+
+                               } else if ( op->ors_slimit > op->ors_limit->lms_s_hard ) {
+                                       /* if limit exceeds hard, error */
+                                       rs->sr_err = LDAP_ADMINLIMIT_EXCEEDED;
+                                       send_ldap_result( op, rs );
+                                       rs->sr_err = LDAP_SUCCESS;
+                                       return -1;
+                               }
+#else /* ! ABOVE_HARD_LIMIT_IS_ERROR */
+                               if ( op->ors_slimit > op->ors_limit->lms_s_hard ) {
+                                       op->ors_slimit = op->ors_limit->lms_s_hard;
+                               }
+#endif /* ! ABOVE_HARD_LIMIT_IS_ERROR */
+                       }
                }
+
+               /* else leave as is */
        }
 
        return 0;
 }
 
+void
+limits_destroy( 
+       struct slap_limits      **lm )
+{
+       int             i;
+
+       if ( lm == NULL ) {
+               return;
+       }
+
+       for ( i = 0; lm[ i ]; i++ ) {
+               switch ( lm[ i ]->lm_flags & SLAP_LIMITS_MASK ) {
+               case SLAP_LIMITS_REGEX:
+                       regfree( &lm[ i ]->lm_regex );
+                       break;
+
+               case SLAP_LIMITS_EXACT:
+               case SLAP_LIMITS_ONE:
+               case SLAP_LIMITS_SUBTREE:
+               case SLAP_LIMITS_CHILDREN:
+                       if ( !BER_BVISNULL( &lm[ i ]->lm_pat ) ) {
+                               ch_free( lm[ i ]->lm_pat.bv_val );
+                       }
+                       break;
+
+               default:
+                       break;
+               }
+
+               ch_free( lm[ i ] );
+       }
+
+       ch_free( lm );
+}
Cloned from git://git.openldap.org/openldap.git