Allow size and time limits in slapd.conf for anonymous bound search operations

diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
index d765d3cb154c13273aa87c3bba04862e744433c9..f1df9ffb470f8f2213af67f6f2533e6fe24db343 100644 (file)
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@@ -158,7 +158,7 @@ feature.  The default is 0.
 Read additional configuration information from the given file before
 continuing with the next line of the current file.
 .TP
-.B limits [dn[.{exact|regex}]=]<pattern> <limit> [...]
+.B limits [dn[.{exact|regex|anonymous}]=]<pattern> <limit> [...]
 Specify time and size limits based on the distinguished name that
 initiated an operation.
 The argument
@@ -168,7 +168,10 @@ It is a distinguished name in case of
 .BR exact
 match, or an Extended Regex pattern in case of
 .BR regex
-match (the default).
+match (the default). In the case of
+.BR anonymous
+the pattern is ignored and the limits will apply to anonymously
+bound operations.
 The currently supported limits are "size" and "time".
 
 The syntax for time limits is 

diff --git a/servers/slapd/limits.c b/servers/slapd/limits.c
index 614bd2cee733313b6995bb73bc63326d0a018f10..ad647a67185d269ee6518340a896a5add743d737 100644 (file)
--- a/servers/slapd/limits.c
+++ b/servers/slapd/limits.c
@@ -30,16 +30,16 @@ get_limits(
         */
        *limit = &be->be_def_limit;
 
-       /*
-        * anonymous or no regex-based limits? 
-        */
-       if ( be->be_limits == NULL || ndn == NULL || ndn[0] == '\0' ) {
+       if ( be->be_limits == NULL ) {
                return( 0 );
        }
 
        for ( lm = be->be_limits; lm[0] != NULL; lm++ ) {
                switch ( lm[0]->lm_type) {
                case SLAP_LIMITS_EXACT:
+                       if ( ndn == NULL || ndn[0] == '\0' ) {
+                               break;
+                       }
                        if ( strcmp( lm[0]->lm_dn_pat, ndn ) == 0 ) {
                                *limit = &lm[0]->lm_limits;
                                return( 0 );
@@ -47,12 +47,20 @@ get_limits(
                        break;
 
                case SLAP_LIMITS_REGEX:
+                       if ( ndn == NULL || ndn[0] == '\0' ) {
+                               break;
+                       }
                        if ( regexec( &lm[0]->lm_dn_regex, ndn, 0, NULL, 0 ) == 0 ) {
                                *limit = &lm[0]->lm_limits;
                                return( 0 );
                        }
                        break;
-                       
+               case SLAP_LIMITS_ANONYMOUS:
+                       if ( ndn == NULL || ndn[0] == '\0' ) {
+                               *limit = &lm[0]->lm_limits;
+                               return( 0 );
+                       }
+                       break;
                default:
                        assert( 0 );    /* unreachable */
                        return( -1 );
@@ -74,7 +82,6 @@ add_limits(
        struct slap_limits      *lm;
        
        assert( be );
-       assert( pattern );
        assert( limit );
 
        lm = ( struct slap_limits * )ch_calloc( sizeof( struct slap_limits ), 1 );
@@ -100,6 +107,10 @@ add_limits(
                        return( -1 );
                }
                break;
+       case SLAP_LIMITS_ANONYMOUS:
+               lm->lm_type = SLAP_LIMITS_ANONYMOUS;
+               lm->lm_dn_pat = NULL;
+               break;
        }
 
        lm->lm_limits = *limit;
@@ -158,7 +169,7 @@ parse_limits(
         * 
         * <pattern>:
         * 
-        * [ "dn" [ "." { "exact" | "regex" } ] "=" ] <dn pattern>
+        * [ "dn" [ "." { "exact" | "regex" | "anonymous" } ] "=" ] <dn pattern>
         *
         * 
         * <limit>:
@@ -179,20 +190,23 @@ parse_limits(
                        } else if ( strncasecmp( pattern, "regex", 5 ) == 0 ) {
                                type = SLAP_LIMITS_REGEX;
                                pattern += 5;
+                       } else if ( strncasecmp( pattern, "anonymous", 9 ) == 0 ) {
+                               type = SLAP_LIMITS_ANONYMOUS;
+                               pattern = NULL;
                        }
                }
 
-               if ( pattern[0] != '=' ) {
+               if (( type != SLAP_LIMITS_ANONYMOUS ) && ( pattern[0] != '=' )) {
 #ifdef NEW_LOGGING
                        LDAP_LOG(( "config", LDAP_LEVEL_CRIT,
                                "%s : line %d: missing '=' in "
-                               "\"dn[.{exact|regex}]=<pattern>\" in "
+                               "\"dn[.{exact|regex|anonymous}]=<pattern>\" in "
                                "\"limits <pattern> <limits>\" line.\n",
                        fname, lineno ));
 #else
                        Debug( LDAP_DEBUG_ANY,
                                "%s : line %d: missing '=' in "
-                               "\"dn[.{exact|regex}]=<pattern>\" in "
+                               "\"dn[.{exact|regex|anonymous}]=<pattern>\" in "
                                "\"limits <pattern> <limits>\" line.\n%s",
                        fname, lineno, "" );
 #endif

diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
index 9ebe047e77c619e80cb42e009966cd3062dd1bb7..84649445e271b5acb1aaa051b1b886f11b822d7a 100644 (file)
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -856,6 +856,7 @@ struct slap_limits {
 #define SLAP_LIMITS_UNDEFINED  0x0000
 #define SLAP_LIMITS_EXACT      0x0001
 #define SLAP_LIMITS_REGEX      0x0002
+#define SLAP_LIMITS_ANONYMOUS  0x0003
        regex_t lm_dn_regex;    /* regex-based size and time limits */
        char   *lm_dn_pat;      /* ndn for EXACT; pattern for REGEX */
        struct slap_limits_set  lm_limits;