authorNathan Kinder <nkinder@redhat.com>2010-05-20 14:08:33 -0700
committerNathan Kinder <nkinder@redhat.com>2010-05-20 14:45:59 -0700
commit55489b8cbf203d18237db8722ebc28b7d415b60e (patch)
tree3921f822006cce0d6cad551a3c029568ef47e958
parentecb1e8a90a6b4ca0cd268b9fc43a9b7e59d646e7 (diff)
Bug 592389 - Set anonymous resource limits properly
The anonymous resource limits were not being properly set. This patch ensures that the limits are set properly when an anonymous or unauthenticated BIND operation is performed. It also sets the anonymous limits when we do a read on a connection that has not yet performed a BIND. These limits will be overwritten with any default or user-based limits once a valid BIND is performed.
-rw-r--r--ldap/servers/slapd/bind.c11
-rw-r--r--ldap/servers/slapd/daemon.c28
2 files changed, 36 insertions, 3 deletions
diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c
index 626494bc..c22d1959 100644
--- a/ldap/servers/slapd/bind.c
+++ b/ldap/servers/slapd/bind.c
@@ -522,6 +522,10 @@ do_bind( Slapi_PBlock *pb )
goto free_and_return;
}
+ /* set the bind credentials so anonymous limits are set */
+ bind_credentials_set( pb->pb_conn, SLAPD_AUTH_NONE,
+ NULL, NULL, NULL, NULL , NULL);
+
/* call preop plugins */
if (plugin_call_plugins( pb, SLAPI_PLUGIN_PRE_BIND_FN ) == 0){
if ( auth_response_requested ) {
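Review bot: The added bind_credentials_set() call resets the connection's authentication state to SLAPD_AUTH_NONE before any SLAPI_PLUGIN_PRE_BIND_FN plugin runs, but the comment only mentions limits; a pre-bind plugin that inspects the connection's current binder will now always see an anonymous connection, which is worth stating explicitly since it is the intended RFC 4511 behaviour (a BindRequest discards prior authentication state) rather than an accident. I would replace the comment with `/* A BindRequest discards the connection's previous authentication state; reset to anonymous now so anonymous limits apply and pre-bind plugins see an unauthenticated connection. */`. Minor style: `NULL , NULL` has a stray space before the comma. do_bind begins before this hunk and continues after it.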
@@ -698,6 +702,9 @@ do_bind( Slapi_PBlock *pb )
authtype = SLAPD_AUTH_OS;
}
#endif /* ENABLE_AUTOBIND */
+ else {
+ authtype = SLAPD_AUTH_NONE;
+ }
break;
case LDAP_AUTH_SASL:
/* authtype = SLAPD_AUTH_SASL && saslmech: */
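Review bot: The new `else` is written immediately after `#endif /* ENABLE_AUTOBIND */`, so which `if` it pairs with depends on whether ENABLE_AUTOBIND is defined; the preceding condition is outside the hunk, so this cannot be confirmed here, but if the only `if` in that chain lives inside the `#ifdef`, a build without ENABLE_AUTOBIND would either fail to compile or bind the `else` to an unrelated condition. A more robust shape is to drop the trailing `else` and set the default before the chain, `authtype = SLAPD_AUTH_NONE;` ahead of the `#ifdef`, letting the autobind branch overwrite it with SLAPD_AUTH_OS. do_bind begins before this hunk and continues after it.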
@@ -719,6 +726,10 @@ do_bind( Slapi_PBlock *pb )
slapi_sdn_get_ndn(&sdn));
}
} else { /* anonymous */
+ /* set bind creds here so anonymous limits are set */
+ bind_credentials_set( pb->pb_conn, authtype, NULL,
+ NULL, NULL, NULL, NULL );
+
if ( auth_response_requested ) {
slapi_add_auth_response_control( pb,
"" );
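Review bot: The bind_credentials_set() call in the anonymous branch looks redundant with the unconditional reset to SLAPD_AUTH_NONE earlier in do_bind (visible in the first hunk), since `authtype` here is SLAPD_AUTH_NONE for the simple anonymous case; unless a pre-bind plugin can alter the connection's credentials in between, one of the two calls can go. If both are intentional, the comment should say why, e.g. `/* re-apply anonymous credentials: a pre-bind plugin may have changed them */`, so the next reader does not remove it as dead code. do_bind begins before this hunk and continues after it.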
diff --git a/ldap/servers/slapd/daemon.c b/ldap/servers/slapd/daemon.c
index 672a9a4d..b523138b 100644
--- a/ldap/servers/slapd/daemon.c
+++ b/ldap/servers/slapd/daemon.c
@@ -1300,14 +1300,36 @@ compute_idletimeout( slapdFrontendConfig_t *fecfg, Connection *conn )
if ( slapi_reslimit_get_integer_limit( conn, idletimeout_reslimit_handle,
&idletimeout ) != SLAPI_RESLIMIT_STATUS_SUCCESS ) {
/*
- * no limit associated with binder/connection or some other error
- * occurred. use the default idle timeout.
+ * No limit associated with binder/connection or some other error
+ * occurred. If the user is anonymous and anonymous limits are
+ * set, attempt to set the bind based resource limits. We do this
+ * here since a BIND operation is not required prior to other
+ * operations. We want to set the anonymous limits early on so
+ * that they are put into effect if a BIND is never sent. If
+ * this is not an anonymous user and no bind-based limits are set,
+ * use the default idle timeout.
*/
- if ( conn->c_isroot ) {
+ char *anon_dn = config_get_anon_limits_dn();
+
+ if ((conn->c_dn == NULL) && anon_dn && (strlen(anon_dn) > 0)) {
+ Slapi_DN *anon_sdn = slapi_sdn_new_dn_byref( anon_dn );
+
+ reslimit_update_from_dn( conn, anon_sdn );
+
+ if ( slapi_reslimit_get_integer_limit( conn,
+ idletimeout_reslimit_handle, &idletimeout ) !=
+ SLAPI_RESLIMIT_STATUS_SUCCESS ) {
+ idletimeout = fecfg->idletimeout;
+ }
+
+ slapi_sdn_free( &anon_sdn );
+ } else if ( conn->c_isroot ) {
idletimeout = 0; /* no limit for Directory Manager */
} else {
idletimeout = fecfg->idletimeout;
}
+
+ slapi_ch_free_string( &anon_dn );
}
return( idletimeout );
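Review bot: The anonymous path runs config_get_anon_limits_dn(), slapi_sdn_new_dn_byref() and reslimit_update_from_dn() on every call of compute_idletimeout() for every connection that has not bound, rather than once per connection; if this is called from the daemon's poll loop as the function name suggests, many idle unauthenticated connections could turn each poll iteration into a burst of limit lookups, which is an easy amplification for a client that opens sockets and never binds. A per-connection flag recording that anonymous limits were already applied would keep the lookup to once per connection. The return value of reslimit_update_from_dn() is also discarded, so a failed lookup silently falls to fecfg->idletimeout; logging at debug level there would help diagnose misconfigured nsslapd-anonlimitsdn entries. The function's closing brace is outside the hunk.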