-rw-r--r-- | ldap/servers/slapd/bind.c | 11 | ||||
-rw-r--r-- | ldap/servers/slapd/daemon.c | 28 |
2 files changed, 36 insertions, 3 deletions
diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c
index 626494bc..c22d1959 100644
--- a/ldap/servers/slapd/bind.c
+++ b/ldap/servers/slapd/bind.c
@@ -522,6 +522,10 @@ do_bind( Slapi_PBlock *pb )
 goto free_and_return;
 }
 
+ /* set the bind credentials so anonymous limits are set */
+ bind_credentials_set( pb->pb_conn, SLAPD_AUTH_NONE,
+ NULL, NULL, NULL, NULL , NULL);
+
 /* call preop plugins */
 if (plugin_call_plugins( pb, SLAPI_PLUGIN_PRE_BIND_FN ) == 0){
 if ( auth_response_requested ) {
@@ -698,6 +702,9 @@ do_bind( Slapi_PBlock *pb )
 authtype = SLAPD_AUTH_OS;
 }
 #endif /* ENABLE_AUTOBIND */
+ else {
+ authtype = SLAPD_AUTH_NONE;
+ }
 break;
 case LDAP_AUTH_SASL:
 /* authtype = SLAPD_AUTH_SASL && saslmech: */
@@ -719,6 +726,10 @@ do_bind( Slapi_PBlock *pb )
 slapi_sdn_get_ndn(&sdn));
 }
 } else { /* anonymous */
+ /* set bind creds here so anonymous limits are set */
+ bind_credentials_set( pb->pb_conn, authtype, NULL,
+ NULL, NULL, NULL, NULL );
+
 if ( auth_response_requested ) {
 slapi_add_auth_response_control( pb, "" );
diff --git a/ldap/servers/slapd/daemon.c b/ldap/servers/slapd/daemon.c
index 672a9a4d..b523138b 100644
--- a/ldap/servers/slapd/daemon.c
+++ b/ldap/servers/slapd/daemon.c
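Review bot: The comment on the new `bind_credentials_set( pb->pb_conn, SLAPD_AUTH_NONE, ...)` call in the first hunk only says that anonymous limits get set; the more important property is that it runs before `plugin_call_plugins( pb, SLAPI_PLUGIN_PRE_BIND_FN )`, so a pre-bind plugin that takes over the bind starts from a connection with no residual identity — presumably what passing a NULL dn does here, worth confirming against bind_credentials_set. I would write it as `/* Reset the connection to anonymous before the pre-bind plugins run; this also makes the anonymous resource limits apply. */`. The argument list also has an odd `NULL , NULL);` spacing that the second call in this change does not; make the two calls consistent. do_bind begins above and continues below this hunk.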
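Review bot: The new `else` in the second hunk is placed after `#endif /* ENABLE_AUTOBIND */`, so if the `if` it pairs with lives inside the `#if defined(ENABLE_AUTOBIND)` block (its head is above the hunk and not visible), a build without ENABLE_AUTOBIND gets an `else` with no `if` and fails to compile. Setting the default first makes the result independent of the build flag: put `authtype = SLAPD_AUTH_NONE;` before the `#if`, keep the autobind branch that assigns `SLAPD_AUTH_OS` as it is, and drop the added `else` block. That also makes it explicit that anonymous is the default classification rather than a fall-through. The enclosing `case` starts above the hunk.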
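Review bot: In the third hunk the anonymous branch calls `bind_credentials_set( pb->pb_conn, authtype, NULL, ...)` with whatever `authtype` currently holds, whereas the first hunk hard-codes `SLAPD_AUTH_NONE` for the same purpose. If `authtype` can still be `SLAPD_AUTH_OS` or a SASL value when this `else { /* anonymous */` branch is reached — the assignments are above the hunk, so I cannot tell — the connection would carry no DN but a non-anonymous authtype, an inconsistent state for anything that classifies the binder by authtype. Either pass `SLAPD_AUTH_NONE` explicitly here too, or add a comment stating why `authtype` is guaranteed to be the anonymous value at this point. do_bind continues outside the hunk.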
@@ -1300,14 +1300,36 @@ compute_idletimeout( slapdFrontendConfig_t *fecfg, Connection *conn )
 if ( slapi_reslimit_get_integer_limit( conn, idletimeout_reslimit_handle, &idletimeout ) != SLAPI_RESLIMIT_STATUS_SUCCESS ) {
 /*
- * no limit associated with binder/connection or some other error
- * occurred. use the default idle timeout.
+ * No limit associated with binder/connection or some other error
+ * occurred. If the user is anonymous and anonymous limits are
+ * set, attempt to set the bind based resource limits. We do this
+ * here since a BIND operation is not required prior to other
+ * operations. We want to set the anonymous limits early on so
+ * that they are put into effect if a BIND is never sent. If
+ * this is not an anonymous user and no bind-based limits are set,
+ * use the default idle timeout.
 */
- if ( conn->c_isroot ) {
+ char *anon_dn = config_get_anon_limits_dn();
+
+ if ((conn->c_dn == NULL) && anon_dn && (strlen(anon_dn) > 0)) {
+ Slapi_DN *anon_sdn = slapi_sdn_new_dn_byref( anon_dn );
+
+ reslimit_update_from_dn( conn, anon_sdn );
+
+ if ( slapi_reslimit_get_integer_limit( conn,
+ idletimeout_reslimit_handle, &idletimeout ) !=
+ SLAPI_RESLIMIT_STATUS_SUCCESS ) {
+ idletimeout = fecfg->idletimeout;
+ }
+
+ slapi_sdn_free( &anon_sdn );
+ } else if ( conn->c_isroot ) {
 idletimeout = 0; /* no limit for Directory Manager */
 } else {
 idletimeout = fecfg->idletimeout;
 }
+
+ slapi_ch_free_string( &anon_dn );
 }
 return( idletimeout );
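Review bot: The result of `reslimit_update_from_dn( conn, anon_sdn )` is discarded, so if the configured anonymous-limits DN names an entry that does not exist or carries no idle-timeout attribute, the code silently falls back to `fecfg->idletimeout` and the operator never learns that the anonymous limits were not applied; capture the return value and log the failure once at configuration/error level rather than per connection. Because `conn->c_dn == NULL` holds for every connection that has not bound and the lookup is redone each time this branch is entered, if compute_idletimeout is called more than once per connection (its callers are outside the hunk) every call re-reads the limits entry; consider remembering on the connection that the anonymous limits were already applied. Minor: `strlen(anon_dn) > 0` can simply be `*anon_dn != '\0'`. compute_idletimeout starts above this hunk, and the lines after `return( idletimeout );` appear cut off in this rendering.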