Allow anonymous bind resource limits to be set.

This patch adds a new config setting named nsslapd-anonlimitsdn
that one can set to the DN of an entry containing the bind-based
resource limit attributes to use for operations performed by an
anonymous user.  This allows the defaults to still be used for
all other actual bound users who do not have any user specific
resource settings.

This implementation approach allows any resource limits that
are registered via the reslimit API to work with this anonymous
limits template entry.

1 files changed, 15 insertions, 3 deletions

diff --git a/ldap/servers/slapd/pblock.c b/ldap/servers/slapd/pblock.c
index 21195ea3..da6ed8d8 100644
--- a/ldap/servers/slapd/pblock.c
+++ b/ldap/servers/slapd/pblock.c
@@ -3093,14 +3093,26 @@ bind_credentials_set_nolock( Connection *conn, char *authtype, char *normdn,
 		if ( conn->c_dn != NULL ) {
 			if ( bind_target_entry == NULL )
 			{
-				Slapi_DN	*sdn;
+				Slapi_DN        *sdn;
 
 				sdn = slapi_sdn_new_dn_byref( conn->c_dn );			/* set */
 				reslimit_update_from_dn( conn, sdn );
 				slapi_sdn_free( &sdn );
-			}
-			else
+			} else {
 				reslimit_update_from_entry( conn, bind_target_entry );	
+			}
+		} else {
+			char *anon_dn = config_get_anon_limits_dn();
+			Slapi_DN *anon_sdn = NULL;
+
+			/* If an anonymous limits dn is set, use it to set the limits. */
+			if (anon_dn && (strlen(anon_dn) > 0)) {
+				anon_sdn = slapi_sdn_new_dn_byref( anon_dn );
+				reslimit_update_from_dn( conn, anon_sdn );
+				slapi_sdn_free( &anon_sdn );
+			}
+
+			slapi_ch_free_string( &anon_dn );
 		}
 	}
 }