From 6eb6e4b521357fa28ed85ad58c7ecd6bd26a7a32 Mon Sep 17 00:00:00 2001
From: Nathan Kinder
Date: Mon, 5 Oct 2009 15:34:12 -0700
Subject: Allow anonymous bind resource limits to be set.

This patch adds a new config setting named nsslapd-anonlimitsdn that one can set to the DN of an entry containing the bind-based resource limit attributes to use for operations performed by an anonymous user. This allows the defaults to still be used for all other actual bound users who do not have any user specific resource settings. This implementation approach allows any resource limits that are registered via the reslimit API to work with this anonymous limits template entry.
---
 ldap/servers/slapd/libglobs.c | 34 ++++++++++++++++++++++++++++++++++
 ldap/servers/slapd/pblock.c | 18 +++++++++++++++---
 ldap/servers/slapd/proto-slap.h | 2 ++
 ldap/servers/slapd/slap.h | 2 ++
 4 files changed, 53 insertions(+), 3 deletions(-)

diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index cd7bb5dc..3726dfd7 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -496,6 +496,9 @@ static struct config_get_and_set {
 NULL, 0,
 (void**)&global_slapdFrontendConfig.ldapi_auto_dn_suffix, CONFIG_STRING, NULL},
 #endif
+ {CONFIG_ANON_LIMITS_DN_ATTRIBUTE, config_set_anon_limits_dn,
+ NULL, 0,
+ (void**)&global_slapdFrontendConfig.anon_limits_dn, CONFIG_STRING, NULL},
 {CONFIG_SLAPI_COUNTER_ATTRIBUTE, config_set_slapi_counters,
 NULL, 0,
 (void**)&global_slapdFrontendConfig.slapi_counters, CONFIG_ON_OFF,
@@ -906,6 +909,7 @@ FrontendConfig_init () {
 cfg->versionstring = SLAPD_VERSION_STR;
 cfg->sizelimit = SLAPD_DEFAULT_SIZELIMIT;
 cfg->timelimit = SLAPD_DEFAULT_TIMELIMIT;
+ cfg->anon_limits_dn = slapi_ch_strdup("");
 cfg->schemacheck = LDAP_ON;
 cfg->syntaxcheck = LDAP_OFF;
 cfg->syntaxlogging = LDAP_OFF;
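Review bot: The empty string assigned in FrontendConfig_init doubles as the "no anonymous template" sentinel — the new branch in bind_credentials_set_nolock only applies the template when strlen(anon_dn) > 0 — but nothing at the initialization site says so. Add `cfg->anon_limits_dn = slapi_ch_strdup(""); /* "" = no anonymous limits template; see bind_credentials_set_nolock() */`. Whether an operator can return to this unset state later depends on what config_value_is_null does with an empty value given its last argument of 0, which is not visible in this patch; a comment at the setter stating the intended way to clear the setting would close that gap.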
@@ -1434,6 +1438,25 @@ int config_set_ldapi_auto_dn_suffix( const char *attrname, char *value, char *er
 }
 #endif
+int config_set_anon_limits_dn( const char *attrname, char *value, char *errorbuf, int apply )
+{
+ int retVal = LDAP_SUCCESS;
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+ if ( config_value_is_null( attrname, value, errorbuf, 0 )) {
+ return LDAP_OPERATIONS_ERROR;
+ }
+
+ if ( apply) {
+ CFG_LOCK_WRITE(slapdFrontendConfig);
+
+ slapi_ch_free ( (void **) &(slapdFrontendConfig->anon_limits_dn) );
+ slapdFrontendConfig->anon_limits_dn = slapi_ch_strdup ( value );
+ CFG_UNLOCK_WRITE(slapdFrontendConfig);
+ }
+ return retVal;
+}
+
 /*
 * Set nsslapd-counters: on | off to the internal config variable slapi_counters.
 * If set to off, slapi_counters is not initialized and the counters are not
@@ -3539,6 +3562,17 @@ char *config_get_ldapi_auto_dn_suffix(){
 }
 #endif
+
+char *config_get_anon_limits_dn(){
+ char *retVal;
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+ CFG_LOCK_READ(slapdFrontendConfig);
+ retVal = slapi_ch_strdup(slapdFrontendConfig->anon_limits_dn);
+ CFG_UNLOCK_READ(slapdFrontendConfig);
+
+ return retVal;
+}
+
 int config_get_slapi_counters()
 {
 int retVal;
diff --git a/ldap/servers/slapd/pblock.c b/ldap/servers/slapd/pblock.c
index 21195ea3..da6ed8d8 100644
--- a/ldap/servers/slapd/pblock.c
+++ b/ldap/servers/slapd/pblock.c
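Review bot: config_set_anon_limits_dn stores the raw value after only the NULL check, with no test that it parses as a DN, so a mistyped nsslapd-anonlimitsdn is accepted and the lookup in bind_credentials_set_nolock then quietly resolves nothing — anonymous connections end up with whatever reslimit_update_from_dn applies for a missing entry (not visible here) while the operator believes the template is in force. Rejecting a value that does not parse as a DN here, with the reason written to errorbuf, would surface the misconfiguration at the point it is made; failing that, a warning at startup when the configured entry cannot be read. As a point of style, `retVal` is only ever LDAP_SUCCESS, so `return LDAP_SUCCESS;` at the end lets the local go. A one-line header comment noting that the string is copied, owned and freed by the frontend config, and that "" means no template, would match the neighbouring setters.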
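Review bot: config_get_anon_limits_dn hands back a heap copy made under the config read lock, so ownership passes to the caller, but the definition carries no comment saying it must be released with slapi_ch_free_string(); the one caller in this patch does free it, later callers will not know to. Add `/* Returns a copy of nsslapd-anonlimitsdn ("" if unset); caller frees with slapi_ch_free_string(). */` above the definition, in the style of the neighbouring getters.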
@@ -3093,14 +3093,26 @@ bind_credentials_set_nolock( Connection *conn, char *authtype, char *normdn,
 if ( conn->c_dn != NULL ) {
 if ( bind_target_entry == NULL ) {
- Slapi_DN *sdn;
+ Slapi_DN *sdn;
 sdn = slapi_sdn_new_dn_byref( conn->c_dn ); /* set */
 reslimit_update_from_dn( conn, sdn );
 slapi_sdn_free( &sdn );
- }
- else
+ } else {
 reslimit_update_from_entry( conn, bind_target_entry );
+ }
+ } else {
+ char *anon_dn = config_get_anon_limits_dn();
+ Slapi_DN *anon_sdn = NULL;
+
+ /* If an anonymous limits dn is set, use it to set the limits. */
+ if (anon_dn && (strlen(anon_dn) > 0)) {
+ anon_sdn = slapi_sdn_new_dn_byref( anon_dn );
+ reslimit_update_from_dn( conn, anon_sdn );
+ slapi_sdn_free( &anon_sdn );
+ }
+
+ slapi_ch_free_string( &anon_dn );
 }
 }
 }
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index 35e5697c..b220bf00 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -255,6 +255,7 @@ int config_set_ldapi_search_base_dn( const char *attrname, char *value, char *er
 #if defined(ENABLE_AUTO_DN_SUFFIX)
 int config_set_ldapi_auto_dn_suffix( const char *attrname, char *value, char *errorbuf, int apply );
 #endif
+int config_set_anon_limits_dn( const char *attrname, char *value, char *errorbuf, int apply );
 int config_set_slapi_counters( const char *attrname, char *value, char *errorbuf, int apply );
 int config_set_srvtab( const char *attrname, char *value, char *errorbuf, int apply );
 int config_set_sizelimit( const char *attrname, char *value, char *errorbuf, int apply );
@@ -379,6 +380,7 @@ char *config_get_ldapi_search_base_dn();
 #if defined(ENABLE_AUTO_DN_SUFFIX)
 char *config_get_ldapi_auto_dn_suffix();
 #endif
+char *config_get_anon_limits_dn();
 int config_get_slapi_counters();
 char *config_get_srvtab();
 int config_get_sizelimit();
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
index ec030bc6..76c8df26 100644
--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
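Review bot: The new else branch runs for every connection whose c_dn is NULL, so each anonymous bind now takes the config read lock, duplicates the DN and, when a template is configured, resolves it through reslimit_update_from_dn — a path any unauthenticated client can drive at will; if reslimit_update_from_dn performs an internal search (its body is not visible here), that per-bind cost is worth measuring or serving from a cached copy of the template. Separately, when the configured entry does not exist the branch gives no indication at all, so a one-time warning when the lookup yields nothing would keep a missing template from being mistaken for enforced limits. The `anon_dn &&` test is harmless but redundant given that the getter always returns a strdup'd string. bind_credentials_set_nolock begins and ends outside the hunk.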
@@ -1743,6 +1743,7 @@ typedef struct _slapdEntryPoints {
 #define CONFIG_LDAPI_GIDNUMBER_TYPE_ATTRIBUTE "nsslapd-ldapigidnumbertype"
 #define CONFIG_LDAPI_SEARCH_BASE_DN_ATTRIBUTE "nsslapd-ldapientrysearchbase"
 #define CONFIG_LDAPI_AUTO_DN_SUFFIX_ATTRIBUTE "nsslapd-ldapiautodnsuffix"
+#define CONFIG_ANON_LIMITS_DN_ATTRIBUTE "nsslapd-anonlimitsdn"
 #define CONFIG_SLAPI_COUNTER_ATTRIBUTE "nsslapd-counters"
 #define CONFIG_SECURITY_ATTRIBUTE "nsslapd-security"
 #define CONFIG_SSL3CIPHERS_ATTRIBUTE "nsslapd-SSL3ciphers"
@@ -2024,6 +2025,7 @@ typedef struct _slapdFrontendConfig {
 int allow_anon_access; /* switch to enable/disable anonymous access */
 int minssf; /* minimum security strength factor (for SASL and SSL/TLS) */
 size_t maxsasliosize; /* limit incoming SASL IO packet size */
+ char *anon_limits_dn; /* template entry for anonymous resource limits */
 #ifndef _WIN32
 struct passwd *localuserinfo; /* userinfo of localuser */
 #endif /* _WIN32 */
-- cgit