From 4a97ba3edec5a8e73252fb21b519e181625095d9 Mon Sep 17 00:00:00 2001
From: Mark Reynolds
Date: Wed, 19 Oct 2016 15:50:15 -0400
Subject: [PATCH] Ticket 47703 - remove search limit for aci group evaluation
Bug Description: Groups that have members that exceed the server sizelimit are not fully processed, and aci evalauation fails.
Fix Description: There should not be a sizelimit when processing aci's based on group membership.
https://fedorahosted.org/389/ticket/47703
Reviewed by: ?
---
 ldap/servers/plugins/acl/acl.h | 2 --
 ldap/servers/plugins/acl/acl_ext.c | 10 ----------
 ldap/servers/plugins/acl/acllas.c | 11 -----------
 3 files changed, 23 deletions(-)
diff --git a/ldap/servers/plugins/acl/acl.h b/ldap/servers/plugins/acl/acl.h
index fd3b098..91f5071 100644
--- a/ldap/servers/plugins/acl/acl.h
+++ b/ldap/servers/plugins/acl/acl.h
@@ -523,8 +523,6 @@ struct acl_pblock {
 /* Keep the Group nesting level */
 int aclpb_max_nesting_level;
- int aclpb_max_member_sizelimit;
-
 /* To keep the results in the cache */
diff --git a/ldap/servers/plugins/acl/acl_ext.c b/ldap/servers/plugins/acl/acl_ext.c
index 19ffe43..d0fc8f5 100644
--- a/ldap/servers/plugins/acl/acl_ext.c
+++ b/ldap/servers/plugins/acl/acl_ext.c
@@ -865,16 +865,6 @@ acl_init_aclpb ( Slapi_PBlock *pb, Acl_PBlock *aclpb, const char *ndn, int copy_
 aclg_init_userGroup ( aclpb, ndn, 0 /* get lock */ );
 slapi_pblock_get( pb, SLAPI_BE_MAXNESTLEVEL, &aclpb->aclpb_max_nesting_level );
- slapi_pblock_get( pb, SLAPI_SEARCH_SIZELIMIT, &aclpb->aclpb_max_member_sizelimit );
- if ( aclpb->aclpb_max_member_sizelimit == 0 ) {
- aclpb->aclpb_max_member_sizelimit = SLAPD_DEFAULT_LOOKTHROUGHLIMIT;
- } else if ( aclpb->aclpb_max_member_sizelimit < -1 ) {
- /* handle the case of a negtive size limit either set or due
- * to bug bz1065971. The member size limit should be dropped,
- * but for backward compatibility to the best we can
- */
- aclpb->aclpb_max_member_sizelimit = -1;
- }
 slapi_pblock_get( pb, SLAPI_OPERATION_TYPE, &aclpb->aclpb_optype );
 aclpb->aclpb_signature = acl_get_aclsignature();
diff --git a/ldap/servers/plugins/acl/acllas.c b/ldap/servers/plugins/acl/acllas.c
index 172e1a7..627f300 100644
--- a/ldap/servers/plugins/acl/acllas.c
+++ b/ldap/servers/plugins/acl/acllas.c
@@ -1977,7 +1977,6 @@ acllas__user_ismember_of_group( struct acl_pblock *aclpb,
 int totalMembersVisited;
 int numOfMembers;
 int max_nestlevel;
- int max_memberlimit;
 aclUserGroup *u_group;
 struct member_info *groupMember = NULL;
 struct member_info *parentGroup = NULL;
@@ -2062,7 +2061,6 @@ acllas__user_ismember_of_group( struct acl_pblock *aclpb,
 info.clientCert = NULL;
 info.aclpb = aclpb;
- max_memberlimit = aclpb->aclpb_max_member_sizelimit;
 max_nestlevel = aclpb->aclpb_max_nesting_level;
 #ifdef FOR_DEBUGGING
@@ -2140,15 +2138,6 @@ eval_another_member:
 goto free_and_return;
 }
- /* limit of -1 means "no limit */
- if (info.c_idx > max_memberlimit &&
- max_memberlimit != -1 ) {
- slapi_log_err(SLAPI_LOG_ACL, plugin_name,
- "acllas__user_ismember_of_group - Looked at too many entries:(%d, %d)\n",
- info.c_idx, info.lu_idx);
- result = ACL_DONT_KNOW; /* don't try to cache info based on this result */
- goto free_and_return;
- }
 if (info.lu_idx > info.c_idx) {
 if (numOfMembers == (info.lu_idx - info.c_idx)) {
 /* That means it's not a GROUP. It is just another
--
2.7.4