Victor.Duchovni
morganstanley.com
Date: Sat Mar 01 2003 - 00:42:19 CST
- Support OpenLDAP 2.1.13 by dropping support for the LDAP cache.
- Support for "ldapsource_recursion_limit", to deal with circularly nested
DN references, or circular LDAP URL searches.
- Support for "ldapsource_expansion_limit", to allow one to limit the
number of returned (comma separated) lookup results, useful values are
1000 (default) and 1 (for 1-to-1 maps).
- Support for "ldapsource_size_limit", to set an *entry* limit on
individual LDAP queries performed during the possibly recursive (via DN
and/or LDAP URL references) lookup. This defaults to the expansion limit,
but is not identical to it. It limits waste of server resources on
unexpectedly large query results.
- When debugging there is now a recursion counter in the special
attribute expansion code, which makes the verbose messages more
comprehensible.
- A non-LDAP typo fix for FILTER_README.
--
Viktor.
Index: README_FILES/FILTER_README
*** README_FILES/FILTER_README 2003/01/24 20:03:27 1.1.1.10
--- README_FILES/FILTER_README 2003/02/26 20:37:28
***************
*** 343,351 ****
# cleanup service (defined further below).
#
smtp inet n - n - - smtpd
! -o cleanup_service=pre-cleanup
pickup fifo n - n 60 1 pickup
! -o cleanup_service=pre-cleanup
#
# ------------------------------------------------------------------
#
--- 343,351 ----
# cleanup service (defined further below).
#
smtp inet n - n - - smtpd
! -o cleanup_service_name=pre-cleanup
pickup fifo n - n 60 1 pickup
! -o cleanup_service_name=pre-cleanup
#
# ------------------------------------------------------------------
#
Index: README_FILES/LDAP_README
*** README_FILES/LDAP_README 2002/11/17 02:50:05 1.1.1.5
--- README_FILES/LDAP_README 2003/03/01 06:09:12
***************
*** 155,169 ****
--- 155,203 ----
ldapsource_bind_pw = postfixpw
cache (no)
+ IGNORED: NO LONGER SUPPORTED by Postfix and OpenLDAP 2.1.13.
Whether to use a client-side cache for the LDAP connection. See
ldap_enable_cache(3). It's off by default.
cache_expiry (30 seconds)
+ IGNORED: NO LONGER SUPPORTED by Postfix and OpenLDAP 2.1.13.
If the client-side cache is enabled, cached results will expire
after this many seconds.
cache_size (32768 bytes)
+ IGNORED: NO LONGER SUPPORTED by Postfix and OpenLDAP 2.1.13.
If the client-side cache is enabled, this is its size in bytes.
+
+ recursion_limit (1000)
+ A limit on the recursion depth of special_result_attribute
+ expansion. Without this limit a self referential (or other
+ cyclic) DN or LDAP URL can cause the lookup to enter an
+ infinite loop. A positive limit must be set, 0 is not accepted,
+ and does not turn off recursion limits. This has no effect when
+ DN and URL attributes (special_result_attribute) are not used.
+
+ expansion_limit (1000)
+ A limit on the total number of result elements returned (as a
+ comma separated list) by a query against the map. The lookup
+ fails with a temporary error if the limit is exceeded. This is
+ useful to prevent runaway queries, and to ensure that queries
+ that must return at most one result, do not return multiple
+ results. A positive limit must be set, 0 is not accepted, and
+ does not turn off expansion limits. Setting the limit to 1,
+ ensures that the query does not return multiple values.
+
+ size_limit (1000)
+ A limit ( >= 1 ) on the number of LDAP entries returned by any
+ single LDAP query performed as part of the lookup. Note that DN
+ and URL references perform additional nested LDAP queries, each
+ of which is separately subject to the above limit. Note also
+ that even single matching LDAP entry can generate multiple
+ results via multiple result attributes and/or multiple-valued
+ result attributes. So while this limit helps the LDAP server
+ avoid unnecessary work in collecting unexpectedly large result
+ sets, it is only indirectly related to the result multiplicity
+ controlled by the expansion_limit. This limit is directly
+ analogous to the "-z" option of "ldapsearch".
dereference (0)
When to dereference LDAP aliases. (Note that this has nothing
Index: conf/sample-ldap.cf
*** conf/sample-ldap.cf 2002/11/17 02:50:12 1.1.1.5
--- conf/sample-ldap.cf 2003/03/01 06:20:55
***************
*** 68,86 ****
--- 68,113 ----
#
#ldap_bind_pw =
+ # IGNORED: NO LONGER SUPPORTED by Postfix and OpenLDAP 2.1.13.
# The ldap_cache parameter specifies whether or not to turn on client-side
# caching.
#
#ldap_cache = no
+ # IGNORED: NO LONGER SUPPORTED by Postfix and OpenLDAP 2.1.13.
# The ldap_cache_expiry parameter specifies how many seconds to cache results
# for (if ldap_cache=yes)
#
#ldap_cache_expiry = 30
+ # IGNORED: NO LONGER SUPPORTED by Postfix and OpenLDAP 2.1.13.
# The ldap_cache_size parameter specifies the cache size, in bytes.
#
#ldap_cache_size = 32768
+
+ # The ldap_recursion_limit parameter specifies a limit on the nesting
+ # depth of DN and URL special result attribute evaluation. The limit
+ # must be a non-zero positive number. The default value is 1000.
+ #
+ #ldap_recursion_limit = 1000
+
+ # The ldap_expansion_limit parameter specifies a limit on the number
+ # results returned (as a comma separated list) by the map lookup. The
+ # limit must be a non-zero positive number. The default value is 1000.
+ # For lookups that must return a single value (e.g. canonical_maps), a
+ # limit of "1" (without the double-quotes) is a sensible choice.
+ #
+ #ldap_expansion_limit = 1000
+
+ # The ldap_size_limit parameter specifies a limit on the number "entries"
+ # returned the LDAP server in response to idundividual LDAP queries. (With
+ # URL references, a single lookup can involve multiple queries). The
+ # limit must be a non-zero positive number. The default value is 1000.
+ # Due to the possibility of multiple result attributes or multiple-valued
+ # result attributes, this limit is not directly related to the expansion
+ # limit above. It is analogous to the "-z" option of "ldapsearch".
+ #
+ #ldap_size_limit = 1000
# The ldap_deference parameter specifies how to handle LDAP aliases. See the
# ldap_open(3) man page.
Index: src/util/dict_ldap.c
*** src/util/dict_ldap.c 2003/02/20 21:54:42 1.1.1.12.36.1
--- src/util/dict_ldap.c 2003/03/01 06:29:37
***************
*** 57,68 ****
/* If you must bind to the server, do it with this distinguished name ...
/* .IP \fIldapsource_\fRbind_pw
/* \&... and this password.
! /* .IP \fIldapsource_\fRcache
/* Whether or not to turn on client-side caching.
! /* .IP \fIldapsource_\fRcache_expiry
/* If you do cache results, expire them after this many seconds.
! /* .IP \fIldapsource_\fRcache_size
/* The cache size in bytes. Does nothing if the cache is off, of course.
/* .IP \fIldapsource_\fRdereference
/* How to handle LDAP aliases. See ldap.h or ldap_open(3) man page.
/* .IP \fIldapsource_\fRdebuglevel
--- 57,83 ----
/* If you must bind to the server, do it with this distinguished name ...
/* .IP \fIldapsource_\fRbind_pw
/* \&... and this password.
! /* .IP \fIldapsource_\fRcache (no longer supported)
/* Whether or not to turn on client-side caching.
! /* .IP \fIldapsource_\fRcache_expiry (no longer supported)
/* If you do cache results, expire them after this many seconds.
! /* .IP \fIldapsource_\fRcache_size (no longer supported)
/* The cache size in bytes. Does nothing if the cache is off, of course.
+ /* .IP \fIldapsource_\fRrecursion_limit
+ /* Maximum recursion depth when expanding DN or URL references.
+ /* Queries which exceed the recursion limit fail with
+ /* dict_errno = DICT_ERR_RETRY.
+ /* .IP \fIldapsource_\fRexpansion_limit
+ /* Limit on the total number of lookup result values. Lookups which
+ /* exceed the limit fail with dict_errno=DICT_ERR_RETRY. Note that
+ /* each value of a multivalued result attribute counts as one result.
+ /* .IP \fIldapsource_\fRsize_limit
+ /* Limit on the number of entries returned by individual LDAP queries.
+ /* Queries which exceed the limit fail with dict_errno=DICT_ERR_RETRY.
+ /* This is an *entry* count, for any single query performed during the
+ /* possibly recursive lookup.
+ /* .IP \fIldapsource_\fRchase_referrals
+ /* Controls whether LDAP referrals are obeyed.
/* .IP \fIldapsource_\fRdereference
/* How to handle LDAP aliases. See ldap.h or ldap_open(3) man page.
/* .IP \fIldapsource_\fRdebuglevel
***************
*** 110,115 ****
--- 125,132 ----
#error "Your LDAP version is too old"
#endif
+ #define DISABLE_LDAP_CACHE /* Deprecated by OpenLDAP 2.1.X, dropped X=13 */
+
/* Handle differences between LDAP SDK's constant definitions */
#ifndef LDAP_CONST
#define LDAP_CONST const
***************
*** 152,161 ****
--- 169,183 ----
char *bind_dn;
char *bind_pw;
int timeout;
+ #ifndef DISABLE_LDAP_CACHE
int cache;
long cache_expiry;
long cache_size;
+ #endif /* DISABLE_LDAP_CACHE */
int dereference;
+ long recursion_limit;
+ long expansion_limit;
+ long size_limit;
int chase_referrals;
int debuglevel;
int version;
***************
*** 231,240 ****
--- 253,264 ----
char *myname = "dict_ldap_connect";
int rc = 0;
+ #ifndef DISABLE_LDAP_CACHE
#ifdef LDAP_API_FEATURE_X_MEMCACHE
LDAPMemCache *dircache;
#endif
+ #endif /* DISABLE_LDAP_CACHE */
#ifdef LDAP_OPT_NETWORK_TIMEOUT
struct timeval mytimeval;
***************
*** 314,319 ****
--- 338,351 ----
#endif
/*
+ * Limit the number of entries returned by each query.
+ */
+ if (ldap_set_option(dict_ldap->ld, LDAP_OPT_SIZELIMIT,
+ &dict_ldap->size_limit) != LDAP_OPT_SUCCESS)
+ msg_warn("%s: %s: Unable to set query result size limit to %ld.",
+ myname, dict_ldap->ldapsource, dict_ldap->size_limit);
+
+ /*
* Configure alias dereferencing for this connection. Thanks to Mike
* Mattice for this, and to Hery Rakotoarisoa for the v3 update.
*/
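Review bot: The new `ldap_set_option(dict_ldap->ld, LDAP_OPT_SIZELIMIT, &dict_ldap->size_limit)` call passes the address of a `long` (the field is added as `long size_limit;` in the struct hunk at `*** 152,161 ****`), but OpenLDAP reads LDAP_OPT_SIZELIMIT through an `int *`. On LP64 little-endian hosts this happens to work; on a big-endian 64-bit host the library would read the upper half of the long, i.e. 0, which LDAP treats as "no limit", so the entry cap would silently vanish exactly where it is meant to bound server work. Copy the value into a properly typed local before the call, `int size_limit = (int) dict_ldap->size_limit;` and pass `&size_limit` (or declare the struct field as `int`, which would also let recursion_limit and expansion_limit use one type consistently). dict_ldap_connect starts and ends outside this hunk.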
***************
*** 371,376 ****
--- 403,410 ----
myname, dict_ldap->server_host, dict_ldap->bind_dn);
}
+ #ifndef DISABLE_LDAP_CACHE
+
/*
* Set up client-side caching if it's configured.
*/
***************
*** 416,421 ****
--- 450,458 ----
#endif
}
+
+ #endif /* DISABLE_LDAP_CACHE */
+
if (msg_verbose)
msg_info("%s: Cached connection handle for LDAP source %s",
myname, dict_ldap->ldapsource);
***************
*** 426,432 ****
/*
* expand a filter (lookup or result)
*/
! static void dict_ldap_expand_filter(char *filter, char *value, VSTRING *out)
{
char *myname = "dict_ldap_expand_filter";
char *sub,
--- 463,470 ----
/*
* expand a filter (lookup or result)
*/
! static void dict_ldap_expand_filter(char *ldapsource, char *filter,
! char *value, VSTRING *out)
{
char *myname = "dict_ldap_expand_filter";
char *sub,
***************
*** 461,469 ****
vstring_strcat(out, u);
break;
default:
! msg_warn
! ("%s: Invalid filter substitution format '%%%c'!",
! myname, *(sub + 1));
/* fall through */
case 's':
vstring_strcat(out, u);
--- 499,506 ----
vstring_strcat(out, u);
break;
default:
! msg_warn("%s: %s: Invalid filter substitution format '%%%c'!",
! myname, ldapsource, *(sub + 1));
/* fall through */
case 's':
vstring_strcat(out, u);
***************
*** 486,491 ****
--- 523,532 ----
static void dict_ldap_get_values(DICT_LDAP *dict_ldap, LDAPMessage * res,
VSTRING *result)
{
+ static int recursion = 0;
+ static int expansion;
+ long entries = 0;
+ int
long i = 0;
int rc = 0;
LDAPMessage *resloop = 0;
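Review bot: The added declaration `int` on its own line, immediately before the context line `long i = 0;`, looks like a stray fragment of a declaration; as posted it merges into `int long i = 0;`, which compiles (it is just `long int`) but is surely not what was intended and will confuse the next reader. Either complete the declaration or drop the line. I cannot tell from the hunk whether this is a paste artefact of the archive or part of the patch, so please check the original. The body of dict_ldap_get_values continues beyond this hunk.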
***************
*** 500,512 ****
tv.tv_sec = dict_ldap->timeout;
tv.tv_usec = 0;
if (msg_verbose)
! msg_info("%s: Search found %d match(es)", myname,
ldap_count_entries(dict_ldap->ld, res));
for (entry = ldap_first_entry(dict_ldap->ld, res); entry != NULL;
entry = ldap_next_entry(dict_ldap->ld, entry)) {
ber = NULL;
for (attr = ldap_first_attribute(dict_ldap->ld, entry, &ber);
attr != NULL;
ldap_memfree(attr), attr = ldap_next_attribute(dict_ldap->ld,
--- 541,565 ----
tv.tv_sec = dict_ldap->timeout;
tv.tv_usec = 0;
+ if (++recursion == 1)
+ expansion = 0;
+
if (msg_verbose)
! msg_info("%s[%d]: Search found %d match(es)", myname, recursion,
ldap_count_entries(dict_ldap->ld, res));
for (entry = ldap_first_entry(dict_ldap->ld, res); entry != NULL;
entry = ldap_next_entry(dict_ldap->ld, entry)) {
ber = NULL;
+ /*
+ * LDAP should not, but may produce more than the requested maximum
+ * number of entries.
+ */
+ if (dict_errno == 0 && ++entries > dict_ldap->size_limit) {
+ msg_warn("%s[%d]: %s: Query size limit (%ld) exceeded", myname,
+ recursion, dict_ldap->ldapsource, dict_ldap->size_limit);
+ dict_errno = DICT_ERR_RETRY;
+ }
for (attr = ldap_first_attribute(dict_ldap->ld, entry, &ber);
attr != NULL;
ldap_memfree(attr), attr = ldap_next_attribute(dict_ldap->ld,
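Review bot: After the new size-limit check sets `dict_errno = DICT_ERR_RETRY;` the entry loop keeps walking every remaining entry and all of its attribute values, so the oversized result is still fully expanded even though the lookup has already failed; adding `break;` right after the assignment stops the work the limit exists to avoid and keeps the warning to a single message. The `if (dict_errno == 0 && ...)` guard also means entries stop being counted once any error is set, which is fine but worth a comment such as `/* Count entries only until the first error; the result is discarded anyway. */`. Separately, `static int recursion` is incremented at `++recursion == 1` but its decrement is not in this hunk; if any return path between the increment and the decrement is taken, the depth counter never returns to 0 and `expansion` is never reset for later lookups, so please confirm every exit of dict_ldap_get_values undoes the increment. The function starts and ends outside this hunk.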
***************
*** 514,530 ****
vals = ldap_get_values(dict_ldap->ld, entry, attr);
if (vals == NULL) {
if (msg_verbose)
! msg_info("%s: Entry doesn't have any values for %s",
!