Allow size and time limits in slapd.conf for anonymous bound search operations

doc/man/man5/slapd.conf.5

@@ -158,7 +158,7 @@ feature.  The default is 0.
 Read additional configuration information from the given file before
 continuing with the next line of the current file.
 .TP
-.B limits [dn[.{exact|regex}]=]<pattern> <limit> [...]
+.B limits [dn[.{exact|regex|anonymous}]=]<pattern> <limit> [...]
 Specify time and size limits based on the distinguished name that
 initiated an operation.
 The argument
@@ -168,7 +168,10 @@ It is a distinguished name in case of
 .BR exact
 match, or an Extended Regex pattern in case of
 .BR regex
-match (the default).
+match (the default). In the case of
+.BR anonymous
+the pattern is ignored and the limits will apply to anonymously
+bound operations.
 The currently supported limits are "size" and "time".
 
 The syntax for time limits is 

servers/slapd/limits.c

@@ -30,16 +30,16 @@ get_limits(
 	 */
 	*limit = &be->be_def_limit;
 
-	/*
-	 * anonymous or no regex-based limits? 
-	 */
-	if ( be->be_limits == NULL || ndn == NULL || ndn[0] == '\0' ) {
+	if ( be->be_limits == NULL ) {
 		return( 0 );
 	}
 
 	for ( lm = be->be_limits; lm[0] != NULL; lm++ ) {
 		switch ( lm[0]->lm_type) {
 		case SLAP_LIMITS_EXACT:
+			if ( ndn == NULL || ndn[0] == '\0' ) {
+				break;
+			}
 			if ( strcmp( lm[0]->lm_dn_pat, ndn ) == 0 ) {
 				*limit = &lm[0]->lm_limits;
 				return( 0 );
@@ -47,12 +47,20 @@ get_limits(
 			break;
 
 		case SLAP_LIMITS_REGEX:
+			if ( ndn == NULL || ndn[0] == '\0' ) {
+				break;
+			}
 			if ( regexec( &lm[0]->lm_dn_regex, ndn, 0, NULL, 0 ) == 0 ) {
 				*limit = &lm[0]->lm_limits;
 				return( 0 );
 			}
 			break;
-			
+		case SLAP_LIMITS_ANONYMOUS:
+			if ( ndn == NULL || ndn[0] == '\0' ) {
+				*limit = &lm[0]->lm_limits;
+				return( 0 );
+			}
+			break;
 		default:
 			assert( 0 );	/* unreachable */
 			return( -1 );
@@ -74,7 +82,6 @@ add_limits(
 	struct slap_limits	*lm;
 	
 	assert( be );
-	assert( pattern );
 	assert( limit );
 
 	lm = ( struct slap_limits * )ch_calloc( sizeof( struct slap_limits ), 1 );
@@ -100,6 +107,10 @@ add_limits(
 			return( -1 );
 		}
 		break;
+	case SLAP_LIMITS_ANONYMOUS:
+		lm->lm_type = SLAP_LIMITS_ANONYMOUS;
+		lm->lm_dn_pat = NULL;
+		break;
 	}
 
 	lm->lm_limits = *limit;
@@ -158,7 +169,7 @@ parse_limits(
 	 * 
 	 * <pattern>:
 	 * 
-	 * [ "dn" [ "." { "exact" | "regex" } ] "=" ] <dn pattern>
+	 * [ "dn" [ "." { "exact" | "regex" | "anonymous" } ] "=" ] <dn pattern>
 	 *
 	 * 
 	 * <limit>:
@@ -179,20 +190,23 @@ parse_limits(
 			} else if ( strncasecmp( pattern, "regex", 5 ) == 0 ) {
 				type = SLAP_LIMITS_REGEX;
 				pattern += 5;
+			} else if ( strncasecmp( pattern, "anonymous", 9 ) == 0 ) {
+				type = SLAP_LIMITS_ANONYMOUS;
+				pattern = NULL;
 			}
 		}
 
-		if ( pattern[0] != '=' ) {
+		if (( type != SLAP_LIMITS_ANONYMOUS ) && ( pattern[0] != '=' )) {
 #ifdef NEW_LOGGING
 			LDAP_LOG(( "config", LDAP_LEVEL_CRIT,
 				"%s : line %d: missing '=' in "
-				"\"dn[.{exact|regex}]=<pattern>\" in "
+				"\"dn[.{exact|regex|anonymous}]=<pattern>\" in "
 				"\"limits <pattern> <limits>\" line.\n",
 			fname, lineno ));
 #else
 			Debug( LDAP_DEBUG_ANY,
 				"%s : line %d: missing '=' in "
-				"\"dn[.{exact|regex}]=<pattern>\" in "
+				"\"dn[.{exact|regex|anonymous}]=<pattern>\" in "
 				"\"limits <pattern> <limits>\" line.\n%s",
 			fname, lineno, "" );
 #endif

servers/slapd/slap.h

@@ -856,6 +856,7 @@ struct slap_limits {
 #define SLAP_LIMITS_UNDEFINED	0x0000
 #define SLAP_LIMITS_EXACT	0x0001
 #define SLAP_LIMITS_REGEX	0x0002
+#define SLAP_LIMITS_ANONYMOUS	0x0003
 	regex_t	lm_dn_regex;	/* regex-based size and time limits */
 	char   *lm_dn_pat;	/* ndn for EXACT; pattern for REGEX */
 	struct slap_limits_set	lm_limits;