|
|
@@ -2807,16 +2807,16 @@ acl__TestRights(Acl_PBlock *aclpb,int access, const char **right, const char **
|
|
|
|
|
|
if (access & ( SLAPI_ACL_SEARCH | SLAPI_ACL_READ)) {
|
|
|
|
|
|
- /* We can not reused results obtained on a other entry */
|
|
|
- if (aci->aci_type & ACI_CACHE_RESULT_PER_ENTRY) {
|
|
|
- aclpb->aclpb_state |= ACLPB_CACHE_RESULT_PER_ENTRY_SKIP;
|
|
|
- }
|
|
|
+ /* We can not reused results obtained on a other entry */
|
|
|
+ if (aci->aci_type & ACI_CACHE_RESULT_PER_ENTRY) {
|
|
|
+ aclpb->aclpb_state |= ACLPB_CACHE_RESULT_PER_ENTRY_SKIP;
|
|
|
+ }
|
|
|
|
|
|
/*
|
|
|
* aclpb->aclpb_cache_result[0..aclpb->aclpb_last_cache_result] is
|
|
|
* a cache of info about whether applicable acis
|
|
|
* allowed, did_not_allow or denied access
|
|
|
- */
|
|
|
+ */
|
|
|
for (j =0; j < aclpb->aclpb_last_cache_result; j++) {
|
|
|
if (index == aclpb->aclpb_cache_result[j].aci_index) {
|
|
|
short result;
|
|
|
@@ -2919,15 +2919,28 @@ acl__TestRights(Acl_PBlock *aclpb,int access, const char **right, const char **
|
|
|
|
|
|
if ( j < aclpb->aclpb_last_cache_result) {
|
|
|
/* already in cache */
|
|
|
+ aclpb->aclpb_cache_result[j].result &= ~ACLPB_CACHE_ERROR_REPORTED;
|
|
|
} else if ( j < aclpb_max_cache_results ) {
|
|
|
/* j == aclpb->aclpb_last_cache_result &&
|
|
|
j < ACLPB_MAX_CACHE_RESULTS */
|
|
|
aclpb->aclpb_last_cache_result++;
|
|
|
aclpb->aclpb_cache_result[j].aci_index = index;
|
|
|
aclpb->aclpb_cache_result[j].aci_ruleType = aci->aci_ruleType;
|
|
|
-
|
|
|
+ aclpb->aclpb_cache_result[j].result &= ~ACLPB_CACHE_ERROR_REPORTED;
|
|
|
} else { /* cache overflow */
|
|
|
- if ( rights_rv == ACL_RES_DENY) {
|
|
|
+ if (!(aclpb->aclpb_cache_result[j].result &
|
|
|
+ ACLPB_CACHE_ERROR_REPORTED)) {
|
|
|
+ slapi_log_error (SLAPI_LOG_FATAL, "acl__TestRights",
|
|
|
+ "Your ACL cache of %d slots has overflowed. "
|
|
|
+ "This can happen when you have many ACIs. "
|
|
|
+ "This ACI evaluation requires %d slots to cache. "
|
|
|
+ "You can increase your max value by setting the attribute "
|
|
|
+ "%s in cn=ACL Plugin,cn=plugins,cn=config to a value higher. "
|
|
|
+ "A server restart is required.\n",
|
|
|
+ j, aclpb_max_cache_results, ATTR_ACLPB_MAX_SELECTED_ACLS);
|
|
|
+ aclpb->aclpb_cache_result[j].result |= ACLPB_CACHE_ERROR_REPORTED;
|
|
|
+ }
|
|
|
+ if (rights_rv == ACL_RES_DENY) {
|
|
|
result_reason->deciding_aci = aci;
|
|
|
result_reason->reason = ACL_REASON_EVALUATED_DENY;
|
|
|
TNF_PROBE_1_DEBUG(acl__TestRights_end,"ACL","",
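Review bot: In the `/* cache overflow */` branch, j is neither below `aclpb->aclpb_last_cache_result` nor below `aclpb_max_cache_results`, so the added `aclpb->aclpb_cache_result[j].result & ACLPB_CACHE_ERROR_REPORTED` test and the later `|= ACLPB_CACHE_ERROR_REPORTED` read and write past the last cache slot if the array holds `aclpb_max_cache_results` entries (its allocation is not visible in this hunk). That would be an out-of-bounds write on the access-control decision path, and it makes the log-once guard depend on whatever memory follows the array, so the SLAPI_LOG_FATAL message may repeat or never appear. Keeping the "already reported" flag somewhere that is always valid, for example a dedicated bit in `aclpb->aclpb_state`, avoids indexing with j in this branch. The two `%d` arguments also look swapped against the message text, since the cache size is `aclpb_max_cache_results` and j is the slot being requested; `aclpb_max_cache_results, j, ATTR_ACLPB_MAX_SELECTED_ACLS);` would match the wording. The body of acl__TestRights starts and ends outside the hunk.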
|
|
|
@@ -2986,8 +2999,7 @@ acl__TestRights(Acl_PBlock *aclpb,int access, const char **right, const char **
|
|
|
return ACL_RES_DENY;
|
|
|
}
|
|
|
}
|
|
|
- }
|
|
|
-
|
|
|
+ } /* for (i=0, k=0; i < numHandles && k < aclpb->aclpb_num_deny_handles; ++i) */
|
|
|
|
|
|
/*
|
|
|
** START PROCESSING ALLOW HANDLES.
|
|
|
@@ -3023,10 +3035,10 @@ acl__TestRights(Acl_PBlock *aclpb,int access, const char **right, const char **
|
|
|
|
|
|
if (access & ( SLAPI_ACL_SEARCH | SLAPI_ACL_READ)) {
|
|
|
|
|
|
- /* We can not reused results obtained on a other entry */
|
|
|
- if (aci->aci_type & ACI_CACHE_RESULT_PER_ENTRY) {
|
|
|
- aclpb->aclpb_state |= ACLPB_CACHE_RESULT_PER_ENTRY_SKIP;
|
|
|
- }
|
|
|
+ /* We can not reused results obtained on a other entry */
|
|
|
+ if (aci->aci_type & ACI_CACHE_RESULT_PER_ENTRY) {
|
|
|
+ aclpb->aclpb_state |= ACLPB_CACHE_RESULT_PER_ENTRY_SKIP;
|
|
|
+ }
|
|
|
/*
|
|
|
* aclpb->aclpb_cache_result[0..aclpb->aclpb_last_cache_result] is
|
|
|
* a cache of info about whether applicable acis
|
|
|
@@ -3198,7 +3210,7 @@ acl__TestRights(Acl_PBlock *aclpb,int access, const char **right, const char **
|
|
|
return ACL_RES_ALLOW;
|
|
|
}
|
|
|
}
|
|
|
- }/* for */
|
|
|
+ } /* for (i=0, k=0; i < numHandles && k < aclpb->aclpb_num_allow_handles ; ++i) { */
|
|
|
result_reason->deciding_aci = aci;
|
|
|
result_reason->reason = ACL_REASON_NO_MATCHED_SUBJECT_ALLOWS;
|
|
|
|