Add support for separate max incoming for anonymous and authenticated

sessions (defaults: 256K and 16M respectively).

doc/man/man5/slapd.conf.5

@@ -425,7 +425,12 @@ Specify the maximum number of entries to return from a search operation.
 The default size limit is 500.
 .TP
 .B sockbuf_max_incoming <integer>
-Specify the maximum incoming LDAP PDU size.  The default is 262143.
+Specify the maximum incoming LDAP PDU size for anonymous sessions.
+The default is 262143.
+.TP
+.B sockbuf_max_incoming_auth <integer>
+Specify the maximum incoming LDAP PDU size for authenticated sessions.
+The default is 4194303.
 .TP
 .B srvtab <filename>
 Specify the srvtab file in which the kerberos keys necessary for

servers/slapd/bind.c

@@ -280,10 +280,18 @@ do_bind(
 			conn->c_authmech = conn->c_sasl_bind_mech;
 			conn->c_sasl_bind_mech = NULL;
 			conn->c_sasl_bind_in_progress = 0;
+
 			conn->c_sasl_ssf = ssf;
 			if( ssf > conn->c_ssf ) {
 				conn->c_ssf = ssf;
 			}
+
+			if( conn->c_dn != NULL ) {
+				ber_len_t max = sockbuf_max_incoming;
+				ber_sockbuf_ctrl( conn->c_sb,
+					LBER_SB_OPT_SET_MAX_INCOMING, &max );
+			}
+
 		} else if ( rc == LDAP_SASL_BIND_IN_PROGRESS ) {
 			conn->c_sasl_bind_in_progress = 1;
 
@@ -468,6 +476,12 @@ do_bind(
 				ndn = NULL;
 			}
 
+			if( conn->c_dn != NULL ) {
+				ber_len_t max = sockbuf_max_incoming;
+				ber_sockbuf_ctrl( conn->c_sb,
+					LBER_SB_OPT_SET_MAX_INCOMING, &max );
+			}
+
 #ifdef NEW_LOGGING
 			LDAP_LOG(( "operation", LDAP_LEVEL_DETAIL1,
 				   "do_bind: conn %d  v%d bind: \"%s\" to \"%s\" \n",

servers/slapd/config.c

@@ -42,6 +42,7 @@ char		*default_search_base = NULL;
 char		*default_search_nbase = NULL;
 
 ber_len_t sockbuf_max_incoming = SLAP_SB_MAX_INCOMING_DEFAULT;
+ber_len_t sockbuf_max_incoming_auth= SLAP_SB_MAX_INCOMING_AUTH;
 
 char   *slapd_pid_file  = NULL;
 char   *slapd_args_file = NULL;
@@ -278,6 +279,43 @@ read_config( const char *fname )
 
 			sockbuf_max_incoming = max;
 
+		/* set sockbuf max authenticated */
+		} else if ( strcasecmp( cargv[0], "sockbuf_max_incoming_auth" ) == 0 ) {
+			long max;
+			if ( cargc < 2 ) {
+#ifdef NEW_LOGGING
+				LDAP_LOG(( "config", LDAP_LEVEL_CRIT,
+					   "%s: line %d: missing max in \"sockbuf_max_incoming_auth <bytes>\" line\n",
+					   fname, lineno ));
+#else
+				Debug( LDAP_DEBUG_ANY,
+					   "%s: line %d: missing max in \"sockbuf_max_incoming_auth <bytes>\" line\n",
+				    fname, lineno, 0 );
+#endif
+
+				return( 1 );
+			}
+
+			max = atol( cargv[1] );
+
+			if( max < 0 ) {
+#ifdef NEW_LOGGING
+				LDAP_LOG(( "config", LDAP_LEVEL_CRIT,
+					   "%s: line %d: invalid max value (%ld) in "
+					   "\"sockbuf_max_incoming_auth <bytes>\" line.\n",
+					   fname, lineno, max ));
+#else
+				Debug( LDAP_DEBUG_ANY,
+					"%s: line %d: invalid max value (%ld) in "
+					"\"sockbuf_max_incoming_auth <bytes>\" line.\n",
+				    fname, lineno, max );
+#endif
+
+				return( 1 );
+			}
+
+			sockbuf_max_incoming_auth = max;
+
 		/* default search base */
 		} else if ( strcasecmp( cargv[0], "defaultSearchBase" ) == 0 ) {
 			if ( cargc < 2 ) {

servers/slapd/connection.c

@@ -536,6 +536,11 @@ void connection2anonymous( Connection *c )
     assert( connections != NULL );
     assert( c != NULL );
 
+	{
+		ber_len_t max = sockbuf_max_incoming;
+		ber_sockbuf_ctrl( c->c_sb, LBER_SB_OPT_SET_MAX_INCOMING, &max );
+	}
+
 	if(c->c_authmech != NULL ) {
 		free(c->c_authmech);
 		c->c_authmech = NULL;

servers/slapd/proto-slap.h

@@ -799,7 +799,10 @@ LDAP_SLAPD_F (int)	krbv4_ldap_auth();
  * Other...
  */
 #define SLAP_SB_MAX_INCOMING_DEFAULT (1<<18 - 1)
+#define SLAP_SB_MAX_INCOMING_AUTH (1<<24 - 1)
+
 LDAP_SLAPD_F (ber_len_t) sockbuf_max_incoming;
+LDAP_SLAPD_F (ber_len_t) sockbuf_max_incoming_auth;
 
 LDAP_SLAPD_F (slap_mask_t)	global_restrictops;
 LDAP_SLAPD_F (slap_mask_t)	global_allows;

servers/slapd/slap.h

@@ -58,7 +58,6 @@ LDAP_BEGIN_DECL
 
 #define MAXREMATCHES (10)
 
-#define SLAP_MAX_INCOMING (1<<18 - 1)
 #define SLAP_MAX_WORKER_THREADS		(32)
 
 #define SLAP_TEXT_BUFLEN (256)