httpd-cvs mailing list archives

From cove...@apache.org
Subject svn commit: r1525866 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_authnz_ldap.xml modules/aaa/mod_authnz_ldap.c
Date Tue, 24 Sep 2013 12:14:57 GMT
Author: covener
Date: Tue Sep 24 12:14:57 2013
New Revision: 1525866

URL: http://svn.apache.org/r1525866
Log:
Change the default value of AuthLDAPMaxSubGroupDepth, so sub-group searching
is opt-in.  Not intended for 2.4 backport.

Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml
    httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1525866&r1=1525865&r2=1525866&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Tue Sep 24 12:14:57 2013
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
 
+  *) mod_authnz_ldap: Change default value of AuthLDAPMaxSubGroupDepth to 0
+     to avoid performance problems when subgroups aren't in use. [Eric Covener]
+
   *) mod_syslog: New module implementing syslog ap_error_log provider.
      Previously, this code was part of core, now it's in separate module.
      [Jan Kaluza]
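
Review bot: The new CHANGES entry gives only the performance motivation and does not say that this changes authorization behaviour. With the default at 0, sub-group searching is off unless configured, so a configuration that relied on the old default of 10 will no longer match users who are members only through a nested group. Suggest adding a sentence to the entry telling administrators to set AuthLDAPMaxSubGroupDepth explicitly if they depend on nested groups.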

Modified: httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml?rev=1525866&r1=1525865&r2=1525866&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml Tue Sep 24 12:14:57 2013
@@ -1074,11 +1074,11 @@ group membership</description>
 <description>Specifies the maximum sub-group nesting depth that will be
 evaluated before the user search is discontinued.</description>
 <syntax>AuthLDAPMaxSubGroupDepth <var>Number</var></syntax>
-<default>AuthLDAPMaxSubGroupDepth 10</default>
+<default>AuthLDAPMaxSubGroupDepth 0</default>
 <contextlist><context>directory</context><context>.htaccess</context>
 </contextlist>
 <override>AuthConfig</override>
-<compatibility>Available in version 2.3.0 and later</compatibility>
+<compatibility>Available in version 2.3.0 and later, defaulted to 10 in 2.4.x and early
2.5</compatibility>
 
 <usage>
    <p>When this directive is set to a non-zero value <code>X</code>
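
Review bot: The new <compatibility> text, "defaulted to 10 in 2.4.x and early 2.5", is imprecise: "early 2.5" does not identify a version or revision a reader can compare against. It also never says that the default is now 0. Suggest naming the point at which the default changed and stating both values, so that someone reading the 2.4 and trunk manuals side by side can tell which applies to their build.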
@@ -1094,8 +1094,8 @@ evaluated before the user search is disc
    <p> When <directive>AuthLDAPSubGroupAttribute</directive> overlaps with
    <directive>AuthLDAPGroupAttribute</directive> (as it does by default and
    as required by common LDAP schemas), uncached searching for subgroups in 
-   large groups can be very slow. If you use large, non-nested groups, set 
-   <directive>AuthLDAPMaxSubGroupDepth</directive> to zero.</p>
+   large groups can be very slow. If you use large, non-nested groups, keep 
+   <directive>AuthLDAPMaxSubGroupDepth</directive> set to zero.</p>
    </note>
 
 </usage>
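
Review bot: In the reworded note, "keep AuthLDAPMaxSubGroupDepth set to zero" assumes the reader already knows that zero is now the default. Saying "leave it at its default of zero" would make that explicit, and the note could add that raising the value is what enables the slow uncached subgroup searches it describes. The added line ending in "keep " also carries trailing whitespace over from the line it replaces.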

Modified: httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c?rev=1525866&r1=1525865&r2=1525866&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c (original)
+++ httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c Tue Sep 24 12:14:57 2013
@@ -348,7 +348,7 @@ static void *create_authnz_ldap_dir_conf
     sec->deref = always;
     sec->group_attrib_is_dn = 1;
     sec->secure = -1;   /*Initialize to unset*/
-    sec->maxNestingDepth = 10;
+    sec->maxNestingDepth = 0;
     sec->sgAttributes = apr_pcalloc(p, sizeof (char *) * GROUPATTR_MAX_ELTS + 1);
 
     sec->user_is_dn = 0;
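
Review bot: The new initializer `sec->maxNestingDepth = 0;` is a bare literal with no comment, although 0 here has the special meaning "sub-group searching disabled" and the line just above it documents its sentinel (`/*Initialize to unset*/`). Suggest a short comment such as "0 = do not search sub-groups (opt-in)", or a named constant. That keeps the code default and the <default> value in mod_authnz_ldap.xml easier to keep in step.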


