From: Eric Covener Date: Tue, 24 Sep 2013 12:14:57 +0000 (+0000) Subject: Change the default value of AuthLDAPMaxSubGroupDepth, so sub-group searching X-Git-Tag: 2.5.0-alpha~5018 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=b15541f8e03a8db48fe8231cfe5d31ce56e867fc;p=apache Change the default value of AuthLDAPMaxSubGroupDepth, so sub-group searching is opt-in. Not intended for 2.4 backport. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1525866 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 89018a0f86..f461135f24 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,9 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.0 + *) mod_authnz_ldap: Change default value of AuthLDAPMaxSubGroupDepth to 0 + to avoid performance problems when subgroups aren't in use. [Eric Covener] + *) mod_syslog: New module implementing syslog ap_error_log provider. Previously, this code was part of core, now it's in separate module. [Jan Kaluza] diff --git a/docs/manual/mod/mod_authnz_ldap.xml b/docs/manual/mod/mod_authnz_ldap.xml index c3d033a124..c9d13a736e 100644 --- a/docs/manual/mod/mod_authnz_ldap.xml +++ b/docs/manual/mod/mod_authnz_ldap.xml @@ -1074,11 +1074,11 @@ group membership Specifies the maximum sub-group nesting depth that will be evaluated before the user search is discontinued. AuthLDAPMaxSubGroupDepth Number -AuthLDAPMaxSubGroupDepth 10 +AuthLDAPMaxSubGroupDepth 0 directory.htaccess AuthConfig -Available in version 2.3.0 and later +Available in version 2.3.0 and later, defaulted to 10 in 2.4.x and early 2.5

When this directive is set to a non-zero value X @@ -1094,8 +1094,8 @@ evaluated before the user search is discontinued.

When AuthLDAPSubGroupAttribute overlaps with AuthLDAPGroupAttribute (as it does by default and as required by common LDAP schemas), uncached searching for subgroups in - large groups can be very slow. If you use large, non-nested groups, set - AuthLDAPMaxSubGroupDepth to zero.

+ large groups can be very slow. If you use large, non-nested groups, keep + AuthLDAPMaxSubGroupDepth set to zero.

diff --git a/modules/aaa/mod_authnz_ldap.c b/modules/aaa/mod_authnz_ldap.c index b1c5740c5d..ed8feb3470 100644 --- a/modules/aaa/mod_authnz_ldap.c +++ b/modules/aaa/mod_authnz_ldap.c @@ -348,7 +348,7 @@ static void *create_authnz_ldap_dir_config(apr_pool_t *p, char *d) sec->deref = always; sec->group_attrib_is_dn = 1; sec->secure = -1; /*Initialize to unset*/ - sec->maxNestingDepth = 10; + sec->maxNestingDepth = 0; sec->sgAttributes = apr_pcalloc(p, sizeof (char *) * GROUPATTR_MAX_ELTS + 1); sec->user_is_dn = 0;
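Review bot: the CHANGES entry under "Changes with Apache 2.5.0" states the motivation (performance) but not the compatibility impact, which is the part an upgrading administrator needs: with the default dropping from 10 to 0, deployments that relied on the old default to authorize members of nested groups will start denying those users until AuthLDAPMaxSubGroupDepth is set explicitly. Suggest extending the entry with a sentence along the lines of "Sites that depend on nested group evaluation must now set AuthLDAPMaxSubGroupDepth explicitly."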
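Review bot: the mod_authnz_ldap.xml hunk only adjusts the advice for large, non-nested groups ("keep AuthLDAPMaxSubGroupDepth set to zero") and does not tell the opposite audience what changed for them; the directive text should say plainly that 0 disables sub-group searching and that sites using nested groups must now choose a non-zero depth, e.g. "Sub-group searching is disabled by default; set a non-zero value to enable it." Also, "defaulted to 10 in 2.4.x and early 2.5" in the compatibility line is imprecise; if the exact 2.5 alpha at which the default changed is known, state it.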
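Review bot: in create_authnz_ldap_dir_config the value 0 is now both the default and the explicitly configured "disabled" setting for maxNestingDepth, unlike secure on the line above, which uses -1 as its "Initialize to unset" sentinel. Confirm that the directory-config merge routine (outside this hunk) does not treat maxNestingDepth == 0 as "unset" and inherit a parent's non-zero depth, otherwise an explicit AuthLDAPMaxSubGroupDepth 0 in a subdirectory could not turn nested searching off. A short comment beside the assignment, e.g. /* 0 = sub-group searching disabled (opt-in) */, would also make the intent clear to the next reader.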