From b15541f8e03a8db48fe8231cfe5d31ce56e867fc Mon Sep 17 00:00:00 2001
From: Eric Covener <covener@apache.org>
Date: Tue, 24 Sep 2013 12:14:57 +0000
Subject: [PATCH] Change the default value of AuthLDAPMaxSubGroupDepth, so
 sub-group searching is opt-in.  Not intended for 2.4 backport.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1525866 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES                             | 3 +++
 docs/manual/mod/mod_authnz_ldap.xml | 8 ++++----
 modules/aaa/mod_authnz_ldap.c       | 2 +-
 3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/CHANGES b/CHANGES
index 89018a0f86..f461135f24 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
 
+  *) mod_authnz_ldap: Change default value of AuthLDAPMaxSubGroupDepth to 0
+     to avoid performance problems when subgroups aren't in use. [Eric Covener]
+
   *) mod_syslog: New module implementing syslog ap_error_log provider.
      Previously, this code was part of core, now it's in separate module.
      [Jan Kaluza]
diff --git a/docs/manual/mod/mod_authnz_ldap.xml b/docs/manual/mod/mod_authnz_ldap.xml
index c3d033a124..c9d13a736e 100644
--- a/docs/manual/mod/mod_authnz_ldap.xml
+++ b/docs/manual/mod/mod_authnz_ldap.xml
@@ -1074,11 +1074,11 @@ group membership</description>
 <description>Specifies the maximum sub-group nesting depth that will be
 evaluated before the user search is discontinued.</description>
 <syntax>AuthLDAPMaxSubGroupDepth <var>Number</var></syntax>
-<default>AuthLDAPMaxSubGroupDepth 10</default>
+<default>AuthLDAPMaxSubGroupDepth 0</default>
 <contextlist><context>directory</context><context>.htaccess</context>
 </contextlist>
 <override>AuthConfig</override>
-<compatibility>Available in version 2.3.0 and later</compatibility>
+<compatibility>Available in version 2.3.0 and later, defaulted to 10 in 2.4.x and early 2.5</compatibility>
 
 <usage>
    <p>When this directive is set to a non-zero value <code>X</code>
@@ -1094,8 +1094,8 @@ evaluated before the user search is discontinued.</description>
    <p> When <directive>AuthLDAPSubGroupAttribute</directive> overlaps with
    <directive>AuthLDAPGroupAttribute</directive> (as it does by default and
    as required by common LDAP schemas), uncached searching for subgroups in 
-   large groups can be very slow. If you use large, non-nested groups, set 
-   <directive>AuthLDAPMaxSubGroupDepth</directive> to zero.</p>
+   large groups can be very slow. If you use large, non-nested groups, keep 
+   <directive>AuthLDAPMaxSubGroupDepth</directive> set to zero.</p>
    </note>
 
 </usage>
diff --git a/modules/aaa/mod_authnz_ldap.c b/modules/aaa/mod_authnz_ldap.c
index b1c5740c5d..ed8feb3470 100644
--- a/modules/aaa/mod_authnz_ldap.c
+++ b/modules/aaa/mod_authnz_ldap.c
@@ -348,7 +348,7 @@ static void *create_authnz_ldap_dir_config(apr_pool_t *p, char *d)
     sec->deref = always;
     sec->group_attrib_is_dn = 1;
     sec->secure = -1;   /*Initialize to unset*/
-    sec->maxNestingDepth = 10;
+    sec->maxNestingDepth = 0;
     sec->sgAttributes = apr_pcalloc(p, sizeof (char *) * GROUPATTR_MAX_ELTS + 1);
 
     sec->user_is_dn = 0;
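Review bot: The new default `sec->maxNestingDepth = 0;` gives the zero value a special meaning (the docs hunk describes sub-group evaluation only for a non-zero depth), but the line carries no comment, unlike the `secure = -1;   /*Initialize to unset*/` initializer just above it; suggest `sec->maxNestingDepth = 0;   /* 0 = sub-group searching disabled; opt-in via AuthLDAPMaxSubGroupDepth */`. Since a user previously authorized only through a nested group will now be denied until the directive is set, the behaviour change is fail-closed, which is the safer direction, but the comment keeps that intent visible to the next maintainer. Separately, on the adjacent context line the expression `sizeof (char *) * GROUPATTR_MAX_ELTS + 1` adds one byte rather than one pointer slot because `*` binds tighter than `+`; if the intent is room for a terminating entry it presumably should read `sizeof (char *) * (GROUPATTR_MAX_ELTS + 1)`, worth confirming against how sgAttributes is indexed elsewhere in the file. The enclosing create_authnz_ldap_dir_config starts and ends outside the hunk.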
-- 
2.40.0