const struct ldb_parse_tree *tree,
enum ldb_scope scope, bool *matched);
+/*
+ check if the scope matches in a search result
+*/
+int ldb_match_scope(struct ldb_context *ldb,
+ struct ldb_dn *base,
+ struct ldb_dn *dn,
+ enum ldb_scope scope);
+
/* Reallocate elements to drop any excess capacity. */
void ldb_msg_shrink_to_fit(struct ldb_message *msg);
return LDB_ERR_OPERATIONS_ERROR;
}
- if (ldb->redact.callback != NULL) {
- ret = ldb->redact.callback(ldb->redact.module, ac->req, msg);
- if (ret != LDB_SUCCESS) {
- talloc_free(msg);
- return ret;
- }
- }
-
/*
* We trust the index for LDB_SCOPE_ONELEVEL
* unless the index key has been truncated.
*
* LDB_SCOPE_BASE is not passed in by our only caller.
*/
- if (ac->scope == LDB_SCOPE_ONELEVEL &&
- ldb_kv->cache->one_level_indexes &&
- scope_one_truncation == KEY_NOT_TRUNCATED) {
- ret = ldb_match_message(ldb, msg, ac->tree,
- ac->scope, &matched);
- } else {
- ret = ldb_match_msg_error(ldb, msg,
- ac->tree, ac->base,
- ac->scope, &matched);
+ if (ac->scope != LDB_SCOPE_ONELEVEL ||
+ !ldb_kv->cache->one_level_indexes ||
+ scope_one_truncation != KEY_NOT_TRUNCATED)
+ {
+ /*
+ * The redaction callback may be expensive to call if it
+ * fetches a security descriptor. Check the DN early and
+ * bail out if it doesn't match the base.
+ */
+ if (!ldb_match_scope(ldb, ac->base, msg->dn, ac->scope)) {
+ talloc_free(msg);
+ continue;
+ }
+ }
+
+ if (ldb->redact.callback != NULL) {
+ ret = ldb->redact.callback(ldb->redact.module, ac->req, msg);
+ if (ret != LDB_SUCCESS) {
+ talloc_free(msg);
+ return ret;
+ }
}
+ ret = ldb_match_message(ldb, msg, ac->tree,
+ ac->scope, &matched);
if (ret != LDB_SUCCESS) {
talloc_free(keys);
talloc_free(msg);
}
}
+ /*
+ * The redaction callback may be expensive to call if it fetches a
+ * security descriptor. Check the DN early and bail out if it doesn't
+ * match the base.
+ */
+ if (!ldb_match_scope(ldb, ac->base, msg->dn, ac->scope)) {
+ talloc_free(msg);
+ return 0;
+ }
+
if (ldb->redact.callback != NULL) {
ret = ldb->redact.callback(ldb->redact.module, ac->req, msg);
if (ret != LDB_SUCCESS) {
}
/* see if it matches the given expression */
- ret = ldb_match_msg_error(ldb, msg,
- ac->tree, ac->base, ac->scope, &matched);
+ ret = ldb_match_message(ldb, msg,
+ ac->tree, ac->scope, &matched);
if (ret != LDB_SUCCESS) {
talloc_free(msg);
ac->error = LDB_ERR_OPERATIONS_ERROR;