
Re: Comments on draft-ietf-ldapext-trigger-01.txt



There's nothing in either the persistent search
or triggered search protocol elements that prevent
this, just like there's nothing in the basic LDAP
(or X.500 for that matter) protocol elements that
prevent 10-100 clients from making connections to
your server and beating the hell out of it in a
denial of service attack. Such things are handled
by administrative limits, sensible engineering and
configuration, audit trails, etc. Just as with any
operation that uses server resources, servers must
protect themselves from having too many resources
consumed by malicious or careless users.
        -- Tim

Alan Lloyd wrote:
> 
>  Just a quick one - (that's not like me eh!) :-)
> Is it possible with this feature say, for 10 -100 users to plant a
> triggered search on every entry, say in a 100k entry DIB LDAP server and
> for every entry update, the server has to check all 100 Users trigger
> requirements which include their ACLs and filters.
> 
> Sorry to be negative - but such features should be seen as totally open
> to abuse and a massive performance slug on low end LDAP servers.
> 
> regards alan
> --
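
The administrative limits mentioned in the reply, sketched as an added example that is not part of either message or of the draft: an admission check that caps standing (triggered or persistent) searches per bind DN, per server and by scope size, and counts the ACL and filter checks a single entry update then costs. The class, the limit values and the DNs are hypothetical and constructed for illustration; DN matching is a simplified lowercase suffix comparison.

```python
from collections import defaultdict

SUCCESS = 0
ADMIN_LIMIT_EXCEEDED = 11  # LDAP resultCode adminLimitExceeded


class StandingSearchRegistry:
    """Hypothetical server-side table of outstanding triggered/persistent searches."""

    def __init__(self, per_user_limit, server_limit, max_scope_entries):
        self.per_user_limit = per_user_limit
        self.server_limit = server_limit
        self.max_scope_entries = max_scope_entries
        self.by_user = defaultdict(list)  # bind DN -> base DNs of admitted searches
        self.total = 0

    def register(self, bind_dn, base_dn, scope_entries):
        """Admit or refuse a standing search; scope_entries = entries under base_dn."""
        if (scope_entries > self.max_scope_entries
                or len(self.by_user[bind_dn]) >= self.per_user_limit
                or self.total >= self.server_limit):
            return ADMIN_LIMIT_EXCEEDED
        self.by_user[bind_dn].append(base_dn.lower())
        self.total += 1
        return SUCCESS

    def checks_per_update(self, entry_dn):
        """Searches whose subtree covers entry_dn; each costs one ACL + filter check."""
        dn = entry_dn.lower()
        return sum(1 for bases in self.by_user.values() for b in bases
                   if dn == b or dn.endswith("," + b))


def simulate(registry, users=100):
    """Constructed load: every user asks for the whole 100k-entry DIB and two subtrees."""
    requests = [("dc=example,dc=com", 100_000),
                ("ou=people,dc=example,dc=com", 5_000),
                ("ou=groups,dc=example,dc=com", 500)]
    accepted = rejected = 0
    for i in range(users):
        for base, size in requests:
            if registry.register(f"uid=user{i},ou=people,dc=example,dc=com", base, size) == SUCCESS:
                accepted += 1
            else:
                rejected += 1
    return accepted, rejected, registry.checks_per_update("uid=alan,ou=people,dc=example,dc=com")


if __name__ == "__main__":
    print("no limits:", simulate(StandingSearchRegistry(10**9, 10**9, 10**9)))
    print("limited:  ", simulate(StandingSearchRegistry(2, 20, 10_000)))
```

Logging each refused registration with its bind DN would give the audit trail the reply also mentions.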