
Re: Comments on draft-ietf-ldapext-trigger-01.txt



Perhaps implementors should take a note of this issue and provide some form
of "access control" to limit the use of triggered or persistent search
operations to authorized users?

Ian

-----Original Message-----
From: Tim Howes <howes@netscape.com>
To: Alan Lloyd <Alan.Lloyd@OpenDirectory.com.au>
Cc: 'ietf-ldapext@netscape.com ' <ietf-ldapext@netscape.com>
Date: Thursday, August 13, 1998 3:41 PM
Subject: Re: Comments on draft-ietf-ldapext-trigger-01.txt


>There's nothing in either the persistent search
>or triggered search protocol elements that prevent
>this, just like there's nothing in the basic LDAP
>(or X.500 for that matter) protocol elements that
>prevent 10-100 clients from making connections to
>your server and beating the hell out of it in a
>denial of service attack. Such things are handled
>by administrative limits, sensible engineering and
>configuration, audit trails, etc. Just as with any
>operation that uses server resources, servers must
>protect themselves from having too many resources
>consumed by malicious or careless users.
>        -- Tim
>
>Alan Lloyd wrote:
>>
>> Just a quick one - (that's not like me eh!) :-)
>> Is it possible with this feature, say, for 10-100 users to plant a
>> triggered search on every entry, say in a 100k entry DIB LDAP server, and
>> for every entry update the server has to check all 100 users' trigger
>> requirements, which include their ACLs and filters?
>>
>> Sorry to be negative - but such features should be seen as totally open
>> to abuse and a massive performance slug on low end LDAP servers.
>>
>> regards alan
>> --