I would rather use the time-out feature in the binding to resolve regular on-line ad-hoc query issues. For attacks, a firewall or ACL is better than building complete performance-aware logic... too complicated for general purpose.
From: Marijn Meijles [mailto:firstname.lastname@example.org]
Sent: Saturday, September 23, 2000 6:44 PM
To: Booker C. Bense
Cc: Kurt D. Zeilenga; peter; Marijn Meijles; openldap-devel@OpenLDAP.org
Subject: Re: some thoughts on indexing (Was: Some openldap fixes...
> > To disallow operations which would tie up the server for huge
> > amounts of time.
> - I think this is a great idea. It's a feature that I've often
> wanted. In the years we've been running ldap in production we've
> had more than a few inadvertent DOS attacks. As ldap gains more
> and more visibility and becomes part of the authority infrastructure,
> features like this are a MUST in my humble opinion. At this point
> we are so dependent on having the ldap server up that we've had
> to close the ldap server to general access.
This is easier said than done. For example, we remove wildcards from
user input before we use it in queries because otherwise it bogs down
the server. But for admin purposes it can be handy. So you would have
to make a lot of security options which you can specify per user/host.
- size and time limit per attribute
- wildcard stuff
- limit on number of threads to prevent DOS by saturation
- limit on candidate table size (been there, done that ;) )
If vegetable oil is made of vegetables, and olive oil is made of
olives, what is baby oil made of?
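Marijn's point about stripping wildcards from user input before they reach a query, as an added example that is not from the thread or from OpenLDAP itself: a small Python helper that escapes untrusted values per RFC 4515 (so a user cannot turn an equality match into a substring scan), lets an admin path keep wildcards, and flags leading-wildcard assertions that the server cannot answer from an index. Function names are my own.

```python
import re

# Added example, not OpenLDAP code: RFC 4515 escapes for characters that are
# special inside an LDAP search filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str, allow_wildcards: bool = False) -> str:
    """Escape a value for use inside an LDAP search filter.

    With allow_wildcards=False (the default for untrusted input) '*' is
    escaped as well, so "jdoe*" stays an equality match on the literal
    string. With allow_wildcards=True, as an admin tool might want, a raw
    '*' passes through and becomes a substring match."""
    out = []
    for ch in value:
        if ch == "*" and allow_wildcards:
            out.append(ch)
        else:
            out.append(_ESCAPES.get(ch, ch))
    return "".join(out)

def build_equality_filter(attr: str, value: str, allow_wildcards: bool = False) -> str:
    """Build "(attr=value)" with the value escaped as above."""
    return f"({attr}={escape_filter_value(value, allow_wildcards)})"

# One "(attr=value)" assertion; values never contain raw parentheses
# after escaping, so this is enough to pull them out of an AND/OR filter.
_ASSERTION = re.compile(r"\(([A-Za-z][\w.;-]*)=([^()]*)\)")

def expensive_assertions(filt: str) -> list:
    """Return the (attr, value) assertions whose value starts with a raw
    wildcard. Since escape_filter_value() turns a literal '*' into '\\2a',
    any remaining '*' is a real wildcard; a leading one ("*son") means the
    server must walk every value of the attribute instead of using its
    substring index, which is the kind of query that ties a server up."""
    return [(a, v) for a, v in _ASSERTION.findall(filt) if v.startswith("*")]
```

A server-side check on incoming filters can use expensive_assertions() to reject or rate-limit such searches for non-admin binds.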