[Date Prev][Date Next]
Re: Protecting a slapd Server from Excessive Client Queries
Ramseyer, Ken wrote:
I am trying to protect against a client that has somehow ended up in an
infinite loop with no sleep or delay, and this client is calling
ldap_search thousands of times a second. Just one unruly or demanding
client can adversely affect service to all other clients.
Is there a way to configure slapd to prevent a single connection from
consuming less than half of the thread pool, or any other resources
(e.g., CPU, socket connections, etc.)?
As Kurt already mentioned, nothing else comes to mind.
It would be pretty simple to write an overlay that records the IP
addresses of incoming search requests and does some form of rate
limiting on them, rejecting/failing requests once a certain number of
outstanding requests has been reached.
[mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Howard Chu
Sent: Tuesday, February 07, 2006 6:34 PM
To: Kurt D. Zeilenga
Cc: Ramseyer, Ken; OpenLDAP-software@OpenLDAP.org
Subject: Re: Protecting a slapd Server from Excessive Client Queries
Kurt D. Zeilenga wrote:
At 11:27 AM 2/7/2006, Ramseyer, Ken wrote:
Can OpenLDAP (slapd) be protected from a runaway client process that
repeatedly calls ldap_search thousands of times a second?IIRC, slapd(8) will attempt to prevent a single connection to consume
more than half thread pool. Of course, client which consumes half the
thread pool for even short periods of time can adversely affect
service to other clients.And of course, a moderately powerful machine can easily service
Beyond this, no other slapd(8) features come to mind.
thousands of searches per second. So the other question is, what are you
really trying to protect against?
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/