[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Protecting a slapd Server from Excessive Client Queries

To: "Ramseyer, Ken" <ken.ramseyer@lmco.com>
Subject: Re: Protecting a slapd Server from Excessive Client Queries
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Wed, 08 Feb 2006 15:08:47 -0800
Cc: OpenLDAP-software@OpenLDAP.org
In-reply-to: <32BA9E46B8BE584A8EEA3D355C00B6339170D3@emss09m08.us.lmco.c om>
References: <32BA9E46B8BE584A8EEA3D355C00B6339170D3@emss09m08.us.lmco.com>

One other feature which may be of interest to you is
the 'limits' slapd.conf(5) directive.

I note that, in general, it is very difficult to stop a
client from denying service, whether by normal course
of events or otherwise, to other clients.  I believe
concerns in this area are better addressed through
use of authentication (e.g., know your clients) and
monitoring for unusual and/or unexpected behaviors. 
My primary reason for this belief is my realization
that policy restrictions intended to mitigate
denial-of-service issues often have the opposite
impact in reality.

Kurt

At 11:34 AM 2/8/2006, Ramseyer, Ken wrote:
>I am trying to protect against a client that has somehow ended up in an
>infinite loop with no sleep or delay, and this client is calling
>ldap_search thousands of times a second.  Just one unruly or demanding
>client can adversely affect service to all other clients.
>
>Is there a way to configure slapd to prevent a single connection from
>consuming less than half of the thread pool, or any other resources
>(e.g., CPU, socket connections, etc.)?
>
>Ken R.
>
>-----Original Message-----
>From: owner-openldap-software@OpenLDAP.org
>[mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Howard Chu
>Sent: Tuesday, February 07, 2006 6:34 PM
>To: Kurt D. Zeilenga
>Cc: Ramseyer, Ken; OpenLDAP-software@OpenLDAP.org
>Subject: Re: Protecting a slapd Server from Excessive Client Queries
>
>Kurt D. Zeilenga wrote:
>> At 11:27 AM 2/7/2006, Ramseyer, Ken wrote:
>>   
>>> Can OpenLDAP (slapd) be protected from a runaway client process that 
>>> repeatedly calls ldap_search thousands of times a second?
>>>     
>>
>> IIRC, slapd(8) will attempt to prevent a single connection to consume 
>> more than half thread pool.  Of course, client which consumes half the
>
>> thread pool for even short periods of time can adversely affect 
>> service to other clients.
>>
>> Beyond this, no other slapd(8) features come to mind.
>>   
>And of course, a moderately powerful machine can easily service
>thousands of searches per second. So the other question is, what are you
>really trying to protect against?
>
>--
>  -- Howard Chu
>  Chief Architect, Symas Corp.  http://www.symas.com
>  Director, Highland Sun        http://highlandsun.com/hyc
>  OpenLDAP Core Team            http://www.openldap.org/project/

References:
- Protecting a slapd Server from Excessive Client Queries
  - From: "Ramseyer, Ken" <ken.ramseyer@lmco.com>

Prev by Date: 2.3.19 and memory usage
Next by Date: Re: 2.3.19 and memory usage
Index(es):
- Chronological
- Thread