[Date Prev][Date Next]
Re: Protecting a slapd Server from Excessive Client Queries
One other feature which may be of interest to you is
the 'limits' slapd.conf(5) directive.
I note that, in general, it is very difficult to stop a
client from denying service, whether by normal course
of events or otherwise, to other clients. I believe
concerns in this area are better addressed through
use of authentication (e.g., know your clients) and
monitoring for unusual and/or unexpected behaviors.
My primary reason for this belief is my realization
that policy restrictions intended to mitigate
denial-of-service issues often have the opposite
impact in reality.
At 11:34 AM 2/8/2006, Ramseyer, Ken wrote:
>I am trying to protect against a client that has somehow ended up in an
>infinite loop with no sleep or delay, and this client is calling
>ldap_search thousands of times a second. Just one unruly or demanding
>client can adversely affect service to all other clients.
>Is there a way to configure slapd to prevent a single connection from
>consuming less than half of the thread pool, or any other resources
>(e.g., CPU, socket connections, etc.)?
>[mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Howard Chu
>Sent: Tuesday, February 07, 2006 6:34 PM
>To: Kurt D. Zeilenga
>Cc: Ramseyer, Ken; OpenLDAP-software@OpenLDAP.org
>Subject: Re: Protecting a slapd Server from Excessive Client Queries
>Kurt D. Zeilenga wrote:
>> At 11:27 AM 2/7/2006, Ramseyer, Ken wrote:
>>> Can OpenLDAP (slapd) be protected from a runaway client process that
>>> repeatedly calls ldap_search thousands of times a second?
>> IIRC, slapd(8) will attempt to prevent a single connection to consume
>> more than half thread pool. Of course, client which consumes half the
>> thread pool for even short periods of time can adversely affect
>> service to other clients.
>> Beyond this, no other slapd(8) features come to mind.
>And of course, a moderately powerful machine can easily service
>thousands of searches per second. So the other question is, what are you
>really trying to protect against?
> -- Howard Chu
> Chief Architect, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc
> OpenLDAP Core Team http://www.openldap.org/project/