[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Protecting a slapd Server from Excessive Client Queries

One other feature which may be of interest to you is
the 'limits' slapd.conf(5) directive.

I note that, in general, it is very difficult to stop a
client from denying service, whether by normal course
of events or otherwise, to other clients.  I believe
concerns in this area are better addressed through
use of authentication (e.g., know your clients) and
monitoring for unusual and/or unexpected behaviors. 
My primary reason for this belief is my realization
that policy restrictions intended to mitigate
denial-of-service issues often have the opposite
impact in reality.


At 11:34 AM 2/8/2006, Ramseyer, Ken wrote:
>I am trying to protect against a client that has somehow ended up in an
>infinite loop with no sleep or delay, and this client is calling
>ldap_search thousands of times a second.  Just one unruly or demanding
>client can adversely affect service to all other clients.
>Is there a way to configure slapd to prevent a single connection from
>consuming less than half of the thread pool, or any other resources
>(e.g., CPU, socket connections, etc.)?
>Ken R.
>-----Original Message-----
>From: owner-openldap-software@OpenLDAP.org
>[mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Howard Chu
>Sent: Tuesday, February 07, 2006 6:34 PM
>To: Kurt D. Zeilenga
>Cc: Ramseyer, Ken; OpenLDAP-software@OpenLDAP.org
>Subject: Re: Protecting a slapd Server from Excessive Client Queries
>Kurt D. Zeilenga wrote:
>> At 11:27 AM 2/7/2006, Ramseyer, Ken wrote:
>>> Can OpenLDAP (slapd) be protected from a runaway client process that 
>>> repeatedly calls ldap_search thousands of times a second?
>> IIRC, slapd(8) will attempt to prevent a single connection to consume 
>> more than half thread pool.  Of course, client which consumes half the
>> thread pool for even short periods of time can adversely affect 
>> service to other clients.
>> Beyond this, no other slapd(8) features come to mind.
>And of course, a moderately powerful machine can easily service
>thousands of searches per second. So the other question is, what are you
>really trying to protect against?
>  -- Howard Chu
>  Chief Architect, Symas Corp.  http://www.symas.com
>  Director, Highland Sun        http://highlandsun.com/hyc
>  OpenLDAP Core Team            http://www.openldap.org/project/