
Re: Protecting a slapd Server from Excessive Client Queries

On Wednesday 08 February 2006 21:34, Ramseyer, Ken wrote:
> I am trying to protect against a client that has somehow ended up in an
> infinite loop with no sleep or delay, and this client is calling
> ldap_search thousands of times a second.  Just one unruly or demanding
> client can adversely affect service to all other clients.

If this search is on an indexed attribute, there should not be a large impact 
to the server in terms of being able to serve requests.

10 instances (on a client that is faster than the server) of slapd-search 
(from tests/progs) managed to generate a load average of ~ 3 on one of our 
test servers, doing in total ~ 15000 searches a second. Queries by other 
clients (i.e. manual ldapsearch) didn't seem to be affected much. I think it 
would take a lot of processes like this to DoS your LDAP server, if:

1) you index anything likely to be searched
2) you don't allow (any|unauthenticated) searches on attributes that aren't 

However, valid clients may have good reason to put reasonable load on your 
LDAP servers (our mail servers can easily generate > 1000 searches/sec on one 
LDAP server).

If you *really* are being hit by a client like this, you should be able to 
notice it, but it shouldn't have such a great impact (on other clients), 
unless it is a large number of processes.

Binds may take up a bit more in terms of resources (and obviously any 
writes), but then it's pretty easy to bring those to an end without access to 
the machine doing them ...


Buchan Milne
ISP Systems Specialist

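One way to notice a client like the one discussed in this thread, added here as an example and not part of the original message or of OpenLDAP: count SRCH operations per client address per second from slapd's syslog output. It assumes the server logs at "loglevel stats"; the function names, the threshold and the allowlist (for legitimately busy clients such as mail servers) are hypothetical, and the log lines are constructed.

```python
import re
from collections import Counter

# Line shapes assumed from slapd "loglevel stats" syslog output (IPv4 peers only).
ACCEPT = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([^:\s]+):\d+")
SEARCH = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ slapd\[\d+\]: conn=(\d+) op=\d+ SRCH ")

def noisy_clients(lines, max_per_sec, allowlist=()):
    """Return {client_ip: peak searches in one second} for clients above max_per_sec."""
    conn_ip = {}            # connection id -> client address, learned from ACCEPT lines
    per_sec = Counter()     # (client address, timestamp) -> number of SRCH operations
    for line in lines:
        m = ACCEPT.search(line)
        if m:
            conn_ip[m.group(1)] = m.group(2)
            continue
        m = SEARCH.match(line)
        if m:
            # Searches on connections accepted before the log window are grouped together.
            ip = conn_ip.get(m.group(2), "unknown")
            per_sec[(ip, m.group(1))] += 1
    peaks = {}
    for (ip, _ts), count in per_sec.items():
        if ip not in allowlist and count > max_per_sec:
            peaks[ip] = max(peaks.get(ip, 0), count)
    return peaks

def sample_log():
    """Constructed log: .10 loops on ldap_search, .20 is a quiet client, .30 a busy mail server."""
    head = "Feb  8 21:34:0%d ldap1 slapd[1234]: "
    peers = [(101, "192.0.2.10"), (102, "192.0.2.20"), (103, "192.0.2.30")]
    out = [head % 0 + "conn=%d fd=%d ACCEPT from IP=%s:5000%d (IP=0.0.0.0:389)" % (c, c, ip, i)
           for i, (c, ip) in enumerate(peers)]
    srch = 'conn=%d op=%d SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=u%d)"'
    # (second, connection id, number of searches issued in that second)
    for sec, conn, count in [(1, 101, 40), (1, 102, 3), (1, 103, 25), (2, 101, 55), (2, 103, 30)]:
        out += [head % sec + srch % (conn, op, op) for op in range(count)]
    return out

if __name__ == "__main__":
    # Threshold of 20/sec is only sized for the constructed sample above.
    for ip, peak in sorted(noisy_clients(sample_log(), 20, allowlist={"192.0.2.30"}).items()):
        print("%s peaked at %d searches/sec" % (ip, peak))
```

On a real server the threshold has to sit well above the rates that known clients generate, which is why the allowlist is applied before a client is reported.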