RE: OpenLDAP 2.4.45 possible denial of service vulnerability?
- To: <hbohnenkamp@united-internet.de>, <openldap-technical@openldap.org>
- Subject: RE: OpenLDAP 2.4.45 possible denial of service vulnerability?
- From: <Juergen.Sprenger@swisscom.com>
- Date: Wed, 30 Jan 2019 11:52:35 +0000
- Accept-language: en-US, de-CH
- Content-language: en-US
- In-reply-to: <20190130112303.GA31384@united-internet.de>
- References: <88b17ef74a674a3ab355d93abf9d6c93@swisscom.com> <829dcca43782435dbdd8254cf261a5d3@swisscom.com> <20190130112303.GA31384@united-internet.de>
- Thread-topic: OpenLDAP 2.4.45 possible denial of service vulnerability?
Hi Henrik,
Many thanks for your advice:
- Yes, we started using the mdb backend and did not use it before.
- The LDAP tree is not very large; a slapcat dump has about 1.050 million lines and fewer than 50'000 DN entries.
- The LDAP tree contains 21661 attributes of type aliasedObjectName.
- Yes, alias dereferencing is used and set to "always". Clients should not, but may, do searches using "sub" instead of "one".
I will check whether using hdb will mitigate the problem.
Jürgen
-----Original Message-----
From: Henrik Bohnenkamp [mailto:hbohnenkamp@united-internet.de]
Sent: Wednesday, 30 January 2019 12:23
To: Sprenger Jürgen, INI-ONE-CIS-SDI-HES <Juergen.Sprenger@swisscom.com>
Subject: Re: OpenLDAP 2.4.45 possible denial of service vulnerability?
On Wed, Jan 30, 2019 at 10:17:47AM +0000, Juergen.Sprenger@swisscom.com wrote:
Hi Jürgen,
If you can answer all of the following questions with "yes", you might have the problem described in ITS#8875/ITS#7657 (http://www.openldap.org/its/index.cgi/Incoming?id=8875;selectid=8875):
- with the upgrade to 2.4.45, you started to use the mdb backend, and did not use it before
- your LDAP tree is large (> 1 Million entries)
- the LDAP tree contains many alias objects (> 64k)
- the clients causing the trouble make searches with scope "sub", and alias dereferencing set to "always"
Those are essentially the 4 conditions that led to a problem at my organisation similar to the one you described. The workaround was to go back to the hdb backend.
Henrik
--
Henrik Bohnenkamp
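As an added example that is not part of this thread: a small Python screen that checks a slapcat dump against Henrik's two size conditions (entry count and number of alias objects). slapcat writes standard LDIF, so the parser folds continuation lines and decodes base64 (`::`) values; the thresholds are taken from the mail, while the sample dump is constructed for illustration. It does not check the backend in use or the clients' search scope, which live in cn=config and the slapd logs.

```python
import base64
ENTRY_THRESHOLD = 1_000_000  # "> 1 Million entries", as stated in the thread
ALIAS_THRESHOLD = 64 * 1024  # "> 64k" alias objects, as stated in the thread
def iter_ldif_entries(text):
    """Yield each LDIF entry as (attr, value) pairs, attr names lowercased."""
    entry, pending = [], []
    def flush():
        # Emit the buffered logical line (folded continuation lines joined).
        if pending:
            name, _, rest = "".join(pending).partition(":")
            pending.clear()
            if rest.startswith(":"):  # '::' marks a base64-encoded value
                rest = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            entry.append((name.strip().lower(), rest.strip()))
    for raw in text.splitlines():
        if raw.startswith(" "):  # continuation of the previous logical line
            pending.append(raw[1:])
            continue
        flush()
        if raw:
            pending.append(raw)
        elif entry:  # blank line ends the current entry
            yield list(entry)
            entry.clear()
    flush()
    if entry:
        yield list(entry)
def summarize(text):
    """Count entries and aliasedObjectName attributes; flag the thread's two size conditions."""
    entries = alias_attrs = 0
    for entry in iter_ldif_entries(text):
        entries += 1
        alias_attrs += sum(1 for name, _ in entry if name == "aliasedobjectname")
    return {"entries": entries, "alias_attributes": alias_attrs,
            "large_tree": entries > ENTRY_THRESHOLD,
            "many_aliases": alias_attrs > ALIAS_THRESHOLD}
# Constructed sample dump (not from the thread): a base entry plus two aliases,
# one with a folded value and one with a base64-encoded aliasedObjectName.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
objectClass: dcObject

dn: cn=alias1,dc=example,dc=com
objectClass: alias
aliasedObjectName: cn=target one,ou=peop
 le,dc=example,dc=com

dn: cn=alias2,dc=example,dc=com
objectClass: alias
aliasedObjectName:: Y249dGFyZ2V0IHR3byxkYz1leGFtcGxlLGRjPWNvbQ==
"""
```

Run it against a real dump with `summarize(open("dump.ldif").read())`; the 21661 aliases reported above would be well under the 64k threshold, which is consistent with Jürgen's tree not meeting Henrik's checklist.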