Re: Problem with searches on unindexed attributes

["Pierangelo Masarati" <ando@sys-net.it>]

> Hi,
>
> Here is my problem...
>
> When I do an anonymous search on an unindexed attribute, the load on my
> server goes way up (a slapd process takes all the cpu).  Turning on
> heavy logging, I was able to see that this process actually goes through
>  all of our 40,000 records and checks if "anonymous" can perform a
> search  operation on this attribute for this record (which he can't
> because we  block pretty much everything to "anonymous" in our ACLs).
> Of course,  doing this takes a lot of time.  If I do the same thing on
> an indexed  attribute, it only goes through a few records instead of all
> of them  (which is correct).
>
> Currently, this is only a minor problem since only a few trusted servers
>  can communicate with our ldap server and we simply don't perform
> searches on unindexed attributes.  However, this will change soon and we
>  don't want somebody to put the server down by sending a bunch of
> anonymous searches on unindexed attributes.
>
> Of course, building indexes on all the attributes would solve the
> problem.  However, I already have indexes for all the attributes on
> which I want to allow searches (my ACLs block searches on all the other
> attributes anyway) and don't really need more (I've got a lot of
> unindexed attributes).
>
> Is there any way to completely disable searches on an attribute?  Any
> way to make the process return without going through all the records?

You can use search limits by setting a low limit
on filter candidates for anonymous searches.  This
is available since 2.1; unfortunately you don't
state what version of the software you're using ...

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it