[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Problem with searches on unindexed attributes
> Hi,
>
> Here is my problem...
>
> When I do an anonymous search on an unindexed attribute, the load on my
> server goes way up (a slapd process takes all the cpu). Turning on
> heavy logging, I was able to see that this process actually goes through
> all of our 40,000 records and checks if "anonymous" can perform a
> search operation on this attribute for this record (which he can't
> because we block pretty much everything to "anonymous" in our ACLs).
> Of course, doing this takes a lot of time. If I do the same thing on
> an indexed attribute, it only goes through a few records instead of all
> of them (which is correct).
>
> Currently, this is only a minor problem since only a few trusted servers
> can communicate with our ldap server and we simply don't perform
> searches on unindexed attributes. However, this will change soon and we
> don't want somebody to put the server down by sending a bunch of
> anonymous searches on unindexed attributes.
>
> Of course, building indexes on all the attributes would solve the
> problem. However, I already have indexes for all the attributes on
> which I want to allow searches (my ACLs block searches on all the other
> attributes anyway) and don't really need more (I've got a lot of
> unindexed attributes).
>
> Is there any way to completely disable searches on an attribute? Any
> way to make the process return without going through all the records?
You can use search limits by setting a low limit
on filter candidates for anonymous searches. This
is available since 2.1; unfortunately you don't
state what version of the software you're using ...
p.
--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it