[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Problem with searches on unindexed attributes



Pierangelo Masarati wrote:

Hi,

Here is my problem...

When I do an anonymous search on an unindexed attribute, the load on my
server goes way up (a slapd process takes all the cpu).  Turning on
heavy logging, I was able to see that this process actually goes through
all of our 40,000 records and checks if "anonymous" can perform a
search  operation on this attribute for this record (which he can't
because we  block pretty much everything to "anonymous" in our ACLs).
Of course,  doing this takes a lot of time.  If I do the same thing on
an indexed  attribute, it only goes through a few records instead of all
of them  (which is correct).

Currently, this is only a minor problem since only a few trusted servers
can communicate with our ldap server and we simply don't perform
searches on unindexed attributes.  However, this will change soon and we
don't want somebody to put the server down by sending a bunch of
anonymous searches on unindexed attributes.

Of course, building indexes on all the attributes would solve the
problem.  However, I already have indexes for all the attributes on
which I want to allow searches (my ACLs block searches on all the other
attributes anyway) and don't really need more (I've got a lot of
unindexed attributes).

Is there any way to completely disable searches on an attribute? Any
way to make the process return without going through all the records?



You can use search limits by setting a low limit on filter candidates for anonymous searches. This is available since 2.1; unfortunately you don't state what version of the software you're using ...

p.


Thanks!  This should do just fine (we are using 2.1.22).