Protecting a slapd Server from Excessive Client Queries

["Ramseyer, Ken" <ken.ramseyer@lmco.com>]

I am trying to protect against a client that has somehow ended up in an
infinite loop with no sleep or delay, and this client is calling
ldap_search thousands of times a second.  Just one unruly or demanding
client can adversely affect service to all other clients.

Is there a way to configure slapd to prevent a single connection from
consuming less than half of the thread pool, or any other resources
(e.g., CPU, socket connections, etc.)?

Ken R.

-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Howard Chu
Sent: Tuesday, February 07, 2006 6:34 PM
To: Kurt D. Zeilenga
Cc: Ramseyer, Ken; OpenLDAP-software@OpenLDAP.org
Subject: Re: Protecting a slapd Server from Excessive Client Queries

Kurt D. Zeilenga wrote:
> At 11:27 AM 2/7/2006, Ramseyer, Ken wrote:
>   
>> Can OpenLDAP (slapd) be protected from a runaway client process that 
>> repeatedly calls ldap_search thousands of times a second?
>>     
>
> IIRC, slapd(8) will attempt to prevent a single connection to consume 
> more than half thread pool.  Of course, client which consumes half the

> thread pool for even short periods of time can adversely affect 
> service to other clients.
>
> Beyond this, no other slapd(8) features come to mind.
>   
And of course, a moderately powerful machine can easily service
thousands of searches per second. So the other question is, what are you
really trying to protect against?

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/