Protecting a slapd Server from Excessive Client Queries
- To: OpenLDAP-software@OpenLDAP.org
- Subject: Protecting a slapd Server from Excessive Client Queries
- From: "Ramseyer, Ken" <ken.ramseyer@lmco.com>
- Date: Wed, 08 Feb 2006 14:34:28 -0500
I am trying to protect against a client that has somehow ended up in an
infinite loop with no sleep or delay, and this client is calling
ldap_search thousands of times a second. Just one unruly or demanding
client can adversely affect service to all other clients.
Is there a way to configure slapd to prevent a single connection from
consuming less than half of the thread pool, or any other resources
(e.g., CPU, socket connections, etc.)?
Ken R.
-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Howard Chu
Sent: Tuesday, February 07, 2006 6:34 PM
To: Kurt D. Zeilenga
Cc: Ramseyer, Ken; OpenLDAP-software@OpenLDAP.org
Subject: Re: Protecting a slapd Server from Excessive Client Queries
Kurt D. Zeilenga wrote:
> At 11:27 AM 2/7/2006, Ramseyer, Ken wrote:
>
>> Can OpenLDAP (slapd) be protected from a runaway client process that
>> repeatedly calls ldap_search thousands of times a second?
>>
>
> IIRC, slapd(8) will attempt to prevent a single connection from consuming
> more than half the thread pool. Of course, a client which consumes half the
> thread pool for even short periods of time can adversely affect
> service to other clients.
>
> Beyond this, no other slapd(8) features come to mind.
>
And of course, a moderately powerful machine can easily service
thousands of searches per second. So the other question is, what are you
really trying to protect against?
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
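
For locating the kind of runaway client discussed in this thread, the following is an added example; it is not from any poster in the thread and is not OpenLDAP code. It counts SRCH operations per connection per second in slapd's syslog output and assumes stats-level logging is enabled; the log lines, host name, addresses and the threshold are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: conn=1002 behaves normally, conn=1001 loops on searches.
HDR = "ldap1 slapd[2101]:"
SRCH_ARGS = 'SRCH base="dc=example,dc=com" scope=2 deref=0'
SAMPLE_LOG = [
    f"Feb  8 14:30:00 {HDR} conn=1001 fd=12 ACCEPT from IP=192.0.2.10:41234 (IP=0.0.0.0:389)",
    f"Feb  8 14:30:00 {HDR} conn=1002 fd=13 ACCEPT from IP=192.0.2.20:50112 (IP=0.0.0.0:389)",
    f'Feb  8 14:30:01 {HDR} conn=1002 op=1 {SRCH_ARGS} filter="(uid=alice)"',
    f'Feb  8 14:30:02 {HDR} conn=1002 op=2 {SRCH_ARGS} filter="(uid=bob)"',
] + [
    f'Feb  8 14:30:01 {HDR} conn=1001 op={n} {SRCH_ARGS} filter="(uid=carol)"'
    for n in range(1, 6)
]

# ACCEPT lines map a connection id to its peer address (IPv4 or [IPv6]).
ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=(\S+):\d+\s")
# SRCH lines carry the syslog timestamp (1 s resolution) and the connection id.
SRCH_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ slapd\[\d+\]: conn=(\d+) op=\d+ SRCH ")

def find_runaway_connections(lines, max_per_second):
    """Return {conn_id: (peer_ip, peak_searches_per_second)} for every
    connection whose busiest second exceeds max_per_second."""
    peers = {}
    per_second = defaultdict(Counter)  # conn id -> {timestamp: search count}
    for line in lines:
        accept = ACCEPT_RE.search(line)
        if accept:
            peers[accept.group(1)] = accept.group(2)
            continue
        srch = SRCH_RE.match(line)
        if srch:
            per_second[srch.group(2)][srch.group(1)] += 1
    flagged = {}
    for conn, buckets in per_second.items():
        peak = max(buckets.values())
        if peak > max_per_second:
            # The ACCEPT line may have rotated out of the log being read.
            flagged[conn] = (peers.get(conn, "unknown"), peak)
    return flagged

if __name__ == "__main__":
    # Threshold of 3 suits the tiny sample only; pick one from real baselines.
    for conn, (peer, peak) in find_runaway_connections(SAMPLE_LOG, 3).items():
        print(f"conn={conn} from {peer}: peak {peak} searches/second")
```
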