
Re: Protecting a slapd Server from Excessive Client Queries



Ramseyer, Ken wrote:
I am trying to protect against a client that has somehow ended up in an
infinite loop with no sleep or delay, and this client is calling
ldap_search thousands of times a second.  Just one unruly or demanding
client can adversely affect service to all other clients.

Is there a way to configure slapd to prevent a single connection from
consuming less than half of the thread pool, or any other resources
(e.g., CPU, socket connections, etc.)?

As Kurt already mentioned, nothing else comes to mind.

It would be pretty simple to write an overlay that records the IP addresses of incoming search requests and does some form of rate limiting on them, rejecting/failing requests once a certain number of outstanding requests has been reached.
Ken R.

-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Howard Chu
Sent: Tuesday, February 07, 2006 6:34 PM
To: Kurt D. Zeilenga
Cc: Ramseyer, Ken; OpenLDAP-software@OpenLDAP.org
Subject: Re: Protecting a slapd Server from Excessive Client Queries

Kurt D. Zeilenga wrote:
At 11:27 AM 2/7/2006, Ramseyer, Ken wrote:
Can OpenLDAP (slapd) be protected from a runaway client process that repeatedly calls ldap_search thousands of times a second?
IIRC, slapd(8) will attempt to prevent a single connection to consume more than half thread pool. Of course, client which consumes half the thread pool for even short periods of time can adversely affect service to other clients.

Beyond this, no other slapd(8) features come to mind.
And of course, a moderately powerful machine can easily service
thousands of searches per second. So the other question is, what are you
really trying to protect against?


--
 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 OpenLDAP Core Team            http://www.openldap.org/project/
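
The per-IP limit on outstanding search requests suggested in the reply above, as a standalone C model. This is an added example, not code from the thread or from OpenLDAP; it uses no slapd overlay API, and the names `search_begin`, `search_end`, `MAX_PEERS` and `MAX_OUTSTANDING` and their values are assumptions.

```c
/* Added example: standalone model of a per-peer cap on outstanding searches,
 * not slapd code. A multithreaded server must also lock this table. */
#include <stdio.h>
#include <string.h>

#define MAX_PEERS       64  /* assumed table size */
#define MAX_OUTSTANDING 4   /* assumed per-IP limit */

struct peer { char ip[46]; int outstanding; };  /* 46 fits a textual IPv6 address */
static struct peer peers[MAX_PEERS];

/* Return the slot for ip; with create set, claim a free slot if it has none. */
static struct peer *peer_lookup(const char *ip, int create)
{
    struct peer *free_slot = NULL;
    for (int i = 0; i < MAX_PEERS; i++) {
        if (peers[i].ip[0] == '\0') {
            if (!free_slot) free_slot = &peers[i];
        } else if (strcmp(peers[i].ip, ip) == 0) {
            return &peers[i];
        }
    }
    if (!create || !free_slot) return NULL;
    snprintf(free_slot->ip, sizeof free_slot->ip, "%s", ip);
    free_slot->outstanding = 0;
    return free_slot;
}

/* Call when a search arrives: 1 = admit, 0 = reject (over limit or table full). */
int search_begin(const char *ip)
{
    struct peer *p = (ip && *ip) ? peer_lookup(ip, 1) : NULL;
    if (!p || p->outstanding >= MAX_OUTSTANDING) return 0;
    p->outstanding++;
    return 1;
}

/* Call when an admitted search finishes; the slot is freed at zero. */
void search_end(const char *ip)
{
    struct peer *p = ip ? peer_lookup(ip, 0) : NULL;
    if (p && p->outstanding > 0 && --p->outstanding == 0) p->ip[0] = '\0';
}

int main(void)
{
    for (int i = 0; i < 6; i++)  /* constructed burst from one address */
        printf("search %d: %s\n", i + 1, search_begin("192.0.2.10") ? "admit" : "reject");
    return 0;
}
```

Rejecting when the table is full fails closed, so a flood of distinct source addresses cannot evict the counters of peers that are already over the limit.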