[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Protecting a slapd Server from Excessive Client Queries

To: "Ramseyer, Ken" <ken.ramseyer@lmco.com>
Subject: Re: Protecting a slapd Server from Excessive Client Queries
From: Howard Chu <hyc@symas.com>
Date: Wed, 08 Feb 2006 13:02:56 -0800
Cc: OpenLDAP-software@OpenLDAP.org
In-reply-to: <32BA9E46B8BE584A8EEA3D355C00B6339170D3@emss09m08.us.lmco.com>
References: <32BA9E46B8BE584A8EEA3D355C00B6339170D3@emss09m08.us.lmco.com>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060115 SeaMonkey/1.5a Mnenhy/0.7.3.0

Ramseyer, Ken wrote:

I am trying to protect against a client that has somehow ended up in an
infinite loop with no sleep or delay, and this client is calling
ldap_search thousands of times a second.  Just one unruly or demanding
client can adversely affect service to all other clients.

Is there a way to configure slapd to prevent a single connection from
consuming less than half of the thread pool, or any other resources
(e.g., CPU, socket connections, etc.)?

As Kurt already mentioned, nothing else comes to mind.

It would be pretty simple to write an overlay that records the IP addresses of incoming search requests and does some form of rate limiting on them, rejecting/failing requests once a certain number of outstanding requests has been reached.

Ken R.
-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Howard Chu
Sent: Tuesday, February 07, 2006 6:34 PM
To: Kurt D. Zeilenga
Cc: Ramseyer, Ken; OpenLDAP-software@OpenLDAP.org
Subject: Re: Protecting a slapd Server from Excessive Client Queries
Kurt D. Zeilenga wrote:
At 11:27 AM 2/7/2006, Ramseyer, Ken wrote:
Can OpenLDAP (slapd) be protected from a runaway client process that repeatedly calls ldap_search thousands of times a second?
IIRC, slapd(8) will attempt to prevent a single connection to consume more than half thread pool. Of course, client which consumes half the
thread pool for even short periods of time can adversely affect service to other clients.

Beyond this, no other slapd(8) features come to mind.
And of course, a moderately powerful machine can easily service thousands of searches per second. So the other question is, what are you really trying to protect against?

--
 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 OpenLDAP Core Team            http://www.openldap.org/project/

Follow-Ups:
- Re: Protecting a slapd Server from Excessive Client Queries
  - From: "John Madden" <jmadden@ivytech.edu>

References:
- Protecting a slapd Server from Excessive Client Queries
  - From: "Ramseyer, Ken" <ken.ramseyer@lmco.com>

Prev by Date: Re: Modifying schemas
Next by Date: Re: Protecting a slapd Server from Excessive Client Queries
Index(es):
- Chronological
- Thread