On Wednesday 08 February 2006 21:34, Ramseyer, Ken wrote:
> I am trying to protect against a client that has somehow ended up in an
> infinite loop with no sleep or delay, and this client is calling
> ldap_search thousands of times a second. Just one unruly or demanding
> client can adversely affect service to all other clients.

If this search is on an indexed attribute, there should not be a large impact to the server in terms of being able to serve requests.

10 instances (on a client that is faster than the server) of slapd-search (from tests/progs) managed to generate a load average of ~ 3 on one of our test servers, doing in total ~ 15000 searches a second. Queries by other clients (i.e. manual ldapsearch) didn't seem to be affected much.

I think it would take a lot of processes like this to DOS your LDAP server, if:
1) you index anything likely to be searched
2) you don't allow (any|unauthenticated) searches on attributes that aren't indexed.

However, valid clients may have good reason to put reasonable load on your LDAP servers (our mail servers can easily generate > 1000 searches/sec on one LDAP server).

If you *really* are being hit by a client like this, you should be able to notice it, but it shouldn't have such a great impact (on other clients), unless it is a large number of processes.

Binds may take up a bit more in terms of resources (and obviously any writes), but then it's pretty easy to bring those to an end without access to the machine doing them ...

Regards,
Buchan

--
Buchan Milne
ISP Systems Specialist
B.Eng,RHCE(803004789010797),LPIC-2(LPI000074592)
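Added example, not part of the original message and not OpenLDAP code: one way to notice a runaway client like the one discussed above is to count SRCH operations per client per second in slapd's log. It assumes slapd logs at the stats level through syslog with one-second timestamps; the log lines, host name and addresses are constructed, and the function names and threshold are illustrative.

```python
import re
from collections import Counter

# slapd stats-level log lines: ACCEPT ties a connection id to a peer address,
# SRCH records one search operation on that connection.
ACCEPT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) .*conn=(?P<conn>\d+) fd=\d+ ACCEPT from IP=(?P<ip>\S+):\d+")
SRCH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) .*conn=(?P<conn>\d+) op=\d+ SRCH ")

def peak_search_rates(lines):
    """Return {client_ip: highest number of SRCH operations logged in any one second}."""
    conn_to_ip = {}
    per_second = Counter()  # (ip, timestamp) -> searches logged in that second
    for line in lines:
        m = ACCEPT_RE.match(line)
        if m:
            conn_to_ip[m["conn"]] = m["ip"]
            continue
        m = SRCH_RE.match(line)
        if m:
            # Connections accepted before the log window have no ACCEPT line.
            ip = conn_to_ip.get(m["conn"], "unknown")
            per_second[(ip, m["ts"])] += 1
    peaks = {}
    for (ip, _ts), count in per_second.items():
        peaks[ip] = max(peaks.get(ip, 0), count)
    return peaks

def noisy_clients(lines, threshold):
    """Client IPs whose peak searches/sec exceeds a site-specific threshold."""
    return sorted(ip for ip, peak in peak_search_rates(lines).items() if peak > threshold)

# Constructed sample log (not captured from a real server).
PREFIX = "ldap1 slapd[2101]:"
SAMPLE_LOG = [
    f"Feb  8 21:30:01 {PREFIX} conn=1001 fd=14 ACCEPT from IP=192.0.2.10:40112 (IP=0.0.0.0:389)",
    f"Feb  8 21:30:01 {PREFIX} conn=1002 fd=15 ACCEPT from IP=192.0.2.20:51544 (IP=0.0.0.0:389)",
    f'Feb  8 21:30:01 {PREFIX} conn=1002 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(mail=bob@example.com)"',
] + [
    f'Feb  8 21:30:02 {PREFIX} conn=1001 op={op} SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=alice)"'
    for op in range(1, 6)
] + [
    f'Feb  8 21:30:03 {PREFIX} conn=1001 op=6 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=alice)"',
]

if __name__ == "__main__":
    # Threshold of 3 is only for the tiny sample; legitimate clients can be far busier.
    print(peak_search_rates(SAMPLE_LOG), noisy_clients(SAMPLE_LOG, 3))
```

Set the threshold from your own baseline: as the message notes, legitimate clients such as mail servers can exceed 1000 searches/sec.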