One other feature which may be of interest to you is the 'limits' slapd.conf(5) directive.

I note that, in general, it is very difficult to stop a client from denying service, whether by normal course of events or otherwise, to other clients. I believe concerns in this area are better addressed through use of authentication (e.g., know your clients) and monitoring for unusual and/or unexpected behaviors. My primary reason for this belief is my realization that policy restrictions intended to mitigate denial-of-service issues often have the opposite impact in reality.

Kurt

At 11:34 AM 2/8/2006, Ramseyer, Ken wrote:
>I am trying to protect against a client that has somehow ended up in an
>infinite loop with no sleep or delay, and this client is calling
>ldap_search thousands of times a second. Just one unruly or demanding
>client can adversely affect service to all other clients.
>
>Is there a way to configure slapd to prevent a single connection from
>consuming less than half of the thread pool, or any other resources
>(e.g., CPU, socket connections, etc.)?
>
>Ken R.
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Howard Chu
>Sent: Tuesday, February 07, 2006 6:34 PM
>To: Kurt D. Zeilenga
>Cc: Ramseyer, Ken; [email protected]
>Subject: Re: Protecting a slapd Server from Excessive Client Queries
>
>Kurt D. Zeilenga wrote:
>> At 11:27 AM 2/7/2006, Ramseyer, Ken wrote:
>>
>>> Can OpenLDAP (slapd) be protected from a runaway client process that
>>> repeatedly calls ldap_search thousands of times a second?
>>>
>>
>> IIRC, slapd(8) will attempt to prevent a single connection to consume
>> more than half thread pool. Of course, client which consumes half the
>> thread pool for even short periods of time can adversely affect
>> service to other clients.
>>
>> Beyond this, no other slapd(8) features come to mind.
>>
>And of course, a moderately powerful machine can easily service
>thousands of searches per second. So the other question is, what are you
>really trying to protect against?
>
>--
>  -- Howard Chu
>  Chief Architect, Symas Corp.  http://www.symas.com
>  Director, Highland Sun        http://highlandsun.com/hyc
>  OpenLDAP Core Team            http://www.openldap.org/project/
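
Added example, not part of the original thread or of OpenLDAP: one way to do the monitoring suggested in the reply is to count SRCH operations per connection per second in slapd's stats-level log and report connections that exceed a ceiling. The log lines are constructed samples, and the function names and the 200-per-second threshold are assumptions to be tuned to the server's normal load.

```python
import re
from collections import Counter

# syslog timestamp (one-second resolution), then slapd's "conn=N op=N SRCH" record.
SRCH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*?slapd\[\d+\]:\s"
    r"conn=(?P<conn>\d+)\sop=\d+\sSRCH\s")
ACCEPT_RE = re.compile(
    r"conn=(?P<conn>\d+)\sfd=\d+\sACCEPT\sfrom\sIP=(?P<ip>[^:\s]+)")


def find_runaway_connections(lines, max_per_second=200):
    """Return {conn_id: (peer_ip, peak_searches_per_second)} for connections
    whose SRCH count in any one-second bucket exceeds max_per_second."""
    per_bucket = Counter()  # (conn, timestamp) -> number of SRCH records
    peers = {}              # conn -> client IP taken from the ACCEPT record
    for line in lines:
        m = ACCEPT_RE.search(line)
        if m:
            peers[m["conn"]] = m["ip"]
            continue
        m = SRCH_RE.match(line)
        if m:
            per_bucket[(m["conn"], m["ts"])] += 1
    peak = {}
    for (conn, _ts), n in per_bucket.items():
        peak[conn] = max(n, peak.get(conn, 0))
    return {c: (peers.get(c, "unknown"), n)
            for c, n in peak.items() if n > max_per_second}


def constructed_sample():
    """Constructed log: conn 1001 is a normal client, conn 1002 loops on search."""
    pre = "Feb  8 11:34:0{s} ldap1 slapd[2101]: "
    srch = 'conn={c} op={o} SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=a)"'
    out = [
        pre.format(s=1) + "conn=1001 fd=14 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)",
        pre.format(s=1) + "conn=1002 fd=15 ACCEPT from IP=192.0.2.77:40022 (IP=0.0.0.0:389)",
    ]
    for op in range(1, 4):      # one search per second on conn 1001
        out.append(pre.format(s=op) + srch.format(c=1001, o=op))
    for op in range(3000):      # 2000 searches in second 2, 1000 in second 3
        out.append(pre.format(s=2 + op // 2000) + srch.format(c=1002, o=op))
    return out


if __name__ == "__main__":
    for conn, (ip, n) in find_runaway_connections(constructed_sample()).items():
        print(f"conn={conn} from {ip}: peak {n} searches/second")
```

The SRCH and ACCEPT records only appear when slapd logs at the stats level, so the check sees nothing on a server with that logging turned off.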
