Hello, We sometimes have enterprise applications that aggressively generate several thousand requests per second or repeatedly attempt bind operations. In the past, this caused side effects such as reaching the maximum number of open files or excessive disk usage, which could make OpenLDAP unresponsive to clients. These issues have now been resolved, but management requested further action. We are currently working on monitoring improvements based on request logs, which could also trigger protective measures if needed.
In most cases, these problems are caused by poorly developed LDAP integrations. ________________________________ De : Howard Chu <[email protected]> Envoyé : dimanche 21 septembre 2025 17:30 À : Souji Thenria <[email protected]>; BECOT Jérôme <[email protected]>; openldap-technical <[email protected]> Objet : Re: Request rate limiting ATTENTION : Cet e-mail provient de l'extérieur de l'organisation. Ne cliquez pas sur les liens et n'ouvrez pas les pièces jointes à moins que vous ne reconnaissiez l'expéditeur et que vous sachiez que le contenu est sûr. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Souji Thenria wrote: > On Fri Sep 19, 2025 at 3:53 PM CEST, BECOT Jérôme wrote: >> Hello, >> >> Is there any way to limit bind query rates or any operation rate in OpenLDAP >> or in conjunction of another proxy ? I'm curious about why you need any rate limiting. What problem are you having? >> >> Any advice appreciated Regards Jerome > > Hi Jerome, > > I'm not aware of any way to do that with OpenLDAP itself. However, it should > be possible to use some kind of proxy or your firewall to limit the number of > TCP connections per client within a specified time frame. Note, though, that > this would only limit the number of bind requests, not the number of > operations a client can perform once the connection is established. > > Regards, Souji > - -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/ -----BEGIN PGP SIGNATURE----- iF0EAREKAB0WIQSUBGGam6fLX3meDqH9KnC0SrEbpwUCaNAaIQAKCRD9KnC0SrEb px0cAKCDH9PArwjLYX8qAC6JqGP2g8HJZgCfa0Ivf0zYVenPT2vIp52ojpN5RQU= =JWc6 -----END PGP SIGNATURE-----
