Re: Possible to block large multivalued updates

Rich Megginson <rmeggins@xxxxxxxxxx> · Thu, 21 Mar 2013 14:12:06 -0600



    On 03/21/2013 02:05 PM, Jeffrey Dunham
      wrote:

    
            I have run into a bug that is still open several times
              now causing large problems in our LDAP Service.  https://fedorahosted.org/389/ticket/346

              
            We have group updates that are very large in size (20k+
            records) and while we're specifically targeting the
            engineering group responsible, there is nothing to stop
            another group to write bad code and abuse our service.  When
            the large update occurs during replication of the group from
            our master to our search fleet we often miss SLAs on
            replication and search latency because the boxes go under
            such heavy load.

            
          Is there a way on our master servers we can block people from
          preforming such updates?  Either to discard and error on the
          write or just drop that traffic all together.  I'm open to any
          sort of suggestion this list might have to offer.

        
    You could use nsslapd-maxbersize to reject packets that are larger
    than a certain size:

    
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Configuration_Command_and_File_Reference/Core_Server_Configuration_Reference.html#cnconfig-nsslapd_maxbersize_Maximum_Message_Size

    
        -Jeff

        
      --
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
    
    
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users