From: Booker C. B. <bb...@ne...> - 2001-01-25 19:12:59

On Wed, 24 Jan 2001, Jeff Mandel wrote:

> I was wondering if anyone had the experience of one of their programs
> knocking out a Netscape LDAP server?
>
> I was testing a small program that queried for mail and
> mailalternateaddresses. There are not that many users in the database -
> less than 500. I got a Net::IO Socket error, and then noticed the ldap
> server was dead. I started it up and tried again. Still it was killed.
> So I tried again on a different host and knocked that one out too.
> I couldn't get any errors in the log - just the entries stating it was
> recovering from a disorderly shutdown when it restarted.
>
> I figured there was probably an update to Net::LDAP, and used cpan to
> get it. The cpan module also said that cpan itself had a later version
> and I proceeded to update it. (Rather, it updated itself.) It updated
> libnet and a bunch of other things, so I don't know where the culprit
> might have been. After the update, no more konking out my ldap server.
> But, wait...
>
> Good packet or bad, it seemed all too easy to kill the running instance
> of slapd. I don't know if it was a bad search filter or perhaps a
> malformed packet by the perl modules. Either way, it starts to feel like
> the ldap server is not as stable as I expected. This on 4.11 and 4.2.
>
> Has anyone else experienced this?
>

- This is not really a perl-ldap question, but yes it's easy to kill just about any ldap server on the market. On any server based on the Umich code (i.e. netscape, openldap), a few searches on an unindexed variable will bring the server to its knees.

- If you're depending on ldap for crucial services then you really need at least 3 servers at a minimum. And you need to think hard and long about allowing unauthenticated access.

- Booker C. Bense