Hello,
Is there any way to limit bind query rates or any operation rate in OpenLDAP or in conjunction with another proxy?
Any advice appreciated
Regards
Jerome
On Fri Sep 19, 2025 at 3:53 PM CEST, BECOT Jérôme wrote:
> Hello,
> Is there any way to limit bind query rates or any operation rate in OpenLDAP or in conjunction with another proxy?
> Any advice appreciated
> Regards
> Jerome

Hi Jerome,
I'm not aware of any way to do that with OpenLDAP itself. However, it should be possible to use some kind of proxy or your firewall to limit the number of TCP connections per client within a specified time frame. Note, though, that this would only limit the number of bind requests, not the number of operations a client can perform once the connection is established.
Regards, Souji
Souji Thenria wrote:
> On Fri Sep 19, 2025 at 3:53 PM CEST, BECOT Jérôme wrote:
> > Hello,
> > Is there any way to limit bind query rates or any operation rate in OpenLDAP or in conjunction with another proxy?

I'm curious about why you need any rate limiting. What problem are you having?

> > Any advice appreciated
> > Regards
> > Jerome
>
> Hi Jerome,
> I'm not aware of any way to do that with OpenLDAP itself. However, it should be possible to use some kind of proxy or your firewall to limit the number of TCP connections per client within a specified time frame. Note, though, that this would only limit the number of bind requests, not the number of operations a client can perform once the connection is established.
> Regards, Souji

--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Hello,
We sometimes have enterprise applications that aggressively generate several thousand requests per second or repeatedly attempt bind operations. In the past, this caused side effects such as reaching the maximum number of open files or excessive disk usage, which could make OpenLDAP unresponsive to clients. These issues have now been resolved, but management requested further action. We are currently working on monitoring improvements based on request logs, which could also trigger protective measures if needed.
In most cases, these problems are caused by poorly developed LDAP integrations.
________________________________
From: Howard Chu hyc@symas.com
Sent: Sunday, September 21, 2025 17:30
To: Souji Thenria mail@souji-thenria.net; BECOT Jérôme jbecot@itsgroup.com; openldap-technical openldap-technical@openldap.org
Subject: Re: Request rate limiting
> Souji Thenria wrote:
> > On Fri Sep 19, 2025 at 3:53 PM CEST, BECOT Jérôme wrote:
> > > Hello,
> > > Is there any way to limit bind query rates or any operation rate in OpenLDAP or in conjunction with another proxy?
>
> I'm curious about why you need any rate limiting. What problem are you having?
>
> > > Any advice appreciated
> > > Regards
> > > Jerome
> >
> > Hi Jerome,
> > I'm not aware of any way to do that with OpenLDAP itself. However, it should be possible to use some kind of proxy or your firewall to limit the number of TCP connections per client within a specified time frame. Note, though, that this would only limit the number of bind requests, not the number of operations a client can perform once the connection is established.
> > Regards, Souji
>
> --
> Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/

You can set up lload or haproxy and point the offending apps to the new endpoints.
On Wed, Sep 24, 2025, 08:37 Marc Marc@f1-outsourcing.eu wrote:
> Exactly! It seems very difficult to get developers to understand even the basics...
>
> > In most cases, these problems are caused by poorly developed LDAP integrations.
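
Added example (not part of any message in this thread, and not OpenLDAP project code): a log-based check of the kind Jerome describes. It maps each slapd connection id to its client address and counts bind responses and total operations per client in a sliding window, so it also sees a client that keeps one connection open and floods it with operations, which a per-connection limit at a proxy or firewall would not count. It assumes stats-level slapd logging, an ISO 8601 timestamp at the start of each line, and IPv4 clients; the function names, thresholds and log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

ACCEPT = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")  # IPv4 only
# One RESULT line is logged per completed operation; tag=97 is a bind response.
RESULT = re.compile(r"conn=(\d+) op=\d+ (?:SEARCH )?RESULT tag=(\d+) ")

def noisy_clients(lines, window_s=10, max_binds=3, max_ops=5):
    """Return {client_ip: {"bind", "ops"}} for clients over a limit in any window."""
    conn_ip = {}  # slapd connection id -> client IP, learned from ACCEPT lines
    recent = defaultdict(lambda: {"bind": deque(), "ops": deque()})
    limits = {"bind": max_binds, "ops": max_ops}
    flagged = defaultdict(set)
    for line in lines:
        stamp, _, rest = line.partition(" ")
        try:
            ts = datetime.fromisoformat(stamp)
        except ValueError:
            continue  # skip lines without the assumed ISO 8601 timestamp
        if m := ACCEPT.search(rest):
            conn_ip[m.group(1)] = m.group(2)
            continue
        m = RESULT.search(rest)
        if not m or m.group(1) not in conn_ip:
            continue
        ip = conn_ip[m.group(1)]
        for kind in (("bind", "ops") if m.group(2) == "97" else ("ops",)):
            q = recent[ip][kind]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:
                q.popleft()  # drop events that fell out of the window
            if len(q) > limits[kind]:
                flagged[ip].add(kind)
    return dict(flagged)

def sample_log():
    """Constructed slapd stats-level lines for three clients (not real data)."""
    out = []
    def log(sec, msg):
        out.append(f"2025-09-24T08:00:{sec:02d} slapd[911]: {msg}")
    for i in range(4):  # client .10 reconnects and binds four times in 4 s
        log(i, f"conn={100 + i} fd=14 ACCEPT from IP=192.0.2.10:{40000 + i} (IP=0.0.0.0:389)")
        log(i, f"conn={100 + i} op=0 RESULT tag=97 err=49 text=")
    log(0, "conn=200 fd=15 ACCEPT from IP=192.0.2.20:41000 (IP=0.0.0.0:389)")
    log(0, "conn=200 op=0 RESULT tag=97 err=0 text=")
    for i in range(1, 7):  # client .20 keeps one connection, six searches in 6 s
        log(i, f"conn=200 op={i} SEARCH RESULT tag=101 err=0 nentries=1 text=")
    log(2, "conn=300 fd=16 ACCEPT from IP=192.0.2.30:42000 (IP=0.0.0.0:389)")
    log(2, "conn=300 op=0 RESULT tag=97 err=0 text=")
    return sorted(out)
```

On the constructed sample, `noisy_clients(sample_log())` flags 192.0.2.10 for binds and 192.0.2.20 for total operations, and leaves 192.0.2.30 alone.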