Hi Henrik,
Many thanks for your advice.
- Yes, we started using mdb-backend and did not use it before.
- LDAP tree is not very large; a slapcat dump has about 1.050 Million lines and less than 50'000 dn entries.
- LDAP tree contains 21661 attributes of type aliasedObjectName.
- Yes, alias-dereferencing is used and set to always. Clients should not, but may do searches using "sub" instead of "one".
I will check whether using hdb will mitigate the problem.
Jürgen
-----Original Message-----
From: Henrik Bohnenkamp [mailto:hbohnenkamp@united-internet.de]
Sent: Wednesday, 30 January 2019 12:23
To: Sprenger Jürgen, INI-ONE-CIS-SDI-HES Juergen.Sprenger@swisscom.com
Subject: Re: OpenLDAP 2.4.45 possible denial of service vulnerability?
On Wed, Jan 30, 2019 at 10:17:47AM +0000, Juergen.Sprenger@swisscom.com wrote:
Hi Jürgen,
if you can answer all of the following questions with "yes", you might have the problem described in ITS#8875/ITS#7657 (http://www.openldap.org/its/index.cgi/Incoming?id=8875;selectid=8875):
- with the upgrade to 2.4.45, you started to use the mdb-backend, and did not use it before
- your LDAP tree is large (> 1 Million entries)
- the LDAP tree contains many alias objects (> 64k)
- the clients causing the trouble make searches with scope "sub", and alias-dereferencing set to "always"
Those are essentially the 4 conditions that lead to a problem at my organisation similar to the one you described. The workaround was to go back to the hdb backend.
Henrik
--
Henrik Bohnenkamp
openldap-technical@openldap.org
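Two of the four conditions in Henrik's checklist (tree size and number of alias objects) can be measured directly on a slapcat dump. The following is an added example, not code from the thread or from OpenLDAP: a small LDIF reader that unfolds continuation lines, decodes base64 values, counts entries and aliasedObjectName values, and flags the "> 1 Million entries" and "> 64k aliases" conditions. The threshold constants, the function names and the miniature sample dump are assumptions of this example.

```python
import base64
import re

# Size conditions from Henrik's checklist (ITS#8875); reading "64k" as 65536 is an assumption.
ENTRY_THRESHOLD, ALIAS_THRESHOLD = 1_000_000, 64 * 1024


def _add_attribute(entry, line):
    """Store one logical LDIF line ('attr: value' or 'attr:: base64') in entry."""
    if line.startswith("#") or ":" not in line:
        return  # comment line, not an attribute
    name, _, rest = line.partition(":")
    value = rest.strip()
    if rest.startswith(":"):  # base64 value; slapcat emits these for non-ASCII DNs
        value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
    entry.setdefault(name.lower(), []).append(value)


def iter_ldif_entries(text):
    """Yield each entry of a slapcat dump as {attribute (lowercased): [values]}."""
    unfolded = re.sub(r"\r?\n ", "", text)  # RFC 2849 folding: newline + space joins lines
    for block in re.split(r"\n\s*\n", unfolded):  # blank lines separate entries
        entry = {}
        for line in block.splitlines():
            _add_attribute(entry, line)
        if entry:
            yield entry


def alias_summary(text):
    """Count entries and alias objects and flag the checklist's two size conditions."""
    entries, aliases = 0, []
    for entry in iter_ldif_entries(text):
        if "dn" in entry:
            entries += 1
            aliases += [(entry["dn"][0], t) for t in entry.get("aliasedobjectname", [])]
    return {"entries": entries, "aliases": aliases, "large_tree": entries > ENTRY_THRESHOLD,
            "many_aliases": len(aliases) > ALIAS_THRESHOLD}


_B64 = base64.b64encode("cn=Jürgen,ou=aliases,dc=example,dc=com".encode()).decode()
SAMPLE_LDIF = f"""# constructed three-entry sample dump (not from the thread)
dn: cn=Juergen Sprenger,ou=people,dc=example,dc=com
objectClass: inetOrgPerson

dn: cn=jsprenger,ou=aliases,dc=example,dc=com
objectClass: alias
aliasedObjectName: cn=Juergen Sprenger,ou=people,dc=exam
 ple,dc=com

dn:: {_B64}
objectClass: alias
aliasedObjectName: cn=Juergen Sprenger,ou=people,dc=example,dc=com
"""
```

On a real dump, read the file with `open(path, encoding="utf-8")` and pass its contents to `alias_summary`; the third and fourth conditions (scope "sub" and deref "always") are client-side and must be checked in the clients or the slapd search logs instead.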