Hi Henrik,
Many thanks for Your advice,
- Yes, we started using mdb-backend and did not use it before.
- LDAP tree is not very large, a slapcat dump has about 1.050 Million lines and less than
50'000 dn entries.
- LDAP tree contains attributes 21661 of type aliasedObjectName
- Yes, alias-dereferencing is used and set to always. Clients should not, but may do
searches using "sub" instead of "one" .
I will check whether using hdb will mitigate the problem.
Jürgen
-----Original Message-----
From: Henrik Bohnenkamp [mailto:hbohnenkamp@united-internet.de]
Sent: Mittwoch, 30. Januar 2019 12:23
To: Sprenger Jürgen, INI-ONE-CIS-SDI-HES <Juergen.Sprenger(a)swisscom.com>
Subject: Re: OpenLDAP 2.4.45 possible denial of service vulnerability?
On Wed, Jan 30, 2019 at 10:17:47AM +0000, Juergen.Sprenger(a)swisscom.com wrote:
Hi Jürgen,
if you can answer all of the following questions with "yes", you might have the
problem described in ITS#8875/ITS#7657
(
http://www.openldap.org/its/index.cgi/Incoming?id=8875;selectid=8875):
- with the upgrade to 2.4.45, you started to use the mdb-backend, and
did not use it before
- your LDAP tree is large (> 1 Million entries)
- the LDAP tree contains many alias objects (> 64k )
- the clients causing the trouble make searches with scope "sub", and
alias-dereferencing
set to "always"
That's essential the 4 conditions that lead to a problem at my organisation similar to
the one you described. Workaround was to go back to the hdb backend.
Henrik
--
Henrik Bohnenkamp