Hi Henrik, Many thanks for Your advice,
- Yes, we started using mdb-backend and did not use it before. - LDAP tree is not very large, a slapcat dump has about 1.050 Million lines and less than 50'000 dn entries. - LDAP tree contains attributes 21661 of type aliasedObjectName - Yes, alias-dereferencing is used and set to always. Clients should not, but may do searches using "sub" instead of "one" . I will check whether using hdb will mitigate the problem. Jürgen -----Original Message----- From: Henrik Bohnenkamp [mailto:[email protected]] Sent: Mittwoch, 30. Januar 2019 12:23 To: Sprenger Jürgen, INI-ONE-CIS-SDI-HES <[email protected]> Subject: Re: OpenLDAP 2.4.45 possible denial of service vulnerability? On Wed, Jan 30, 2019 at 10:17:47AM +0000, [email protected] wrote: Hi Jürgen, if you can answer all of the following questions with "yes", you might have the problem described in ITS#8875/ITS#7657 (http://www.openldap.org/its/index.cgi/Incoming?id=8875;selectid=8875): - with the upgrade to 2.4.45, you started to use the mdb-backend, and did not use it before - your LDAP tree is large (> 1 Million entries) - the LDAP tree contains many alias objects (> 64k ) - the clients causing the trouble make searches with scope "sub", and alias-dereferencing set to "always" That's essential the 4 conditions that lead to a problem at my organisation similar to the one you described. Workaround was to go back to the hdb backend. Henrik -- Henrik Bohnenkamp
