[turba] Fwd: 500,000 empty binds a day from horde (approximate)

Kevin Konowalec webadmin at ualberta.ca
Tue Sep 9 05:01:46 UTC 2008


On Sep 8, 2008, at 8:34 PM, Chuck Hagenbuch wrote:

> Quoting Kevin Konowalec <webadmin at ualberta.ca>:
>
>> We've got an LDAP server configured in Turba which binds correctly  
>> and returns results just fine.  But this seems to be something  
>> else.  The various machines in our horde cluster have been beating  
>> the heck out of our LDAP servers with empty binds.  I can't seem to  
>> find any reason why it'd be doing that.  The turba configuration  
>> for legitimate connections seems to be fine (and it is, given I can  
>> do a LDAP search from Turba with no problems) but it's making all  
>> these other requests as well and I can't figure out why.
>
> What else do you have configured to use LDAP? Can you correlate any  
> user activity to the anon binds?


I took one horde front end out of the loop so I was the ONLY user on  
it.  We then filtered the LDAP logs to watch what happens.  When I  
initially log on we see a bind.  Then when I read the first message  
there's a bind (but oddly enough not every other time).  Then there  
seems to be binds when I try to compose (lots of them actually). The  
really odd thing is that we see binds even when I'm not doing  
anything.  But as soon as I take our LDAP server entirely out of  
turba's servers.php file and restart then there are zero empty bind  
attempts so it's 100% a horde issue.

If I had to guess what was going on I'd say that horde was using these  
empty binds as a kind of ping to see if the server is responding and  
if it is then allowing whatever functionality.  If that's the case I  
think that's enormously excessive (one check on login should be  
sufficient)... though slapd should be able to handle it under normal  
circumstances.  Unfortunately I think there's a memory management bug  
in slapd that is being exacerbated by pummeling the crap out of it.


>
>
>> On a side note... might I suggest changing imp's address completion  
>> to only kick in after 3 characters typed minimum?  There's no good  
>> reason to be hitting LDAP with queries like "a" or "sm" -  
>> especially with over 100,000 entries.  The number of results  
>> returned is so large it's not even close to useful.
>
> I'm pretty sure it was this way at one point - ticket?
>

I can add an enhancement request.  To me it just seems so much smarter  
to wait at least 3 characters before searching.  Typing a single  
character doesn't return useful results (especially when the results  
are not just those names that start with the single character... it's  
all results CONTAINING the character... so the potential return set is  
in the tens of thousands in our case).

K



> -chuck



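Added example, not part of the original message or of Horde/Turba: one way to quantify the two behaviours discussed in this thread from the LDAP server side, counting empty (anonymous) simple binds per client and searches whose substring term is shorter than 3 characters. It assumes OpenLDAP slapd "stats"-level log lines; the sample log, addresses and DNs are constructed, and `summarize` is a hypothetical helper name.

```python
import re
from collections import Counter

# Constructed sample in slapd stats-level log format (assumed, not from the thread).
SAMPLE_LOG = """\
Sep  9 05:01:40 ldap1 slapd[1234]: conn=1001 fd=12 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
Sep  9 05:01:40 ldap1 slapd[1234]: conn=1001 op=0 BIND dn="" method=128
Sep  9 05:01:40 ldap1 slapd[1234]: conn=1001 op=1 SRCH base="ou=people,dc=example,dc=org" scope=2 deref=0 filter="(cn=*a*)"
Sep  9 05:01:41 ldap1 slapd[1234]: conn=1002 fd=13 ACCEPT from IP=192.0.2.10:51240 (IP=0.0.0.0:389)
Sep  9 05:01:41 ldap1 slapd[1234]: conn=1002 op=0 BIND dn="" method=128
Sep  9 05:01:42 ldap1 slapd[1234]: conn=1003 fd=14 ACCEPT from IP=192.0.2.10:51241 (IP=0.0.0.0:389)
Sep  9 05:01:42 ldap1 slapd[1234]: conn=1003 op=0 BIND dn="cn=turba,dc=example,dc=org" method=128
Sep  9 05:01:42 ldap1 slapd[1234]: conn=1003 op=1 SRCH base="ou=people,dc=example,dc=org" scope=2 deref=0 filter="(cn=*smith*)"
Sep  9 05:01:43 ldap1 slapd[1234]: conn=1004 fd=15 ACCEPT from IP=192.0.2.11:40022 (IP=0.0.0.0:389)
Sep  9 05:01:43 ldap1 slapd[1234]: conn=1004 op=0 BIND dn="" method=128
Sep  9 05:01:43 ldap1 slapd[1234]: conn=1004 op=1 SRCH base="ou=people,dc=example,dc=org" scope=2 deref=0 filter="(|(cn=*sm*)(mail=*sm*))"
Sep  9 05:01:43 ldap1 slapd[1234]: conn=1004 op=2 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
"""

ACCEPT = re.compile(r'conn=(\d+) fd=\d+ ACCEPT from IP=(\S+):\d+ ')
BIND = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)" method=128')  # 128 = simple bind
SRCH = re.compile(r'conn=(\d+) op=\d+ SRCH .*filter="([^"]*)"')
VALUE = re.compile(r'=([^()]*)\)')  # asserted value of each filter component


def summarize(log_text, min_chars=3):
    """Return (empty binds per client IP, short-term searches per client IP)."""
    conn_ip = {}                 # slapd connection id -> client address
    empty_binds = Counter()
    short_searches = Counter()
    for line in log_text.splitlines():
        if m := ACCEPT.search(line):
            conn_ip[m.group(1)] = m.group(2)
        elif m := BIND.search(line):
            if m.group(2) == "":  # simple bind with an empty DN is anonymous
                empty_binds[conn_ip.get(m.group(1), "unknown")] += 1
        elif m := SRCH.search(line):
            # Strip wildcards; a pure presence test such as (objectClass=*) has no term.
            terms = [v.strip("*") for v in VALUE.findall(m.group(2))]
            if any(0 < len(t) < min_chars for t in terms):
                short_searches[conn_ip.get(m.group(1), "unknown")] += 1
    return empty_binds, short_searches


if __name__ == "__main__":
    binds, searches = summarize(SAMPLE_LOG)
    print("empty binds per client:", dict(binds))
    print("searches with a term under 3 chars:", dict(searches))
```

Grouping by client address shows which front end generates the binds, and comparing the per-minute count against user activity on that host separates login-driven binds from background ones.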