Chapter 9 Maintaining Open Directory Services 189
Limiting Search Results for LDAP Service
Using Server Admin, you can prevent one type of denial-of-service attack on Mac OS X
Server by limiting the number of search results returned by the server’s shared LDAP
directory domain. Limiting the number of search results prevents a malicious user
from tying up the server by sending it multiple all-inclusive LDAP search requests.
To limit LDAP search results:
1 Open Server Admin and connect to the Open Directory master or an Open Directory
replica server.
2 Click the triangle at the left of the server.
The list of services appears.
3 From the expanded Servers list, select Open Directory.
4 Click Settings, then click LDAP.
5 Enter the maximum number of returned search results in the “Return a maximum of __
search results” field.
6 Click Save.
Setting the Search Timeout Interval for LDAP Service
Using Server Admin, you can prevent one type of denial-of-service attack on Mac OS X
Server by limiting the amount of time the server spends on one search of its shared
LDAP directory domain.
Setting a search timeout prevents a malicious user from tying up the server by
sending it an exceptionally complex LDAP search request.
To set a search timeout interval for LDAP service:
1 Open Server Admin and connect to the Open Directory master or an Open Directory
replica server.
2 Click the triangle at the left of the server.
The list of services appears.
3 From the expanded Servers list, select Open Directory.
4 Click Settings, then click LDAP.
5 Enter a search timeout interval in the “Search times out in __” field.
Set the time interval using the pop-up menu.
6 Click Save.
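As an added example that is not part of this guide, the following check reads the two limits from an OpenLDAP slapd.conf. It assumes that Server Admin stores the values above as the OpenLDAP `sizelimit` and `timelimit` directives (the usual slapd.conf form); the sample configurations and the policy thresholds are constructed for the demonstration.

```python
import re

# OpenLDAP's built-in defaults, which apply when slapd.conf has no directive.
DEFAULT_SIZELIMIT = 500   # entries per search
DEFAULT_TIMELIMIT = 3600  # seconds per search
UNLIMITED = {"unlimited", "none", "-1"}


def _to_int(token):
    """Return an int, or None when the token means 'no limit'."""
    return None if token.lower() in UNLIMITED else int(token)


def _parse_limit(value):
    """Parse a sizelimit/timelimit argument.

    Handles the plain form ("500", "unlimited") and the structured form
    ("size.soft=100 size.hard=500"), using the hard value because that is
    the ceiling a client cannot raise. Per-requester 'limits' directives
    are not covered (simplification for this example).
    """
    tokens = value.split()
    if len(tokens) == 1 and "=" not in tokens[0]:
        return _to_int(tokens[0])
    for tok in tokens:
        key, _, val = tok.partition("=")
        if key in ("size.hard", "time.hard"):
            return _to_int(val)
    return None  # structured form with no hard cap: nothing stops the client


def audit_slapd_limits(conf_text, max_size=500, max_time=60):
    """Return (effective limits, findings) for a slapd.conf; last directive wins."""
    limits = {"sizelimit": DEFAULT_SIZELIMIT, "timelimit": DEFAULT_TIMELIMIT}
    for line in conf_text.splitlines():
        m = re.match(r"^(sizelimit|timelimit)\s+(.+?)\s*$", line.strip(), re.I)
        if m:
            limits[m.group(1).lower()] = _parse_limit(m.group(2))
    findings = []
    for name, cap in (("sizelimit", max_size), ("timelimit", max_time)):
        val = limits[name]
        if val is None:
            findings.append(f"{name} is unlimited")
        elif val > cap:
            findings.append(f"{name} {val} exceeds policy {cap}")
    return limits, findings


# Constructed samples: a weak configuration and its hardened counterpart.
WEAK_CONF = "sizelimit unlimited\ntimelimit 3600\ndatabase bdb\n"
HARDENED_CONF = "sizelimit 500\ntimelimit 60\ndatabase bdb\n"
```

Running `audit_slapd_limits(WEAK_CONF)` reports both limits as findings, while the hardened sample passes cleanly.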