--On Thursday, September 28, 2006 11:49 AM -0700 Chris Adams <[EMAIL PROTECTED]> wrote:

Rebuilding slapd after making the following addition to
debian/rules successfully raises the limit:
CFLAGS = -Wall -g -D_FILE_OFFSET_BITS=64 -DOPENLDAP_FD_SETSIZE=8192 -DFD_SETSIZE=8192

At this point the DoS script no longer works - suggesting that this should
become part of the default build since the failure mode is severe with
e.g. pam-ldap.

Hi Chris,

I found that it was unnecessary to build OpenLDAP with the OPENLDAP_FD_SETSIZE parameter set at all to get around this issue. In my slapd startup script, I have:

# Bump up file descriptors to 4096
ulimit -n 4096

which is all that is necessary to allow slapd to use more file descriptors. With this in place:

Sep 28 13:07:31 ldap-test2 slapd[3473]: fd=4095 DENIED from 171.64.11.148 (171.64.11.148)
Sep 28 13:07:31 ldap-test2 slapd[3473]: warning: cannot open /etc/hosts.allow: Too many open files


is where it fails.

If I change the ulimit to 1024, then it fails at:

Sep 28 13:09:59 ldap-test2 slapd[29388]: warning: cannot open /etc/hosts.allow: Too many open files
Sep 28 13:09:59 ldap-test2 slapd[29388]: error: bad option name: "171.64.11.148"
Sep 28 13:09:59 ldap-test2 slapd[29388]: fd=1023 DENIED from 171.64.11.148 (171.64.11.148)


So basically, this is something that can easily be overcome by the user if they need to, and doesn't require any particular compile options on the server's side. I don't really see this as any sort of DoS issue, but a user configuration issue. But that's my 2c.

--Quanah


--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
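Both log excerpts in the reply above show the same signature of descriptor exhaustion: the last connection is logged at fd = (ulimit -n) - 1, and slapd then fails to open /etc/hosts.allow with "Too many open files". The following parser is an added example (not code from either poster or from OpenLDAP) that pulls those two indicators out of syslog-style slapd lines and compares the highest descriptor seen against the configured nofile limit, so an operator can tell a descriptor-table-full condition apart from an ordinary access denial. The sample lines are the ones quoted in the thread; the limit values passed in are assumptions matching the ulimit settings the poster describes.

```python
import re
from typing import Dict, List, Optional, Tuple

# Sample syslog lines copied from the thread above (run with "ulimit -n 4096").
SAMPLE_LOG_4096: List[str] = [
    "Sep 28 13:07:31 ldap-test2 slapd[3473]: fd=4095 DENIED from 171.64.11.148 (171.64.11.148)",
    "Sep 28 13:07:31 ldap-test2 slapd[3473]: warning: cannot open /etc/hosts.allow: Too many open files",
]

# Sample syslog lines copied from the thread above (run with "ulimit -n 1024").
SAMPLE_LOG_1024: List[str] = [
    "Sep 28 13:09:59 ldap-test2 slapd[29388]: warning: cannot open /etc/hosts.allow: Too many open files",
    'Sep 28 13:09:59 ldap-test2 slapd[29388]: error: bad option name: "171.64.11.148"',
    "Sep 28 13:09:59 ldap-test2 slapd[29388]: fd=1023 DENIED from 171.64.11.148 (171.64.11.148)",
]

# Classic syslog prefix followed by the slapd tag and pid; everything after is the message.
SLAPD_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) slapd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# slapd's "fd=N DENIED from <peer> (<peer>)" access-control denial message.
DENIED_RE = re.compile(r"fd=(?P<fd>\d+) DENIED from (?P<peer>\S+)")
# The strerror(EMFILE) text that appears when the descriptor table is full.
EMFILE_MARK = "Too many open files"


def analyze_slapd_log(lines: List[str], nofile_limit: int) -> Dict[str, object]:
    """Scan slapd syslog lines and report descriptor-exhaustion indicators.

    nofile_limit is the effective "ulimit -n" of the slapd process (an input
    the caller supplies; it is not recoverable from the log itself).
    Descriptors are numbered from 0, so a connection logged at
    fd == nofile_limit - 1 means the table was completely full.
    """
    denied: List[Tuple[int, str]] = []
    peers: Dict[str, int] = {}
    emfile_errors = 0
    max_fd_seen: Optional[int] = None

    for line in lines:
        m = SLAPD_LINE.match(line)
        if not m:
            continue  # not a slapd line; ignore
        msg = m.group("msg")
        if EMFILE_MARK in msg:
            emfile_errors += 1
        d = DENIED_RE.search(msg)
        if d:
            fd = int(d.group("fd"))
            peer = d.group("peer")
            denied.append((fd, peer))
            peers[peer] = peers.get(peer, 0) + 1
            if max_fd_seen is None or fd > max_fd_seen:
                max_fd_seen = fd

    at_limit = max_fd_seen is not None and max_fd_seen >= nofile_limit - 1
    headroom = None if max_fd_seen is None else nofile_limit - 1 - max_fd_seen
    return {
        "nofile_limit": nofile_limit,
        "emfile_errors": emfile_errors,
        "denied": denied,
        "peers": peers,                 # denial count per peer address
        "max_fd_seen": max_fd_seen,
        "headroom": headroom,           # descriptors left below the limit
        "fd_exhausted": emfile_errors > 0 or at_limit,
    }


if __name__ == "__main__":
    for label, sample, limit in (("4096", SAMPLE_LOG_4096, 4096), ("1024", SAMPLE_LOG_1024, 1024)):
        r = analyze_slapd_log(sample, limit)
        print(f"ulimit -n {label}: max fd {r['max_fd_seen']}, headroom {r['headroom']}, "
              f"EMFILE errors {r['emfile_errors']}, exhausted={r['fd_exhausted']}")
```

Run against a live syslog, the useful signal is `fd_exhausted` together with `peers`: a single peer accounting for nearly all denials while `headroom` sits at 0 is the configuration problem discussed in this thread rather than a tcp_wrappers policy issue, and the fix is the `ulimit -n` bump in the startup script (or the compile-time FD_SETSIZE change) rather than an hosts.allow edit.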

