On 09.12.2014 16:25, Michael Ströder wrote:
> Hmm, I will drop it since the same functionality can be easily achieved on
> this platform by using local kernel firewall.
Sounds like a good idea.
I dropped it after one misbehaving firefox addressbook lookup plugin I
tried managed to open up enough connections in the same second to our
ldap server to fill the logs with:
Oct 31 11:11:33 ldapsrv slapd[6603]: warning: cannot open
/etc/hosts.allow: Too many open files
Oct 31 11:11:33 ldapsrv slapd[6603]: warning: cannot open
/etc/hosts.deny: Too many open files
Oct 31 11:11:33 ldapsrv slapd[6603]: warning: cannot open
/etc/hosts.allow: Too many open files
Oct 31 11:11:33 ldapsrv slapd[6603]: warning: cannot open
/etc/hosts.deny: Too many open files
...etc...etc...
...and preventing most of the genuine lookups and logins.
You can of course up the ulimit (default was 1024) and in slapd config
limit connections to prevent clients from being able to do this, but if
you don't need tcp wrappers anyway, ....
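One way to catch the burst described above from syslog, as an added example that is not part of the thread: it groups slapd "Too many open files" warnings per host, pid and second, so a single failed wrapper check stays quiet but a connection flood is flagged. The sample log is constructed from the quoted lines, and the threshold is an assumption.

```python
import re
from collections import Counter

# Constructed sample syslog lines modelled on the ones quoted in the thread
# (not a real capture): a burst of fd-exhaustion warnings, plus unrelated noise.
SAMPLE_LOG = """\
Oct 31 11:11:32 ldapsrv slapd[6603]: conn=1041 fd=12 ACCEPT from IP=10.0.0.5:51234 (IP=0.0.0.0:389)
Oct 31 11:11:33 ldapsrv slapd[6603]: warning: cannot open /etc/hosts.allow: Too many open files
Oct 31 11:11:33 ldapsrv slapd[6603]: warning: cannot open /etc/hosts.deny: Too many open files
Oct 31 11:11:33 ldapsrv slapd[6603]: warning: cannot open /etc/hosts.allow: Too many open files
Oct 31 11:11:33 ldapsrv slapd[6603]: warning: cannot open /etc/hosts.deny: Too many open files
Oct 31 11:11:34 ldapsrv slapd[6603]: warning: cannot open /etc/hosts.allow: Too many open files
Oct 31 11:11:40 ldapsrv slapd[6603]: conn=1042 fd=13 ACCEPT from IP=10.0.0.6:51235 (IP=0.0.0.0:389)
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host prog[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
FD_EXHAUSTED = "Too many open files"

def parse_line(line):
    """Split one syslog line into its fields, or return None if it does not fit."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def fd_exhaustion_bursts(log_text, threshold=3):
    """Count slapd 'Too many open files' warnings per (host, pid, second) and
    return only the seconds whose count reaches the threshold (assumed value):
    one failed hosts.allow/hosts.deny open is noise, a burst is a flood."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["prog"] == "slapd" and FD_EXHAUSTED in rec["msg"]:
            counts[(rec["host"], rec["pid"], rec["ts"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for (host, pid, ts), n in sorted(fd_exhaustion_bursts(SAMPLE_LOG).items()):
        print(f"{ts} {host} slapd[{pid}]: {n} fd-exhaustion warnings in one second")
```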