Howard Chu wrote:
Michael Ströder wrote:
I'm currently trying to upgrade an OpenLDAP package for an openSUSE distribution.
The original package links slapd with libwrap which made sense in former times on systems without local host firewall mechanisms. If libwrap does not have a major performance impact I'd keep it that way just for the sake of backward compatibility.
But AFAICT if slapd is linked with libwrap the TCP wrapper is always asked whether a connection is allowed or not. One cannot disable it by slapd configuration.
So the question is: How big is the performance impact?
How much does it matter?
That's what I'm trying to find out. ;-)
libwrap has to fopen two files (/etc/hosts.allow and hosts.deny) and read their rules, every time a connection is received. That's pretty significant overhead, but if you're not receiving thousands of connections per second, it probably doesn't matter.
Hmm, I will drop it since the same functionality can be easily achieved on this platform by using the local kernel firewall.
BTW: I'm using this package also on Raspberry Pi. So calling fopen() twice seems significant to me.
Ciao, Michael.