On 09.12.2014 16:25, Michael Ströder wrote:
> Hmm, I will drop it since the same functionality can be easily achieved on this platform by using local kernel firewall.
Sounds like a good idea.
I dropped it after one misbehaving firefox addressbook lookup plugin I tried managed to open up enough connections in the same second to our ldap server to fill the logs with:
Oct 31 11:11:33 ldapsrv slapd[6603]: warning: cannot open /etc/hosts.allow: Too many open files
Oct 31 11:11:33 ldapsrv slapd[6603]: warning: cannot open /etc/hosts.deny: Too many open files
Oct 31 11:11:33 ldapsrv slapd[6603]: warning: cannot open /etc/hosts.allow: Too many open files
Oct 31 11:11:33 ldapsrv slapd[6603]: warning: cannot open /etc/hosts.deny: Too many open files
...etc...etc...
...and preventing most of the genuine lookups and logins.
You can of course up the ulimit (default was 1024) and in slapd config limit connections to prevent clients from being able to do this, but if you don't need tcp wrappers anyway, ....