Re: Netscape proxy in firewall flooding slapd
We had a similar problem. We were having over 30,000 transactions taking place between the proxy and the LDAP server every hour. In our case we had run up against a limit in the number of open socket connections between two machines. What we did to remedy the situation was set up the config with our NS Proxy 3.52 to enable LDAP Caching. We set the cache table size to 2 meg and the proxy auth cache expiration to 15 min. After setting this config, our number of transactions has gone down to around 200 per hour. Good luck.
Gerhard Duile wrote:
> We are using OpenLDAP 1.2.2, among other things to authenticate users to cross the firewall (with Netscape proxy) to get internet html web pages. Of our 40.000 users, about 750 are allowed to access the internet (www) over a firewall. Authentication of these 750 is by access to LDAP server, groupofuniquenames=internet_pilots.
> Everything works fine, but there is one problem: As our CERT (and proxy operators) tell me, their proxy fires one authentication ldap-search not only for every http page any user wishes to see outside our intranet, but also for EVERY image, sound file or whatever this html page itself wishes to load. That means, for one html page our directory server has to answer up to 25 or more authentication jobs, which seems to be quite too much for him. CERT guys tell me Netscape says that there was no way telling Netscape proxy only to authenticate against the html page itself.
> Now, here's my question: does anybody know if they are right? Is there really no way to configure Netscape Proxy Server to only authenticate for html pages, not images (gif, jpg), sound or movie, or java applets, or, or, or, or...?
> I'm using OpenLDAP 1.2.2 directory server on SuSE Linux, Pentium II 266 MHz.
> Grateful for any hint.
> Gerhard Duile
"I speak for myself,
not Longs Drug Stores"
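
The auth-cache approach described in the reply above, as an added example that is not part of the original thread and not Netscape Proxy's own code: a cache with a 15-minute expiry in front of a group-membership lookup, showing both the drop in directory queries and the window in which a revoked user is still let through. The class and function names are hypothetical, and the directory is simulated with a constructed in-memory set rather than a real LDAP search.

```python
import time

class CachedGroupAuth:
    """TTL cache in front of a directory group-membership lookup (hypothetical)."""

    def __init__(self, lookup, ttl_seconds=15 * 60, max_entries=10000,
                 clock=time.monotonic):
        self._lookup = lookup      # callable(user) -> bool: the expensive search
        self._ttl = ttl_seconds    # 15 min, the expiry quoted in the reply
        self._max = max_entries    # bound memory, like a fixed cache table size
        self._clock = clock
        self._cache = {}           # user -> (decision, expiry time)
        self.backend_queries = 0   # how often the directory was actually asked

    def is_allowed(self, user):
        now = self._clock()
        hit = self._cache.get(user)
        if hit and hit[1] > now:
            return hit[0]          # served from cache, no directory traffic
        self.backend_queries += 1
        decision = bool(self._lookup(user))
        if len(self._cache) >= self._max:
            # Drop expired entries first, then the entry closest to expiry.
            self._cache = {u: v for u, v in self._cache.items() if v[1] > now}
            if len(self._cache) >= self._max:
                del self._cache[min(self._cache, key=lambda u: self._cache[u][1])]
        # Denials are cached too, so a newly granted user also waits up to the TTL.
        self._cache[user] = (decision, now + self._ttl)
        return decision

    def invalidate(self, user):
        """Call when access is revoked and the change must apply immediately."""
        self._cache.pop(user, None)

def simulate():
    members = {"alice"}            # constructed stand-in for the directory group
    now = [0.0]                    # fake clock so the run is deterministic
    auth = CachedGroupAuth(lambda u: u in members, clock=lambda: now[0])
    # One HTML page plus 24 embedded objects = 25 authenticated requests.
    page = [auth.is_allowed("alice") for _ in range(25)]
    queries_after_page = auth.backend_queries
    members.discard("alice")       # access revoked in the directory
    now[0] = 14 * 60
    stale = auth.is_allowed("alice")   # cached entry still valid
    now[0] = 15 * 60 + 1
    fresh = auth.is_allowed("alice")   # entry expired, directory asked again
    return all(page), queries_after_page, stale, fresh, auth.backend_queries
```

The expiry is the trade-off to size deliberately: it caps directory load, and it is also the longest a removed group member keeps access unless the entry is invalidated explicitly.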