[Date Prev][Date Next]
Re: Looking for proven version
1. Avoid binding whenever possible. In /etc/ldap.conf i've to bind
with proxy-user for some reason and it make slapd crazy.
Just don't try it if you have LDAP user-based graphical logins. Unless
you want to wonder at why GDM won't start up any more ...
2. Remove all ACL, but secure your ldap using iptables.
Tell that to Ace Suares ;) It's a gonner as far as I'm concerned, though
maybe it works for you. I need my ACLs.
3. Whenever possible, configure your apps to query ldap directly, not
> user ip address instead of fqdn
Lousy resolver, badly configured caching DNS (you do use host-based
caching DNS, don't you?) Or faulty /etc/resolv.conf.
and no tls/ssl.default to use bind_v3 if possible.
Bad security. Unless you're only using a contact database without
passwords, etc. Any user-based (containing passwords) DSE info can and
will be sniffed. I've done it myself.
4. Use unix socket for local query if possible (though i'm not very
sure about how stable it is, but reduce the number of tcp CLOSE_WAIT
Absolutely. But the advice was to run LDAP on a second machine.
5. Simplified query in each application and index all necessary
avoid unnecessary queries to ldap (such as system user that
are already in passwd).
They shouldn't be queried, though? Who would query them?
6. Compile OL without enabling tcpwrappers (because it will look for
/etc/hosts.deny/allow for every request, cmiiw). I've got "too many
open file error" before.
Absolutely. No point in using both tcpwrappers and IPTABLES at the same
7. use nscd -- actualy in my case the nscd did not help, it still
queries ldap even i already query same id many times. i don't use it
ncsd ruins my Openldap - even the latest update. I can't use it.
Once the camel's head has entered your tent,
it's very difficult to stop the rest of the
animal from following it