
Re: Looking for proven version



Beast wrote:

> 1. Avoid binding whenever possible. In /etc/ldap.conf I have to bind
> with a proxy user for some reason and it makes slapd crazy.

Just don't try it if you have LDAP user-based graphical logins. Unless you want to wonder at why GDM won't start up any more ...


> 2. Remove all ACLs, but secure your LDAP using iptables.

Tell that to Ace Suares ;) It's a goner as far as I'm concerned, though maybe it works for you. I need my ACLs.


> 3. Whenever possible, configure your apps to query LDAP directly, not
> through PAM.

Absolutely.

> Use the IP address instead of the FQDN,

Lousy resolver, badly configured caching DNS (you do use host-based caching DNS, don't you?) or a faulty /etc/resolv.conf.

> and no TLS/SSL. Default to bind_v3 if possible.

Bad security. Unless you're only using a contact database without passwords, etc., any user-based DSE info (containing passwords) can and will be sniffed. I've done it myself.


> 4. Use a unix socket for local queries if possible (though I'm not very
> sure about how stable it is, but it reduces the number of TCP CLOSE_WAIT
> states).

Absolutely. But the advice was to run LDAP on a second machine.

> 5. Simplify the queries in each application and index all necessary
> attributes.

Definitely.

> Avoid unnecessary queries to LDAP (such as for system users that
> are already in passwd).

They shouldn't be queried, though? Who would query them?

> 6. Compile OL without enabling tcpwrappers (because it will look at
> /etc/hosts.deny and /etc/hosts.allow for every request, CMIIW). I got a "too many
> open files" error before.

Absolutely. No point in using both tcpwrappers and iptables at the same time.


> 7. Use nscd. Actually, in my case nscd did not help; it still
> queried LDAP even when I had already queried the same id many times. I don't use it,
> but YMMV.

nscd ruins my OpenLDAP, even with the latest update. I can't use it.

--Tonni

--
Tony Earnshaw

Once the camel's head has entered your tent,
it's very difficult to stop the rest of the
animal from following it

http://www.billy.demon.nl
Mail: tonye-at-billy.demon.nl
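The following configuration sketch is added by the editor and is not either poster's configuration; it shows what points 1 to 5 of the thread look like when written down together for OpenLDAP 2.x with PADL nss_ldap/pam_ldap: TLS instead of clear-text bind_v3, ACLs kept alongside iptables, equality indexes on exactly the attributes the NSS lookups search on, ldapi:// for clients on the server itself, and no proxy bind. The suffix dc=example,dc=com, the host name ldap.example.com, the certificate paths and the ou=People/ou=Group layout are assumptions.

```conf
# /etc/openldap/slapd.conf  (server side; illustrative fragment, not from the
# thread; suffix, host names, paths and OU layout are assumed)

# Point 3: bind_v3 in the clear is sniffable, so offer TLS and require it.
TLSCACertificateFile    /etc/openldap/cacert.pem
TLSCertificateFile      /etc/openldap/slapd-cert.pem
TLSCertificateKeyFile   /etc/openldap/slapd-key.pem
# Security strength factor 128: no simple bind and no operation over a link
# weaker than a 128-bit TLS cipher.
security        ssf=128 simple_bind=128
# Point 4: ldapi:// sessions (start slapd with -h "ldap:/// ldapi:///") get
# this SSF so the requirement above does not lock out local clients
# (localSSF needs OpenLDAP 2.3 or later; the default is 71).
localSSF        128

# Point 2: keep ACLs even with iptables in front. userPassword is writable by
# its owner, usable for authentication by anyone, readable by nobody, so
# anonymous NSS lookups work without a proxy bind (point 1).
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by * read

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
directory       /var/lib/ldap

# Point 5: index what nss_ldap/pam_ldap actually filter on, so every
# getpwnam()/getpwuid()/getgrgid()/initgroups() call is an indexed eq match.
index   objectClass     eq
index   uid             eq
index   uidNumber       eq
index   gidNumber       eq
index   memberUid       eq
index   cn              eq

# /etc/ldap.conf  (nss_ldap / pam_ldap client side, on a second machine)
uri ldap://ldap.example.com/
# On the LDAP server itself use the unix socket instead (point 4):
# uri ldapi:///
base dc=example,dc=com
ldap_version 3

# Point 3: StartTLS and verify the server certificate; otherwise the bind
# and every password-bearing entry cross the wire in clear text.
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacert.pem

# Point 5: one-level searches under the right OU instead of a subtree scan
# of the whole DIT, and no LDAP round trip for initgroups() of local
# system accounts (nss_initgroups_ignoreusers needs a newer nss_ldap).
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_shadow ou=People,dc=example,dc=com?one
nss_base_group  ou=Group,dc=example,dc=com?one
nss_initgroups_ignoreusers root,ldap,nscd

# Fail fast instead of hanging the login path when slapd is unreachable.
bind_policy soft
bind_timelimit 5
timelimit 10
```

The two halves belong in two files; they are shown in one block only to keep the server and client settings for each point next to each other. Whether nscd helps (point 7) is independent of this: with `nss_initgroups_ignoreusers` in place the system accounts never hit LDAP at all, which is the part of point 5 that nscd was being asked to paper over.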