
Re: Performance impact of linking libwrap



Aaron Richton wrote:
> On Tue, 9 Dec 2014, Terje Trane wrote:
> 
>> Oct 31 11:11:33 ldapsrv slapd[6603]: warning: cannot open /etc/hosts.deny:
>> Too many open files
>> ...etc...etc...
>>
>> ...and preventing most of the genuine lookups and logins.
>>
>> You can of course up the ulimit (default was 1024) and in slapd config limit
>> connections to prevent clients from being able to do this, but if you don't
>> need tcp wrappers anyway, ....
> 
> While I don't disagree with this in principle, I want to write for the
> archives. IMO people searching for "slapd /etc/hosts.deny: Too many open
> files" really shouldn't get "go recompile --disable" as a result:
> 
> A ulimit that low, nowadays, is really just to rapidly stop typos and other
> foolishly runaway processes. For a process such as a server running on
> (even-not-so-)modern hardware, when you're expecting large amounts of
> connections -- and keeping in mind that each connection takes a file
> descriptor -- that limit should be significantly higher.
> 
> Basically, blaming the final straw isn't the right move. Given the choice
> between repackaging a piece of software with fewer features, or reconfiguring
> an unrealistic default to an appropriate value for your environment, I'd think
> the config file is the way to go...regardless of libwrap or any other part of
> the stack.

But it makes a huge difference if you have two or three file handles per
connection or just one.

And on Linux and some other platforms normally nobody uses TCP wrapper
anymore. You can achieve the same and do better with iptables or whatever
local FW is available.

As usual: Your mileage may vary.

Ciao, Michael.


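Added example, not part of the thread: a shell check of how much file-descriptor headroom a running daemon has, given that the number of descriptors per connection (one versus two or three) changes how many connections fit under the limit. It assumes the Linux `/proc/<pid>/limits` and `/proc/<pid>/fd` interfaces; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report file-descriptor headroom for a daemon such as slapd.
# Paths are parameters so the functions also work on constructed test files.

# soft_nofile LIMITS_FILE -> soft "Max open files" value from /proc/<pid>/limits
soft_nofile() {
    awk '/^Max open files/ { print $4 }' "$1"
}

# open_fds FD_DIR -> number of descriptors currently open (entries in /proc/<pid>/fd)
open_fds() {
    ls -A "$1" | wc -l | tr -d ' '
}

# fd_headroom LIMITS_FILE FD_DIR [FDS_PER_CONN]
# Prints "<open> <soft limit> <additional connections that still fit>".
fd_headroom() {
    limit=$(soft_nofile "$1")
    used=$(open_fds "$2")
    per_conn=${3:-1}
    if [ "$limit" = "unlimited" ]; then
        echo "$used unlimited unlimited"
        return 0
    fi
    free=$((limit - used))
    if [ "$free" -lt 0 ]; then
        free=0
    fi
    echo "$used $limit $((free / per_conn))"
}

# When run with a PID argument (and optionally descriptors per connection),
# report on that live process, e.g.:  sh fdcheck.sh 6603 3
if [ -n "${1:-}" ]; then
    fd_headroom "/proc/$1/limits" "/proc/$1/fd" "${2:-1}"
fi
```

Reading another user's `/proc/<pid>/fd` normally requires root or the daemon's own account.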