[Pkg-openldap-devel] Bug#854436: Bug#854436: openldap: please don't use tcp-wrappers with slapd

Steve Langasek vorlon at debian.org
Tue Feb 7 18:56:53 UTC 2017


On Tue, Feb 07, 2017 at 09:28:18AM +0100, Arturo Borrero Gonzalez wrote:
> Source: openldap
> Severity: important

> Dear openldap maintainers and contributors, thanks for your work with this
> package.

> Please, don't use tcp-wrappers with slapd.

> It has been already known for a while that this technology is obsolete [0],
> and may cause a false sense of security which is even worse.

> [0] https://lists.ubuntu.com/archives/ubuntu-users/2014-June/276215.html

That is an opinion on a mailing list, not something which is "known".  Many
consider it part of a valid defense-in-depth strategy for their systems.

> In some environments, this may cause other issues, for example:

> slapd[7408]: warning: cannot open /etc/hosts.allow: Too many open files
> slapd[7408]: warning: cannot open /etc/hosts.deny: Too many open files
> slapd[7408]: warning: cannot open /etc/hosts.allow: Too many open files
> slapd[7408]: warning: cannot open /etc/hosts.deny: Too many open files
> slapd[7408]: warning: cannot open /etc/hosts.allow: Too many open files
> slapd[7408]: warning: cannot open /etc/hosts.deny: Too many open files

If people are hitting open file limits trying to open two extra files,
disabling features in the codebase is not the correct solution.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek at ubuntu.com                                     vorlon at debian.org