Happy Friday!

> > Does slapd need ALL or something like that?
> > > Nothing relating to the ldap server.
> Is that not rather the point? If you restrict its availability to the
> local machine you can't see it from outside?

The older Bristol service nodes (as inherited from Yves Coppens who built them) all have slapd: 127.0.0.1 in /etc/hosts.allow, including lcgce01 which used to be lcg-CE + site-bdii but is now only site-bdii. And they're all visible from outside.

But SL5 is a different animal apparently. SELinux Enforcing won't allow bdii to start (at least bdii 3.2.4 & 5), but can be setenforce 1 once it's started. And yes it was that slapd line in hosts.allow that apparently makes no diff on SL4 but is obeyed in SL5, so change it to slapd: ALL & it seems fine.

Thanks all v much for help+advice.