Disable reverse lookups by default for security

(and performance) reasons.

diff --git a/doc/man/man5/slapd.access.5 b/doc/man/man5/slapd.access.5
index fc495b0d0fd2efde2ed86192a44c59c3a2ac527f..b23acb64c728b811b1c979aa213c17a20b2c92af 100644 (file)
--- a/doc/man/man5/slapd.access.5
+++ b/doc/man/man5/slapd.access.5
@@ -266,6 +266,12 @@ pattern, or its trailing part, after a
 exactly matches the 
 .BR domain
 pattern.
+The
+.B domain
+of the contacting host is determined by performing a DNS reverse lookup.
+As this lookup can easily be spoofed, use of the
+.B domain
+statement is strongly discouraged.  By default, reverse lookups are disabled.
 .LP
 The statement
 .B set=<pattern>

diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
index 140bf45d59fd65f01e4e04f844eb80d2eb340527..9c398f986c13d3ddfd34a8ec92493ce77cf0ca7e 100644 (file)
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@@ -557,8 +557,8 @@ may be used to require no conditions (useful for clearly globally
 set conditions within a particular database).
 .TP
 .B reverse-lookup on | off
-Enable/disable client name reverse lookup (default is 
-.BR on 
+Enable/disable client name unverified reverse lookup (default is 
+.BR off 
 if compiled with --enable-rlookups).
 .TP
 .B rootDSE <file>

diff --git a/servers/slapd/config.c b/servers/slapd/config.c
index 052cf3e8967ac26d3d3b50940bed4bb95d565d1d..42956da98b001acb47e4ab80d44cb54427b2eb93 100644 (file)
--- a/servers/slapd/config.c
+++ b/servers/slapd/config.c
@@ -66,11 +66,7 @@ char   *slapd_args_file = NULL;
 
 char   *strtok_quote_ptr;
 
-#ifdef SLAPD_RLOOKUPS
-int use_reverse_lookup = 1;
-#else /* !SLAPD_RLOOKUPS */
 int use_reverse_lookup = 0;
-#endif /* !SLAPD_RLOOKUPS */
 
 static char    *fp_getline(FILE *fp, int *lineno);
 static void    fp_getline_init(int *lineno);