From: Kurt Zeilenga Date: Sat, 8 Feb 2003 07:40:19 +0000 (+0000) Subject: Disable reverse lookups by default for security X-Git-Tag: NO_SLAP_OP_BLOCKS~403 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=698d73d5f38515fa326ebb86839bbeb64413fd12;p=openldap Disable reverse lookups by default for security (and performance) reasons. --- diff --git a/doc/man/man5/slapd.access.5 b/doc/man/man5/slapd.access.5 index fc495b0d0f..b23acb64c7 100644 --- a/doc/man/man5/slapd.access.5 +++ b/doc/man/man5/slapd.access.5 @@ -266,6 +266,12 @@ pattern, or its trailing part, after a exactly matches the .BR domain pattern. +The +.B domain +of the contacting host is determined by performing a DNS reverse lookup. +As this lookup can easily be spoofed, use of the +.B domain +statement is strongly discouraged. By default, reverse lookups are disabled. .LP The statement .B set= diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5 index 140bf45d59..9c398f986c 100644 --- a/doc/man/man5/slapd.conf.5 +++ b/doc/man/man5/slapd.conf.5 @@ -557,8 +557,8 @@ may be used to require no conditions (useful for clearly globally set conditions within a particular database). .TP .B reverse-lookup on | off -Enable/disable client name reverse lookup (default is -.BR on +Enable/disable client name unverified reverse lookup (default is +.BR off if compiled with --enable-rlookups). .TP .B rootDSE diff --git a/servers/slapd/config.c b/servers/slapd/config.c index 052cf3e896..42956da98b 100644 --- a/servers/slapd/config.c +++ b/servers/slapd/config.c @@ -66,11 +66,7 @@ char *slapd_args_file = NULL; char *strtok_quote_ptr; -#ifdef SLAPD_RLOOKUPS -int use_reverse_lookup = 1; -#else /* !SLAPD_RLOOKUPS */ int use_reverse_lookup = 0; -#endif /* !SLAPD_RLOOKUPS */ static char *fp_getline(FILE *fp, int *lineno); static void fp_getline_init(int *lineno);
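Review bot: in the slapd.access.5 hunk, the added paragraph ends with "By default, reverse lookups are disabled." but does not say what a `domain` clause does in that case, nor how an administrator would turn lookups back on. A reader of this page alone cannot tell whether a `by domain=...` clause silently never matches, or matches some fallback, once lookups are off; say so explicitly, and point to the `reverse-lookup` directive in slapd.conf(5) (and its dependence on `--enable-rlookups`) as the only way to make `domain` usable at all. Since the paragraph already calls the lookup "easily spoofed", it would also help to state why in one clause: the PTR record is under the control of whoever controls the reverse zone for the client address, and the lookup is not forward-confirmed.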
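Review bot: in the slapd.conf.5 hunk, the new wording "Enable/disable client name unverified reverse lookup (default is off if compiled with --enable-rlookups)" is now misleading. With the config.c change the default is `off` unconditionally, so the conditional "if compiled with --enable-rlookups" no longer qualifies the default, it only qualifies whether the directive has any effect. Suggest: "Enable/disable unverified reverse lookup of client host names (default is off). The directive has no effect unless slapd was built with --enable-rlookups." Also consider keeping the word "unverified" but moving it out of the noun pile, as above, so the sentence reads naturally.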
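Review bot: in the config.c hunk, dropping the `#ifdef SLAPD_RLOOKUPS` around the initializer leaves `use_reverse_lookup = 0` for every build, which is the intended default, but the hunk does not show the code that parses `reverse-lookup on` or the code that consults the variable. Please confirm both sites are still guarded for the `!SLAPD_RLOOKUPS` build, so that `reverse-lookup on` in a build without rlookups either is rejected with a clear config error or stays a no-op, rather than setting the flag to 1 with no lookup code behind it. Separately, this flips a default that existing deployments may depend on: any ACL written with `by domain=...` will stop matching after an upgrade unless the administrator adds `reverse-lookup on`, so this change deserves a release-note or CHANGES entry, which is not part of this commit.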