From 698d73d5f38515fa326ebb86839bbeb64413fd12 Mon Sep 17 00:00:00 2001
From: Kurt Zeilenga
Date: Sat, 8 Feb 2003 07:40:19 +0000
Subject: [PATCH] Disable reverse lookups by default for security (and performance) reasons.
---
 doc/man/man5/slapd.access.5 | 6 ++++++
 doc/man/man5/slapd.conf.5 | 4 ++--
 servers/slapd/config.c | 4 ----
 3 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/doc/man/man5/slapd.access.5 b/doc/man/man5/slapd.access.5
index fc495b0d0f..b23acb64c7 100644
--- a/doc/man/man5/slapd.access.5
+++ b/doc/man/man5/slapd.access.5
@@ -266,6 +266,12 @@ pattern, or its trailing part, after a
 exactly matches the
 .BR domain
 pattern.
+The
+.B domain
+of the contacting host is determined by performing a DNS reverse lookup.
+As this lookup can easily be spoofed, use of the
+.B domain
+statement is strongly discouraged. By default, reverse lookups are disabled.
 .LP
 The statement
 .B set=
diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
index 140bf45d59..9c398f986c 100644
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@@ -557,8 +557,8 @@ may be used to require no conditions (useful for clearly
 globally set conditions within a particular database).
 .TP
 .B reverse-lookup on | off
-Enable/disable client name reverse lookup (default is
-.BR on
+Enable/disable client name unverified reverse lookup (default is
+.BR off
 if compiled with --enable-rlookups).
 .TP
 .B rootDSE
diff --git a/servers/slapd/config.c b/servers/slapd/config.c
index 052cf3e896..42956da98b 100644
--- a/servers/slapd/config.c
+++ b/servers/slapd/config.c
@@ -66,11 +66,7 @@ char *slapd_args_file = NULL;
 char *strtok_quote_ptr;
-#ifdef SLAPD_RLOOKUPS
-int use_reverse_lookup = 1;
-#else /* !SLAPD_RLOOKUPS */
 int use_reverse_lookup = 0;
-#endif /* !SLAPD_RLOOKUPS */
 static char *fp_getline(FILE *fp, int *lineno);
 static void fp_getline_init(int *lineno);
-- 
2.39.5
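Review bot: The now-unconditional `int use_reverse_lookup = 0;` in the config.c hunk carries no comment saying why the default is off or that the flag is only meaningful in a build with SLAPD_RLOOKUPS, so the rationale lives only in the man page; a comment such as `/* Client reverse-DNS lookup is off by default: the PTR result is never forward-confirmed and is trivially spoofable. Only effective when built with SLAPD_RLOOKUPS (--enable-rlookups). */` would keep it with the code. Since the variable is defined in every build (before and after this change), the `reverse-lookup on` keyword is presumably accepted even in a build without rlookups, where setting it has no effect; if the config parser, which is outside this hunk, does not already warn in that case, it would be worth adding. If the lookup is later made usable, the name it returns should be forward-confirmed (resolve it and require the client address among the answers) before an ACL `domain` match trusts it. These lines are file-scope declarations, not part of any function.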