https://bugs.openldap.org/show_bug.cgi?id=10297
--- Comment #4 from pemensik@redhat.com --- Ah, great to have this fixed. It was causing a mess in many places.
It seems it could still be made to be used only from the special cases where the ( !name_in || !strcasecmp( name_in, "localhost" ) ) condition was already checked. Only in that case should it start a resolution attempt, because only in that rare case would it get used.
The current fix postpones it only until some actual TLS connection is made. But I think it should be postponed until a localhost connection is made only. For a well-configured client it should still be avoided.
Looking at the MR, os-ip.c would use it only for ::1, 127.0.0.1 or 0.0.0.0 addresses or an AF_LOCAL socket. But the resolution is started even for different addresses, and it could and should be avoided IMO. Resolution could be moved in all cases to just right before the strdup:
    if ( !ldap_int_hostname )
        ldap_int_resolve_hostname();
    return LDAP_STRDUP( ldap_int_hostname );
Similarly with localhost or an unset name in tls. I think something like this should be used instead in the tls variants:
    const char *
    ldap_int_hostname_not_localhost( const char *name_in )
    {
        if ( !name_in || !strcasecmp( name_in, "localhost" ) ) {
            if ( !ldap_int_hostname )
                ldap_int_resolve_hostname();
            if ( ldap_int_hostname )
                return ldap_int_hostname;
        }
        return name_in;
    }

    // would become shared and lazily initialized
    name = ldap_int_hostname_not_localhost( name_in );
Ideally sharing a common function instead of repeating this logic 3 times.
Maybe ldap_int_resolve_hostname should just return the resolved name, whatever it is. The reading of ldap_int_hostname might be protected by the mutex as well, not just its modification. The static resolved already checks whether it was already tried.
This would ensure that when a correct FQDN is configured, no further resolution would be made.
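The shared, lazily initialised helper proposed in the comment above, as an added stand-alone illustration (not OpenLDAP's code and not the commenter's patch): it resolves only when the caller passed no name or "localhost", tries at most once, and holds the mutex for reading the cached name as well as writing it. The names hostname_not_localhost, resolve_hostname_once and resolve_attempts are hypothetical, and gethostname() stands in for libldap's internal resolver.

```c
/* Hypothetical helper mirroring the proposed ldap_int_hostname_not_localhost;
 * gethostname() replaces libldap's resolver so this runs offline. */
#include <pthread.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>

static pthread_mutex_t hostname_mutex = PTHREAD_MUTEX_INITIALIZER;
static char cached_hostname[256];   /* empty until a resolution succeeded */
static int resolved = 0;            /* resolution attempted, success or not */
static int attempts = 0;            /* number of resolution attempts made */

/* Resolve at most once; later callers only read the cached value. */
static void resolve_hostname_once(void)
{
    if (resolved)
        return;
    resolved = 1;
    attempts++;
    if (gethostname(cached_hostname, sizeof(cached_hostname)) != 0)
        cached_hostname[0] = '\0';       /* failure: caller keeps name_in */
    cached_hostname[sizeof(cached_hostname) - 1] = '\0';
}

/* Return name_in untouched unless it is unset or "localhost"; only then
 * consult the cache, with the mutex held for both the read and the write. */
const char *hostname_not_localhost(const char *name_in)
{
    const char *result = name_in;
    if (name_in && strcasecmp(name_in, "localhost") != 0)
        return name_in;                  /* well configured: no lookup at all */
    pthread_mutex_lock(&hostname_mutex);
    resolve_hostname_once();
    if (cached_hostname[0] != '\0')
        result = cached_hostname;        /* write-once buffer, safe after unlock */
    pthread_mutex_unlock(&hostname_mutex);
    return result;
}

int resolve_attempts(void) { return attempts; }

int main(void)
{
    printf("%s (attempts=%d)\n", hostname_not_localhost("ldap.example.com"), resolve_attempts());
    printf("%s (attempts=%d)\n", hostname_not_localhost("localhost"), resolve_attempts());
    printf("%s (attempts=%d)\n", hostname_not_localhost(NULL), resolve_attempts());
    return 0;
}
```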