Howard Chu wrote:
A. Schulze wrote:
This is the third and last patch I'm sending today :-)
I compiled openldap with '--enable-rlookups' and set 'reverse-lookup on' in slapd.conf, as I like to see the remote hostname logged. That didn't work somehow. (I wrote this patch months ago and could not describe the real problem anymore.)
Anyway: the patch modifies the log output:
reverse-lookup off: conn=4846 fd=42 ACCEPT from IP=127.0.0.1:46058 (IP=127.0.0.1:389)
reverse-lookup on: conn=4191 fd=18 ACCEPT from localhost (IP=127.0.0.1:389)
I never tested with ldapi:// connections. Also I expect the patch is not optimal for performance. But it works here in a small environment.
Indeed, in a busy environment the DNS resolver itself is too slow for slapd. I've got no particular comment on this patch since I never enable reverse lookups. But IMO, this sort of thing is best left to a logfile postprocessor, because handling it directly in slapd will be too slow.
I wholeheartedly agree.
Maybe this feature should be removed in 2.5 to make that really clear. Likely this would also hunk out ACLs based on hostnames. But that's a pretty dangerous feature anyway.
Ciao, Michael.
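As an added illustration of the "logfile postprocessor" approach Howard suggests (this is example code written for this page, not part of the patch or of OpenLDAP), the script below rewrites slapd ACCEPT lines of the exact form quoted in the thread, resolving the client address outside the daemon so slapd never blocks on DNS. The regex is an assumption derived from the two sample lines above; the sample log lines and the dictionary-backed resolver used for offline testing are constructed. Unlike slapd's own 'reverse-lookup on' output, the rewritten line keeps the raw client IP and port next to the name, because a PTR record is set by whoever controls the reverse zone and is not on its own a trustworthy identity.

```python
import re
import socket
from typing import Callable, Dict, Iterable, List, Optional

# Matches the ACCEPT lines slapd writes with reverse-lookup off, as quoted in
# the thread. IPv4 and bracketed IPv6 literals are both accepted. This regex is
# an assumption based on those sample lines, not taken from slapd's source.
ACCEPT_RE = re.compile(
    r"^(?P<head>conn=\d+ fd=\d+ ACCEPT from )"
    r"IP=(?P<ip>\[[0-9A-Fa-f:.]+\]|[0-9.]+):(?P<port>\d+)"
    r"(?P<tail> \(IP=.*\))$"
)

Resolver = Callable[[str], Optional[str]]

# Constructed sample input in the format quoted in the thread.
SAMPLE_LOG = [
    "conn=4846 fd=42 ACCEPT from IP=127.0.0.1:46058 (IP=127.0.0.1:389)",
    "conn=4847 fd=43 ACCEPT from IP=192.0.2.10:5000 (IP=127.0.0.1:389)",
    "conn=4846 op=0 BIND dn=\"\" method=128",
]


def system_resolver(ip: str) -> Optional[str]:
    """Reverse-resolve with the system resolver; None when the PTR lookup fails."""
    try:
        return socket.gethostbyaddr(ip.strip("[]"))[0]
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        return None


class AcceptLogRewriter:
    """Rewrites ACCEPT lines to carry the client hostname.

    Lookups are memoised per address, so a busy log costs one PTR query per
    distinct client rather than one per connection. Failed lookups are cached
    too (as None) so an unreachable reverse zone is not queried repeatedly.
    """

    def __init__(self, resolver: Resolver = system_resolver) -> None:
        self._resolver = resolver
        self._cache: Dict[str, Optional[str]] = {}
        self.lookups = 0  # number of real resolver calls made

    def hostname(self, ip: str) -> Optional[str]:
        if ip not in self._cache:
            self.lookups += 1
            self._cache[ip] = self._resolver(ip)
        return self._cache[ip]

    def rewrite(self, line: str) -> str:
        m = ACCEPT_RE.match(line)
        if not m:
            return line  # not a TCP ACCEPT line (e.g. ldapi://), pass through
        host = self.hostname(m.group("ip"))
        if host is None:
            return line  # keep the original line when reverse lookup fails
        # Keep the raw address next to the name: the address is the verifiable
        # fact, the PTR name is whatever the reverse-zone owner chose to publish.
        return (f"{m.group('head')}{host} "
                f"IP={m.group('ip')}:{m.group('port')}{m.group('tail')}")


def rewrite_lines(lines: Iterable[str],
                  resolver: Resolver = system_resolver) -> List[str]:
    """Rewrite a whole log in one pass, sharing one lookup cache."""
    rw = AcceptLogRewriter(resolver)
    return [rw.rewrite(line) for line in lines]


if __name__ == "__main__":
    import sys
    # Usage: slapd's log on stdin, annotated log on stdout.
    rw = AcceptLogRewriter()
    for raw in sys.stdin:
        print(rw.rewrite(raw.rstrip("\n")))
```

Run it as a filter over the log file (or a syslog pipe) rather than inside slapd; the cache keeps the resolver traffic proportional to the number of distinct clients, and unresolvable or non-ACCEPT lines pass through unchanged so nothing is lost from the original log.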