
Re: log_rdns.patch



Howard Chu wrote:
> A. Schulze wrote:
>> this is my third and last patch I send today :-)
>>
>> I compiled openldap with '--enable-rlookups' and set 'reverse-lookup on' in
>> slapd.conf
>> I like to see the remote hostname logged. That didn't work somehow.
>> ( I wrote this patch months ago and could not describe the real problem anymore)
>>
>>
>> Anyway: the patch modifies log output:
>>
>>    reverse-lookup off:
>>      conn=4846 fd=42 ACCEPT from IP=127.0.0.1:46058 (IP=127.0.0.1:389)
>>
>>    reverse-lookup on:
>>      conn=4191 fd=18 ACCEPT from localhost (IP=127.0.0.1:389)
>>
>> I never tested with ldapi:// connections.
>> Also I expect the patch is not optimal for performance. But it works here in a
>> small environment.
> 
> Indeed, in a busy environment the DNS resolver itself is too slow for slapd.
> I've got no particular comment on this patch since I never enable reverse
> lookups. But IMO, this sort of thing is best left to a logfile postprocessor,
> because handling it directly in slapd will be too slow.

I wholeheartedly agree.

Maybe this feature should be removed in 2.5 to make that really clear. Likely
this would also hunk out ACLs based on hostnames. But that's a pretty dangerous
feature anyway.

Ciao, Michael.
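
The logfile postprocessor approach suggested in this thread, as an added example that is not part of the original messages or of OpenLDAP: a stdin-to-stdout filter that appends the peer's reverse-DNS name to ACCEPT lines in the format quoted above. The function names, the `rdns=` suffix and the `UNVERIFIED`/`INVALID` markers are assumptions made for this sketch.

```python
import re
import socket
import sys
from functools import lru_cache

# Peer address in the ACCEPT line format quoted above (bracketed IPv6 form assumed).
ACCEPT_RE = re.compile(r"ACCEPT from IP=(\[[0-9A-Fa-f:.]+\]|[0-9.]+):\d+ ")
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,253}")


def system_resolver(ip):
    """Return (ptr_name, forward_addresses); (None, set()) if there is no PTR."""
    try:
        name = socket.gethostbyaddr(ip)[0]
    except OSError:
        return None, set()
    try:
        addrs = {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        addrs = set()
    return name, addrs


def make_annotator(resolver=system_resolver, cache_size=4096):
    """Build annotate(line); lookups are cached per peer IP."""
    @lru_cache(maxsize=cache_size)
    def label(ip):
        name, addrs = resolver(ip)
        if name is None:
            return ""
        if not SAFE_NAME.fullmatch(name):
            return " rdns=INVALID"  # never copy odd PTR bytes into the log
        # The PTR record is set by whoever controls the address's reverse zone,
        # so flag names whose forward lookup does not return the same IP.
        return f" rdns={name}" + ("" if ip in addrs else " UNVERIFIED")

    def annotate(line):
        m = ACCEPT_RE.search(line)
        if not m:
            return line
        body = line.rstrip("\n")
        # Keep the original line (and its IP) intact; only append the name.
        return body + label(m.group(1).strip("[]")) + line[len(body):]

    return annotate


if __name__ == "__main__":
    annotate = make_annotator()
    for raw in sys.stdin:
        sys.stdout.write(annotate(raw))
```

Because the lookups happen outside slapd, a slow resolver delays only the annotated copy of the log, and the logged IP remains the authoritative record of the peer.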

