Disable reverse lookups by default for security

(and performance) reasons.

doc/man/man5/slapd.access.5

@@ -266,6 +266,12 @@ pattern, or its trailing part, after a
 exactly matches the 
 .BR domain
 pattern.
+The
+.B domain
+of the contacting host is determined by performing a DNS reverse lookup.
+As this lookup can easily be spoofed, use of the
+.B domain
+statement is strongly discouraged.  By default, reverse lookups are disabled.
 .LP
 The statement
 .B set=<pattern>

doc/man/man5/slapd.conf.5

@@ -557,8 +557,8 @@ may be used to require no conditions (useful for clearly globally
 set conditions within a particular database).
 .TP
 .B reverse-lookup on | off
-Enable/disable client name reverse lookup (default is 
-.BR on 
+Enable/disable client name unverified reverse lookup (default is 
+.BR off 
 if compiled with --enable-rlookups).
 .TP
 .B rootDSE <file>

servers/slapd/config.c

@@ -66,11 +66,7 @@ char   *slapd_args_file = NULL;
 
 char   *strtok_quote_ptr;
 
-#ifdef SLAPD_RLOOKUPS
-int use_reverse_lookup = 1;
-#else /* !SLAPD_RLOOKUPS */
 int use_reverse_lookup = 0;
-#endif /* !SLAPD_RLOOKUPS */
 
 static char	*fp_getline(FILE *fp, int *lineno);
 static void	fp_getline_init(int *lineno);