Wednesday, May 15, 2019

[389-commits] [389-ds-base] branch master updated: Ticket 50378 - ACI's with IPv4 and IPv6 bind rules do not work for IPv6 clients

This is an automated email from the git hooks/post-receive script.

mreynolds pushed a commit to branch master
in repository 389-ds-base.

The following commit(s) were added to refs/heads/master by this push:
new 41c30fd Ticket 50378 - ACI's with IPv4 and IPv6 bind rules do not work for IPv6 clients
41c30fd is described below

commit 41c30fd557d4cc0aaaf8a9f7767d37746f4c4bc4
Author: Mark Reynolds <mreynolds@redhat.com>
AuthorDate: Wed May 15 16:04:55 2019 -0400

Ticket 50378 - ACI's with IPv4 and IPv6 bind rules do not work for IPv6 clients

Description: When the client is an IPv6 client, any ACI's that contain bind rules
for IPv4 addresses essentially break that aci, causing it to not be
fully evaluated.

For example we have an aci like this:

aci: (targetattr != "aci")(version 3.0; aci "rootdse anon read access"; allow(
read,search,compare) userdn="ldap:///anyone" and
(ip="127.0.0.1" or ip="2620:52:0:84:f816:3eff:fe4b:4f35");)

So when the client is IPv6 we start processing the IP addresses in
the ACI; as soon as an IPv4 address is found the ACI evaluation stops,
and in this case the IPv6 address is never checked and access is denied.

The problem is that we set the wrong return code variable in libaccess.

https://pagure.io/389-ds-base/issue/50378

Reviewed by: mreynolds (one line commit rule)
---
lib/libaccess/lasip.cpp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/libaccess/lasip.cpp b/lib/libaccess/lasip.cpp
index eea7aff..30c546d 100644
--- a/lib/libaccess/lasip.cpp
+++ b/lib/libaccess/lasip.cpp
@@ -598,7 +598,7 @@ int LASIpEval(NSErr_t *errp, char *attr_name, CmpOp_t comparator,

node = context->treetop_ipv6;
if ( node == NULL ) {
- retcode = (comparator == CMP_OP_EQ ? LAS_EVAL_FALSE : LAS_EVAL_TRUE);
+ rc = (comparator == CMP_OP_EQ ? LAS_EVAL_FALSE : LAS_EVAL_TRUE);
} else {
addr = PR_ntohs( ipv6->_S6_un._S6_u16[field]);
for (bit = 127; bit >= 0 ; bit--, bit_position--) {
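Review bot: the single-variable correction in the `node == NULL` branch (`retcode` to `rc`) ships without a test, as the diffstat (only `lib/libaccess/lasip.cpp` touched) shows; a regression test that binds over IPv6 against an ACI combining `ip="127.0.0.1" or ip="<ipv6 address>"`, as in the commit message's example, would pin the described behaviour. A short comment above the assignment stating that `rc` carries the outcome of this `ip=` rule while `retcode` is the final evaluation result, which is the distinction the commit message relies on, would also help, since the two names are easy to confuse and the same mix-up caused this bug.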

--
To stop receiving notification emails like this one, please contact
the administrator of this repository.
_______________________________________________
389-commits mailing list -- 389-commits@lists.fedoraproject.org
To unsubscribe send an email to 389-commits-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-commits@lists.fedoraproject.org
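The commit message describes an `or` of `ip=` bind rules that stops evaluating as soon as a rule of the other address family is reached. The following Python model, added here and not taken from 389-ds-base or libaccess, shows the two evaluation orders side by side: a correct evaluator treats a family mismatch as "this disjunct does not match" and keeps going, while the buggy one turns that mismatch into the final answer. The function names, the use of the `ipaddress` module, and the restriction to plain addresses or CIDR prefixes (the real ACI syntax also accepts wildcards and netmasks) are assumptions of this example; the addresses are the ones quoted in the commit message.

```python
import ipaddress


def ip_rule_matches(rule_ip: str, client_ip: str) -> bool:
    """Evaluate a single ip= bind rule value against the client address.

    A rule written for the other address family cannot match an address
    of this family; that is a plain "no match", not an error.
    Hypothetical helper: real libaccess keeps per-family lookup trees.
    """
    rule = ipaddress.ip_network(rule_ip, strict=False)  # host or CIDR
    client = ipaddress.ip_address(client_ip)
    if rule.version != client.version:
        return False
    return client in rule


def evaluate_ip_disjunction(rule_ips, client_ip: str) -> bool:
    """(ip="a" or ip="b" ...): grant if any disjunct matches (corrected)."""
    return any(ip_rule_matches(r, client_ip) for r in rule_ips)


def evaluate_ip_disjunction_buggy(rule_ips, client_ip: str) -> bool:
    """Model of the failure in the commit message (not the library's code).

    When a disjunct belongs to the other address family the evaluator
    stores the "no tree for this family" outcome in the variable that
    ends the whole evaluation, so later disjuncts are never examined.
    """
    client = ipaddress.ip_address(client_ip)
    for r in rule_ips:
        rule = ipaddress.ip_network(r, strict=False)
        if rule.version != client.version:
            return False  # evaluation stops here: access denied
        if client in rule:
            return True
    return False


# Constructed sample: the ACI from the commit message, reduced to its ip= rules.
ACI_IP_RULES = ["127.0.0.1", "2620:52:0:84:f816:3eff:fe4b:4f35"]


def compare(client_ip: str) -> dict:
    """Return both outcomes for one client so the divergence is visible."""
    return {
        "client": client_ip,
        "fixed": evaluate_ip_disjunction(ACI_IP_RULES, client_ip),
        "buggy": evaluate_ip_disjunction_buggy(ACI_IP_RULES, client_ip),
    }


if __name__ == "__main__":
    for ip in ["127.0.0.1", "2620:52:0:84:f816:3eff:fe4b:4f35", "2620:52:0:84::1"]:
        print(compare(ip))
```

Running the script shows the IPv4 client granted by both evaluators, the listed IPv6 client granted only by the corrected one, and an unlisted IPv6 client denied by both; the difference on the second row is the bug the patch fixes. The same shape of check (a family mismatch is a non-match, never a verdict) is what a regression test for this ticket would assert.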
