bbfad17 Ticket 50378 - ACI's with IPv4 and IPv6 bind rules do not work for IPv6 clients

Authored and Committed by mreynolds 3 months ago
    Ticket 50378 - ACI's with IPv4 and IPv6 bind rules do not work for IPv6 clients
    
    Description:  When the client is a IPv6 client, any ACI's that contain bind rules
                  for IPv4 addresses essentially break that aci causing it to not be
                  fully evaluated.
    
                  For example we have an aci like this:
    
                     aci: (targetattr != "aci")(version 3.0; aci "rootdse anon read access"; allow(
                     read,search,compare) userdn="ldap:///anyone" and
                     (ip="127.0.0.1" or ip="2620:52:0:84:f816:3eff:fe4b:4f35");)
    
                  So when the client is IPv6 we start processing the IP addresses in
                  the ACI, as soon as a IPv4 address is found the ACI evaluation stops
                  and in this case the IPv6 address is never checked and access is denied.
    
                  The problem is that we set the wrong return code variable in libaccess
    
    https://pagure.io/389-ds-base/issue/50378
    
    Reviewed by: mreynolds (one line commit rule)
    
    (cherry picked from commit 41c30fd557d4cc0aaaf8a9f7767d37746f4c4bc4)
    
        
file modified
+1 -1