Moving this to the 1.3.0.a1 milestone. It would be nice to add support for IPv6 addresses in ACI's at the same time since we'll be in the same area of code.

set default ticket origin to Community

Added initial screened field value.

Bug description: DNS keyword in ACI only accepted an FQDN returned
from gethostbyaddr. If an alias hostname was set in an ACI, a request
sent from the host was treated as the one from the primary hostname
and it failed to get the expected access rights.

Fix description: This patch is turning a keyword "dnsalias" public.
In addition to the primary hostname, by setting the secondary host-
names as dnsalias, clients requests would obtain the expected access
rights. When an IP address is associated with multiple hostnames
(primary: hostA, aliases: hostB and hostC), they could be listed, for
instance, in an aci as follows:
{{{
aci: (targetattr = "*") (version 3.0;acl "dnsalias example";allow (all)
dns="hostA.example.com" or dnsalias="hostB.example.com" or dnslias=
"hostC.example.com";)
}}}

git patch file (master)
0001-Trac-Ticket-311-IP-lookup-failing-with-multiple-DNS-.patch

Do we really need a new aci keyword? Can't we just use the existing "dns" to mean "dns fqdn and any aliases"?

Thanks for your comments, Rich and Ludwig!

Actually, dnsalias is not a new keyword. It's been implemented in lib/libaccess/lasdns.cpp for a long time. I'm just proposing to use it (and replacing the obsolete NSPR API (PR_GetHostByAddr) with the new one (PR_GetAddrInfoByName).

The difference between "dns" and "dnsalias" is if the FQDN specified as dns is not found in the DNS hashtable, it fails there. If it is dnsalias, it's converted to IP address then converted back to the primary FQDN, then look up in the hash table. The process could be slow if just to find out it's not in the hash table...

By setting 1 to aliasflg for "dns", it enables the dns hostname fallback to the alias hostname.
{{{
- if (strcmp(attr_name, "dns") == 0)
- aliasflg = 0;
- else if (strcmp(attr_name, "dnsalias") == 0)
- aliasflg = 1;
- else {
- nserrGenerate(errp, ACLERRINVAL, ACLERR4800, ACL_Program, 2, XP_GetAdmin
- return LAS_EVAL_INVALID;
+ if (strcmp(attr_name, "dns") == 0) {
+ / Enable aliasflg for "dns", which allows "dns" hostname to look up
+ * DSN hash table using the primary hostname. /
+ aliasflg = 1;
+ } else if (strcmp(attr_name, "dnsalias") == 0) {
+ aliasflg = 1;
+ } else {
+ nserrGenerate(errp, ACLERRINVAL, ACLERR4800, ACL_Program, 2, XP_GetAdmi
+ return LAS_EVAL_INVALID;
}
}}}
I'm adding a new patch next...

git patch file (master) - take 2
0001-Trac-Ticket-311-IP-lookup-failing-with-multiple-DNS.patch

Reviewed by Rich (Thank you!!)

Pushed to master.

commit 8a9684f

Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=918697

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/311

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.