Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1564171
Description of problem:

Using this aci under null based dn, for instance:

aci: (targetattr != "aci")(version 3.0; aci "rootdse anon read access"; allow( read,search,compare) (userdn="ldap:///anyone") and (ip="2620:52:0:ab0:1a:4aff:fe0a:b201");)

And I do a search:

ip a
    inet6 2620:52:0:ab0:1a:4aff:fe0a:b201/64 scope global noprefixroute dynamic

ldapsearch -xLLL -h 2620:52:0:ab0:21a:4aff:feeb:8b33 -p 389 -b "" -s base
dn:
objectClass: top
namingContexts: cn=changelog
namingContexts: dc=cgparente,dc=local
namingContexts: o=ipaca
defaultnamingcontext: dc=cgparente,dc=local
supportedExtension: 2.16.840.1.113730.3.5.7
supportedExtension: 2.16.840.1.113730.3.5.8
supportedExtension: 2.16.840.1.113730.3.5.10
supportedExtension: 2.16.840.1.113730.3.8.10.3
supportedExtension: 2.16.840.1.113730.3.8.10.4
supportedExtension: 2.16.840.1.113730.3.8.10.4.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 2.16.840.1.113730.3.8.10.1
supportedExtension: 2.16.840.1.113730.3.8.10.5
supportedExtension: 2.16.840.1.113730.3.5.3
supportedExtension: 2.16.840.1.113730.3.5.12
supportedExtension: 2.16.840.1.113730.3.5.5
supportedExtension: 2.16.840.1.113730.3.5.6
supportedExtension: 2.16.840.1.113730.3.5.9
supportedExtension: 2.16.840.1.113730.3.5.4
supportedExtension: 2.16.840.1.113730.3.6.5
supportedExtension: 2.16.840.1.113730.3.6.6
supportedExtension: 2.16.840.1.113730.3.6.7
supportedExtension: 2.16.840.1.113730.3.6.8
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 2.16.840.1.113730.3.4.3
supportedControl: 2.16.840.1.113730.3.4.4
supportedControl: 2.16.840.1.113730.3.4.5
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.16
supportedControl: 2.16.840.1.113730.3.4.15
supportedControl: 2.16.840.1.113730.3.4.17
supportedControl: 2.16.840.1.113730.3.4.19
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.8
supportedControl: 1.3.6.1.4.1.4203.666.5.16
supportedControl: 2.16.840.1.113730.3.8.10.6
supportedControl: 2.16.840.1.113730.3.8.10.7
supportedControl: 2.16.840.1.113730.3.4.14
supportedControl: 2.16.840.1.113730.3.4.20
supportedControl: 1.3.6.1.4.1.1466.29539.12
supportedControl: 2.16.840.1.113730.3.4.12
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.13
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: ANONYMOUS
supportedLDAPVersion: 2
supportedLDAPVersion: 3
vendorName: 389 Project
vendorVersion: 389-Directory/1.3.6.1 B2017.314.143
dataversion: 020180405142105020180405142105020180405142105
netscapemdsuffix: cn=ldap://dc=trustreplica,dc=cgparente,dc=local:389
lastusn: 42884
changeLog: cn=changelog
firstchangenumber: 344
lastchangenumber: 363
ipatopologypluginversion: 1.0
ipatopologyismanaged: off
ipaDomainLevel: 0

access logs:

[05/Apr/2018:10:22:06.968152786 -0400] conn=7 fd=66 slot=66 connection from 2620:52:0:ab0:1a:4aff:fe0a:b201 to 2620:52:0:ab0:21a:4aff:feeb:8b33
[05/Apr/2018:10:22:06.969131282 -0400] conn=7 op=0 BIND dn="" method=128 version=3
[05/Apr/2018:10:22:06.969400670 -0400] conn=7 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[05/Apr/2018:10:22:06.969914981 -0400] conn=7 op=1 SRCH base="" scope=0 filter="(objectClass=*)" attrs=ALL
[05/Apr/2018:10:22:07.579211022 -0400] conn=7 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[05/Apr/2018:10:22:07.579935523 -0400] conn=7 op=2 UNBIND
[05/Apr/2018:10:22:07.579969091 -0400] conn=7 op=2 fd=66 closed - U1

errors logs:

[05/Apr/2018:10:22:06.995543617 -0400] - DEBUG - NSACLPlugin - ***BEGIN ACL INFO[ Name: "rootdse anon read access"]***
[05/Apr/2018:10:22:06.997250733 -0400] - DEBUG - NSACLPlugin - ACL Index:1 ACL_ELEVEL:0
[05/Apr/2018:10:22:06.999011276 -0400] - DEBUG - NSACLPlugin - ACI type:(compare search read target_attr acltxt target_attr_not allow_rule )
[05/Apr/2018:10:22:07.001440535 -0400] - DEBUG - NSACLPlugin - ACI RULE type:(userdn ip )
[05/Apr/2018:10:22:07.003207665 -0400] - DEBUG - NSACLPlugin - Slapi_Entry DN:
[05/Apr/2018:10:22:07.005039085 -0400] - DEBUG - NSACLPlugin - ***END ACL INFO*****************************
[05/Apr/2018:10:22:07.018140269 -0400] - DEBUG - NSACLPlugin - acl__scan_for_acis - Num of ALLOW Handles:1, DENY handles:0
[05/Apr/2018:10:22:07.019993668 -0400] - DEBUG - NSACLPlugin - acl_access_allowed - Processed attr:objectClass for entry:
[05/Apr/2018:10:22:07.021709963 -0400] - DEBUG - NSACLPlugin - acl__TestRights - 1. Evaluating ALLOW aci(1) " "rootdse anon read access""
[05/Apr/2018:10:22:07.023727845 -0400] - DEBUG - NSACLPlugin - DS_LASIpGetter - Returning client ip address '2620:52:0:ab0:1a:4aff:fe0a:b201'
[05/Apr/2018:10:22:07.025660249 -0400] - DEBUG - NSACLPlugin - print_access_control_summary - conn=7 op=1 (main): Allow read on entry().attr(objectClass) to anonymous: allowed by aci(1): aciname= "rootdse anon read access", acidn=""

Now I change the ACI to have a wildcard:

aci: (targetattr != "aci")(version 3.0; aci "rootdse anon read access"; allow( read,search,compare) (userdn="ldap:///anyone") and (ip="2620:52:0:ab0:1a:4aff:fe0a:*");)

I repeat the search and I have no entries returned:

ldapsearch -xLLL -h 2620:52:0:ab0:21a:4aff:feeb:8b33 -p 389 -b "" -s base

[05/Apr/2018:10:27:08.530010317 -0400] conn=3 fd=66 slot=66 connection from 2620:52:0:ab0:1a:4aff:fe0a:b201 to 2620:52:0:ab0:21a:4aff:feeb:8b33
[05/Apr/2018:10:27:08.531368455 -0400] conn=3 op=0 BIND dn="" method=128 version=3
[05/Apr/2018:10:27:08.531603453 -0400] conn=3 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[05/Apr/2018:10:27:08.534067668 -0400] conn=3 op=1 SRCH base="" scope=0 filter="(objectClass=*)" attrs=ALL
[05/Apr/2018:10:27:10.587038289 -0400] conn=3 op=1 RESULT err=0 tag=101 nentries=0 etime=2
[05/Apr/2018:10:27:10.589254906 -0400] conn=3 op=2 UNBIND

[05/Apr/2018:10:27:10.127377540 -0400] - DEBUG - NSACLPlugin - acl_access_allowed - #### conn=3 op=1 binddn=""
[05/Apr/2018:10:27:10.131708129 -0400] - DEBUG - NSACLPlugin - ************ RESOURCE INFO STARTS *********
[05/Apr/2018:10:27:10.134327030 -0400] - DEBUG - NSACLPlugin - Client DN:
[05/Apr/2018:10:27:10.136925213 -0400] - DEBUG - NSACLPlugin - resource type:256(read target_DN )
[05/Apr/2018:10:27:10.139307699 -0400] - DEBUG - NSACLPlugin - Slapi_Entry DN:
[05/Apr/2018:10:27:10.142909107 -0400] - DEBUG - NSACLPlugin - ATTR: aci
[05/Apr/2018:10:27:10.145285254 -0400] - DEBUG - NSACLPlugin - rights:read
[05/Apr/2018:10:27:10.148306889 -0400] - DEBUG - NSACLPlugin - ************ RESOURCE INFO ENDS *********
[05/Apr/2018:10:27:10.151928932 -0400] - DEBUG - NSACLPlugin - acl__scan_for_acis - Using ACL Container:0 for evaluation
[05/Apr/2018:10:27:10.154466473 -0400] - DEBUG - NSACLPlugin - acl__scan_for_acis - Num of ALLOW Handles:0, DENY handles:0
[05/Apr/2018:10:27:10.160276460 -0400] - DEBUG - NSACLPlugin - print_access_control_summary - conn=3 op=1 (main): Deny read on entry().attr(aci) to anonymous: no aci matched the resource
[05/Apr/2018:10:27:10.163442162 -0400] - DEBUG - NSACLPlugin - acl__scan_for_acis - Using ACL Container:0 for evaluation
[05/Apr/2018:10:27:10.165526266 -0400] - DEBUG - NSACLPlugin - ***BEGIN ACL INFO[ Name: "rootdse anon read access"]***
[05/Apr/2018:10:27:10.167542627 -0400] - DEBUG - NSACLPlugin - ACL Index:1 ACL_ELEVEL:0
[05/Apr/2018:10:27:10.169725199 -0400] - DEBUG - NSACLPlugin - ACI type:(compare search read target_attr acltxt target_attr_not allow_rule )
[05/Apr/2018:10:27:10.172520501 -0400] - DEBUG - NSACLPlugin - ACI RULE type:(userdn ip )
[05/Apr/2018:10:27:10.175382325 -0400] - DEBUG - NSACLPlugin - Slapi_Entry DN:
[05/Apr/2018:10:27:10.177841938 -0400] - DEBUG - NSACLPlugin - ***END ACL INFO*****************************
[05/Apr/2018:10:27:10.180696121 -0400] - DEBUG - NSACLPlugin - acl__scan_for_acis - Num of ALLOW Handles:1, DENY handles:0
[05/Apr/2018:10:27:10.182950595 -0400] - DEBUG - NSACLPlugin - acl_access_allowed - Processed attr:objectClass for entry:
[05/Apr/2018:10:27:10.184923794 -0400] - DEBUG - NSACLPlugin - acl__TestRights - 1. Evaluating ALLOW aci(1) " "rootdse anon read access""
[05/Apr/2018:10:27:10.188433340 -0400] - DEBUG - NSACLPlugin - DS_LASIpGetter - Returning client ip address '2620:52:0:ab0:1a:4aff:fe0a:b201'
[05/Apr/2018:10:27:10.191564691 -0400] - DEBUG - NSACLPlugin - print_access_control_summary - conn=3 op=1 (main): Deny read on entry().attr(objectClass) to anonymous: no aci matched the subject by aci(1): aciname= "rootdse anon read access", acidn=""
[05/Apr/2018:10:27:10.193361384 -0400] - DEBUG - NSACLPlugin - acl__scan_for_acis - Using ACL Container:0 for evaluation
[05/Apr/2018:10:27:10.195279463 -0400] - DEBUG - NSACLPlugin - ***BEGIN ACL INFO[ Name: "rootdse anon read access"]***
[05/Apr/2018:10:27:10.197059187 -0400] - DEBUG - NSACLPlugin - ACL Index:1 ACL_ELEVEL:0
[05/Apr/2018:10:27:10.198834367 -0400] - DEBUG - NSACLPlugin - ACI type:(compare search read target_attr acltxt target_attr_not allow_rule )
[05/Apr/2018:10:27:10.200602722 -0400] - DEBUG - NSACLPlugin - ACI RULE type:(userdn ip )
[05/Apr/2018:10:27:10.203510013 -0400] - DEBUG - NSACLPlugin - Slapi_Entry DN:
[05/Apr/2018:10:27:10.205808014 -0400] - DEBUG - NSACLPlugin - ***END ACL INFO*****************************
[05/Apr/2018:10:27:10.207749681 -0400] - DEBUG - NSACLPlugin - acl__scan_for_acis - Num of ALLOW Handles:1, DENY handles:0
[05/Apr/2018:10:27:10.209770519 -0400] - DEBUG - NSACLPlugin - acl_access_allowed - Processed attr:defaultnamingcontext for entry:
[05/Apr/2018:10:27:10.212608588 -0400] - DEBUG - NSACLPlugin - acl__TestRights - 1. Evaluating ALLOW aci(1) " "rootdse anon read access""
[05/Apr/2018:10:27:10.214352335 -0400] - DEBUG - NSACLPlugin - acl__TestRights - Found READ SKIP in cache
[05/Apr/2018:10:27:10.216110698 -0400] - DEBUG - NSACLPlugin - print_access_control_summary - conn=3 op=1 (main): Deny read on entry().attr(defaultnamingcontext) to anonymous: no aci matched the subject by aci(1): aciname= "rootdse anon read access", acidn=""
[05/Apr/2018:10:27:10.217919548 -0400] - DEBUG - NSACLPlugin - acl__scan_for_acis - Using ACL Container:0 for evaluation
[05/Apr/2018:10:27:10.219898799 -0400] - DEBUG - NSACLPlugin - ***BEGIN ACL INFO[ Name: "rootdse anon read access"]***
[05/Apr/2018:10:27:10.223004824 -0400] - DEBUG - NSACLPlugin - ACL Index:1 ACL_ELEVEL:0
[05/Apr/2018:10:27:10.224948080 -0400] - DEBUG - NSACLPlugin - ACI type:(compare search read target_attr acltxt target_attr_not allow_rule )
[05/Apr/2018:10:27:10.226977912 -0400] - DEBUG - NSACLPlugin - ACI RULE type:(userdn ip )
[05/Apr/2018:10:27:10.228687273 -0400] - DEBUG - NSACLPlugin - Slapi_Entry DN:
[05/Apr/2018:10:27:10.230837305 -0400] - DEBUG - NSACLPlugin - ***END ACL INFO*****************************
[05/Apr/2018:10:27:10.232635971 -0400] - DEBUG - NSACLPlugin - acl__scan_for_acis - Num of ALLOW Handles:1, DENY handles:0
[05/Apr/2018:10:27:10.234436423 -0400] - DEBUG - NSACLPlugin - acl_access_allowed - Processed attr:dataversion for entry:
[05/Apr/2018:10:27:10.236527595 -0400] - DEBUG - NSACLPlugin - acl__TestRights - 1. Evaluating ALLOW aci(1) " "rootdse anon read access""
[05/Apr/2018:10:27:10.240343568 -0400] - DEBUG - NSACLPlugin - acl__TestRights - Found READ SKIP in cache

Version-Release number of selected component (if applicable):
389-ds-base-1.3.6.1-24.el7_4.x86_64
Metadata Update from @mreynolds: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1564171
Metadata Update from @mreynolds: - Issue assigned to mreynolds
So you cannot use "*" wildcards with IPv6 in ACIs, but you can use CIDR Subnet prefix lengths.
So it would work like this:

2601:989:4400:4f30:128c:b936:66e7:58c6

2601:989:4400:4f30:128c:b936:66e7:* == 2601:989:4400:4f30:128c:b936:66e7::/112
2601:989:4400:4f30:128c:b936:* == 2601:989:4400:4f30:128c:b936::/96

(targetattr = "uid || cn") (version 3.0;acl "Enable anonymous access";allow (read,compare,search)(userdn = "ldap:///anyone") and (ip="2601:989:4400:4f30:128c:b936:66e7::/112");)
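The rewriting rule in the comment above, carried through as an added example (this is not code from 389-ds-base or from anyone on this ticket): a trailing-wildcard IPv6 pattern is mapped to the CIDR form the ACI "ip" keyword accepts, an ACI string is rewritten in place, and a client address is checked against the result. It generalizes the two equivalences above to any wildcard that sits on a hextet boundary; the function names and the regex are this example's own assumptions.

```python
import ipaddress
import re

# Each hextet written before the trailing "*" fixes 16 bits of the prefix, so
# "a:b:c:d:e:f:g:*" becomes "a:b:c:d:e:f:g::/112" and "a:b:c:d:e:f:*" becomes
# "a:b:c:d:e:f::/96" (the two cases shown in the comment above).
HEXTET = re.compile(r"[0-9a-fA-F]{1,4}")


def wildcard_to_cidr(pattern: str) -> str:
    """Map a trailing-wildcard IPv6 pattern to the equivalent CIDR network string."""
    head, sep, tail = pattern.rpartition(":")
    # Only a single "*" on a hextet boundary, with no "::" compression before it,
    # maps cleanly onto a prefix length; anything else is refused, not guessed.
    if sep != ":" or tail != "*" or not head or "::" in head:
        raise ValueError(f"unsupported IPv6 wildcard pattern: {pattern!r}")
    hextets = head.split(":")
    if len(hextets) > 7 or not all(HEXTET.fullmatch(h) for h in hextets):
        raise ValueError(f"unsupported IPv6 wildcard pattern: {pattern!r}")
    return f"{head}::/{16 * len(hextets)}"


def client_allowed(client_ip: str, cidr: str) -> bool:
    """True when the client address falls inside the rewritten ip= rule."""
    return ipaddress.IPv6Address(client_ip) in ipaddress.IPv6Network(cidr)


# Matches the value of an (ip="...") bind rule that contains a wildcard.
IP_RULE = re.compile(r'\(ip="([^"]*\*[^"]*)"\)')


def rewrite_aci(aci: str) -> str:
    """Replace IPv6 wildcard ip= rules in an ACI string; IPv4 wildcards are left alone."""
    def fix(m):
        value = m.group(1)
        if ":" not in value:  # IPv4 wildcard: the comment only rules out IPv6 ones
            return m.group(0)
        return f'(ip="{wildcard_to_cidr(value)}")'
    return IP_RULE.sub(fix, aci)


if __name__ == "__main__":
    # The reporter's wildcard ACI from the ticket description, rewritten.
    broken = ('(targetattr != "aci")(version 3.0; aci "rootdse anon read access"; '
              'allow( read,search,compare) (userdn="ldap:///anyone") '
              'and (ip="2620:52:0:ab0:1a:4aff:fe0a:*");)')
    print(rewrite_aci(broken))
    print(client_allowed("2620:52:0:ab0:1a:4aff:fe0a:b201",
                         wildcard_to_cidr("2620:52:0:ab0:1a:4aff:fe0a:*")))
```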
Metadata Update from @mreynolds:
- Custom field component adjusted to None
- Custom field origin adjusted to None
- Custom field reviewstatus adjusted to None
- Custom field type adjusted to None
- Custom field version adjusted to None
Metadata Update from @mreynolds:
- Issue close_status updated to: worksforme
- Issue status updated to: Closed (was: Open)
Metadata Update from @vashirov: - Issue set to the milestone: None (was: 0.0 NEEDS_TRIAGE)
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/2783
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for any inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: worksforme)