#49724 aci with ip clause, ipv6 value, and wildcard is not working.
Closed: wontfix 5 years ago Opened 5 years ago by mreynolds.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1564171

Description of problem:

Using this ACI under the null base DN, for instance:

aci: (targetattr != "aci")(version 3.0; aci "rootdse anon read access"; allow(
 read,search,compare) (userdn="ldap:///anyone") and (ip="2620:52:0:ab0:1a:4aff
 :fe0a:b201");)

And I do a search:

 ip a
   inet6 2620:52:0:ab0:1a:4aff:fe0a:b201/64 scope global noprefixroute dynamic


ldapsearch -xLLL -h 2620:52:0:ab0:21a:4aff:feeb:8b33 -p 389 -b "" -s base
dn:
objectClass: top
namingContexts: cn=changelog
namingContexts: dc=cgparente,dc=local
namingContexts: o=ipaca
defaultnamingcontext: dc=cgparente,dc=local
supportedExtension: 2.16.840.1.113730.3.5.7
supportedExtension: 2.16.840.1.113730.3.5.8
supportedExtension: 2.16.840.1.113730.3.5.10
supportedExtension: 2.16.840.1.113730.3.8.10.3
supportedExtension: 2.16.840.1.113730.3.8.10.4
supportedExtension: 2.16.840.1.113730.3.8.10.4.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 2.16.840.1.113730.3.8.10.1
supportedExtension: 2.16.840.1.113730.3.8.10.5
supportedExtension: 2.16.840.1.113730.3.5.3
supportedExtension: 2.16.840.1.113730.3.5.12
supportedExtension: 2.16.840.1.113730.3.5.5
supportedExtension: 2.16.840.1.113730.3.5.6
supportedExtension: 2.16.840.1.113730.3.5.9
supportedExtension: 2.16.840.1.113730.3.5.4
supportedExtension: 2.16.840.1.113730.3.6.5
supportedExtension: 2.16.840.1.113730.3.6.6
supportedExtension: 2.16.840.1.113730.3.6.7
supportedExtension: 2.16.840.1.113730.3.6.8
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 2.16.840.1.113730.3.4.3
supportedControl: 2.16.840.1.113730.3.4.4
supportedControl: 2.16.840.1.113730.3.4.5
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.16
supportedControl: 2.16.840.1.113730.3.4.15
supportedControl: 2.16.840.1.113730.3.4.17
supportedControl: 2.16.840.1.113730.3.4.19
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.8
supportedControl: 1.3.6.1.4.1.4203.666.5.16
supportedControl: 2.16.840.1.113730.3.8.10.6
supportedControl: 2.16.840.1.113730.3.8.10.7
supportedControl: 2.16.840.1.113730.3.4.14
supportedControl: 2.16.840.1.113730.3.4.20
supportedControl: 1.3.6.1.4.1.1466.29539.12
supportedControl: 2.16.840.1.113730.3.4.12
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.13
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: ANONYMOUS
supportedLDAPVersion: 2
supportedLDAPVersion: 3
vendorName: 389 Project
vendorVersion: 389-Directory/1.3.6.1 B2017.314.143
dataversion: 020180405142105020180405142105020180405142105
netscapemdsuffix: cn=ldap://dc=trustreplica,dc=cgparente,dc=local:389
lastusn: 42884
changeLog: cn=changelog
firstchangenumber: 344
lastchangenumber: 363
ipatopologypluginversion: 1.0
ipatopologyismanaged: off
ipaDomainLevel: 0


Access log:

[05/Apr/2018:10:22:06.968152786 -0400] conn=7 fd=66 slot=66 connection from 2620:52:0:ab0:1a:4aff:fe0a:b201 to 2620:52:0:ab0:21a:4aff:feeb:8b33
[05/Apr/2018:10:22:06.969131282 -0400] conn=7 op=0 BIND dn="" method=128 version=3
[05/Apr/2018:10:22:06.969400670 -0400] conn=7 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[05/Apr/2018:10:22:06.969914981 -0400] conn=7 op=1 SRCH base="" scope=0 filter="(objectClass=*)" attrs=ALL
[05/Apr/2018:10:22:07.579211022 -0400] conn=7 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[05/Apr/2018:10:22:07.579935523 -0400] conn=7 op=2 UNBIND
[05/Apr/2018:10:22:07.579969091 -0400] conn=7 op=2 fd=66 closed - U1

Errors log:

[05/Apr/2018:10:22:06.995543617 -0400] - DEBUG - NSACLPlugin - ***BEGIN ACL INFO[ Name: "rootdse anon read access"]***
[05/Apr/2018:10:22:06.997250733 -0400] - DEBUG - NSACLPlugin - ACL Index:1 ACL_ELEVEL:0
[05/Apr/2018:10:22:06.999011276 -0400] - DEBUG - NSACLPlugin - ACI type:(compare search read target_attr acltxt target_attr_not allow_rule )
[05/Apr/2018:10:22:07.001440535 -0400] - DEBUG - NSACLPlugin - ACI RULE type:(userdn ip )
[05/Apr/2018:10:22:07.003207665 -0400] - DEBUG - NSACLPlugin - Slapi_Entry DN:
[05/Apr/2018:10:22:07.005039085 -0400] - DEBUG - NSACLPlugin - ***END ACL INFO*****************************
[05/Apr/2018:10:22:07.018140269 -0400] - DEBUG - NSACLPlugin - acl__scan_for_acis - Num of ALLOW Handles:1, DENY handles:0
[05/Apr/2018:10:22:07.019993668 -0400] - DEBUG - NSACLPlugin - acl_access_allowed - Processed attr:objectClass for entry:
[05/Apr/2018:10:22:07.021709963 -0400] - DEBUG - NSACLPlugin - acl__TestRights - 1. Evaluating ALLOW aci(1) " "rootdse anon read access""
[05/Apr/2018:10:22:07.023727845 -0400] - DEBUG - NSACLPlugin - DS_LASIpGetter - Returning client ip address '2620:52:0:ab0:1a:4aff:fe0a:b201'
[05/Apr/2018:10:22:07.025660249 -0400] - DEBUG - NSACLPlugin - print_access_control_summary - conn=7 op=1 (main): Allow read on entry().attr(objectClass) to anonymous: allowed by aci(1): aciname= "rootdse anon read access", acidn=""


Now I change the ACI to have a wildcard:

aci: (targetattr != "aci")(version 3.0; aci "rootdse anon read access"; allow(
 read,search,compare) (userdn="ldap:///anyone") and (ip="2620:52:0:ab0:1a:4aff
 :fe0a:*");)


I repeat the search and no entries are returned:

 ldapsearch -xLLL -h 2620:52:0:ab0:21a:4aff:feeb:8b33 -p 389 -b "" -s base

[05/Apr/2018:10:27:08.530010317 -0400] conn=3 fd=66 slot=66 connection from 2620:52:0:ab0:1a:4aff:fe0a:b201 to 2620:52:0:ab0:21a:4aff:feeb:8b33
[05/Apr/2018:10:27:08.531368455 -0400] conn=3 op=0 BIND dn="" method=128 version=3
[05/Apr/2018:10:27:08.531603453 -0400] conn=3 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[05/Apr/2018:10:27:08.534067668 -0400] conn=3 op=1 SRCH base="" scope=0 filter="(objectClass=*)" attrs=ALL
[05/Apr/2018:10:27:10.587038289 -0400] conn=3 op=1 RESULT err=0 tag=101 nentries=0 etime=2
[05/Apr/2018:10:27:10.589254906 -0400] conn=3 op=2 UNBIND

[05/Apr/2018:10:27:10.127377540 -0400] - DEBUG - NSACLPlugin - acl_access_allowed - #### conn=3 op=1 binddn=""
[05/Apr/2018:10:27:10.131708129 -0400] - DEBUG - NSACLPlugin -     ************ RESOURCE INFO STARTS *********
[05/Apr/2018:10:27:10.134327030 -0400] - DEBUG - NSACLPlugin -     Client DN:
[05/Apr/2018:10:27:10.136925213 -0400] - DEBUG - NSACLPlugin -     resource type:256(read target_DN )
[05/Apr/2018:10:27:10.139307699 -0400] - DEBUG - NSACLPlugin -     Slapi_Entry DN:
[05/Apr/2018:10:27:10.142909107 -0400] - DEBUG - NSACLPlugin -     ATTR: aci
[05/Apr/2018:10:27:10.145285254 -0400] - DEBUG - NSACLPlugin -     rights:read
[05/Apr/2018:10:27:10.148306889 -0400] - DEBUG - NSACLPlugin -     ************ RESOURCE INFO ENDS   *********
[05/Apr/2018:10:27:10.151928932 -0400] - DEBUG - NSACLPlugin - acl__scan_for_acis - Using ACL Container:0 for evaluation
[05/Apr/2018:10:27:10.154466473 -0400] - DEBUG - NSACLPlugin - acl__scan_for_acis - Num of ALLOW Handles:0, DENY handles:0
[05/Apr/2018:10:27:10.160276460 -0400] - DEBUG - NSACLPlugin - print_access_control_summary - conn=3 op=1 (main): Deny read on entry().attr(aci) to anonymous: no aci matched the resource
[05/Apr/2018:10:27:10.163442162 -0400] - DEBUG - NSACLPlugin - acl__scan_for_acis - Using ACL Container:0 for evaluation
[05/Apr/2018:10:27:10.165526266 -0400] - DEBUG - NSACLPlugin - ***BEGIN ACL INFO[ Name: "rootdse anon read access"]***
[05/Apr/2018:10:27:10.167542627 -0400] - DEBUG - NSACLPlugin - ACL Index:1 ACL_ELEVEL:0
[05/Apr/2018:10:27:10.169725199 -0400] - DEBUG - NSACLPlugin - ACI type:(compare search read target_attr acltxt target_attr_not allow_rule )
[05/Apr/2018:10:27:10.172520501 -0400] - DEBUG - NSACLPlugin - ACI RULE type:(userdn ip )
[05/Apr/2018:10:27:10.175382325 -0400] - DEBUG - NSACLPlugin - Slapi_Entry DN:
[05/Apr/2018:10:27:10.177841938 -0400] - DEBUG - NSACLPlugin - ***END ACL INFO*****************************
[05/Apr/2018:10:27:10.180696121 -0400] - DEBUG - NSACLPlugin - acl__scan_for_acis - Num of ALLOW Handles:1, DENY handles:0
[05/Apr/2018:10:27:10.182950595 -0400] - DEBUG - NSACLPlugin - acl_access_allowed - Processed attr:objectClass for entry:
[05/Apr/2018:10:27:10.184923794 -0400] - DEBUG - NSACLPlugin - acl__TestRights - 1. Evaluating ALLOW aci(1) " "rootdse anon read access""
[05/Apr/2018:10:27:10.188433340 -0400] - DEBUG - NSACLPlugin - DS_LASIpGetter - Returning client ip address '2620:52:0:ab0:1a:4aff:fe0a:b201'
[05/Apr/2018:10:27:10.191564691 -0400] - DEBUG - NSACLPlugin - print_access_control_summary - conn=3 op=1 (main): Deny read on entry().attr(objectClass) to anonymous: no aci matched the subject by aci(1): aciname= "rootdse anon read access", acidn=""
[05/Apr/2018:10:27:10.193361384 -0400] - DEBUG - NSACLPlugin - acl__scan_for_acis - Using ACL Container:0 for evaluation
[05/Apr/2018:10:27:10.195279463 -0400] - DEBUG - NSACLPlugin - ***BEGIN ACL INFO[ Name: "rootdse anon read access"]***
[05/Apr/2018:10:27:10.197059187 -0400] - DEBUG - NSACLPlugin - ACL Index:1 ACL_ELEVEL:0
[05/Apr/2018:10:27:10.198834367 -0400] - DEBUG - NSACLPlugin - ACI type:(compare search read target_attr acltxt target_attr_not allow_rule )
[05/Apr/2018:10:27:10.200602722 -0400] - DEBUG - NSACLPlugin - ACI RULE type:(userdn ip )
[05/Apr/2018:10:27:10.203510013 -0400] - DEBUG - NSACLPlugin - Slapi_Entry DN:
[05/Apr/2018:10:27:10.205808014 -0400] - DEBUG - NSACLPlugin - ***END ACL INFO*****************************
[05/Apr/2018:10:27:10.207749681 -0400] - DEBUG - NSACLPlugin - acl__scan_for_acis - Num of ALLOW Handles:1, DENY handles:0
[05/Apr/2018:10:27:10.209770519 -0400] - DEBUG - NSACLPlugin - acl_access_allowed - Processed attr:defaultnamingcontext for entry:
[05/Apr/2018:10:27:10.212608588 -0400] - DEBUG - NSACLPlugin - acl__TestRights - 1. Evaluating ALLOW aci(1) " "rootdse anon read access""
[05/Apr/2018:10:27:10.214352335 -0400] - DEBUG - NSACLPlugin - acl__TestRights - Found READ SKIP in cache
[05/Apr/2018:10:27:10.216110698 -0400] - DEBUG - NSACLPlugin - print_access_control_summary - conn=3 op=1 (main): Deny read on entry().attr(defaultnamingcontext) to anonymous: no aci matched the subject by aci(1): aciname= "rootdse anon read access", acidn=""
[05/Apr/2018:10:27:10.217919548 -0400] - DEBUG - NSACLPlugin - acl__scan_for_acis - Using ACL Container:0 for evaluation
[05/Apr/2018:10:27:10.219898799 -0400] - DEBUG - NSACLPlugin - ***BEGIN ACL INFO[ Name: "rootdse anon read access"]***
[05/Apr/2018:10:27:10.223004824 -0400] - DEBUG - NSACLPlugin - ACL Index:1 ACL_ELEVEL:0
[05/Apr/2018:10:27:10.224948080 -0400] - DEBUG - NSACLPlugin - ACI type:(compare search read target_attr acltxt target_attr_not allow_rule )
[05/Apr/2018:10:27:10.226977912 -0400] - DEBUG - NSACLPlugin - ACI RULE type:(userdn ip )
[05/Apr/2018:10:27:10.228687273 -0400] - DEBUG - NSACLPlugin - Slapi_Entry DN:
[05/Apr/2018:10:27:10.230837305 -0400] - DEBUG - NSACLPlugin - ***END ACL INFO*****************************
[05/Apr/2018:10:27:10.232635971 -0400] - DEBUG - NSACLPlugin - acl__scan_for_acis - Num of ALLOW Handles:1, DENY handles:0
[05/Apr/2018:10:27:10.234436423 -0400] - DEBUG - NSACLPlugin - acl_access_allowed - Processed attr:dataversion for entry:
[05/Apr/2018:10:27:10.236527595 -0400] - DEBUG - NSACLPlugin - acl__TestRights - 1. Evaluating ALLOW aci(1) " "rootdse anon read access""
[05/Apr/2018:10:27:10.240343568 -0400] - DEBUG - NSACLPlugin - acl__TestRights - Found READ SKIP in cache


Version-Release number of selected component (if applicable):

389-ds-base-1.3.6.1-24.el7_4.x86_64

Metadata Update from @mreynolds:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1564171

5 years ago

Metadata Update from @mreynolds:
- Issue assigned to mreynolds

5 years ago

So you cannot use "*" wildcards with IPv6 in ACIs, but you can use CIDR subnet prefix lengths.

So it would work like this:

2601:989:4400:4f30:128c:b936:66e7:58c6

2601:989:4400:4f30:128c:b936:66e7:*  == 2601:989:4400:4f30:128c:b936:66e7::/112
2601:989:4400:4f30:128c:b936:*       == 2601:989:4400:4f30:128c:b936::/96

(targetattr = "uid || cn") (version 3.0;acl "Enable anonymous access";allow (read,compare,search)(userdn = "ldap:///anyone") and (ip="2601:989:4400:4f30:128c:b936:66e7::/112");)
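As an added example, not code from this ticket or from 389-ds-base, the following Python script applies the workaround described in the comment above: it turns a trailing-"*" IPv6 wildcard into the equivalent /(16*N) prefix (each hextet is 16 bits), rewrites the ip clause of the ACI from the report into CIDR form, and checks the client address that DS_LASIpGetter logged against the result. The IPv4 branch (8 bits per octet, so 12.3.45.* becomes 12.3.45.0/24) is my generalization of the same rule; the sample ACI and debug line are constructed copies of what the ticket shows, and all function names are mine. It models what the ip clause should decide and does not call into the directory server.

```python
import ipaddress
import re

# Constructed sample: the ACI from the report, unwrapped from its LDIF
# continuation lines, with the trailing-wildcard IPv6 value that did not match.
WILDCARD_ACI = (
    '(targetattr != "aci")(version 3.0; aci "rootdse anon read access"; '
    'allow(read,search,compare) (userdn="ldap:///anyone") '
    'and (ip="2620:52:0:ab0:1a:4aff:fe0a:*");)'
)

# Constructed sample: the NSACLPlugin debug line naming the client address
# that the ip clause is evaluated against.
ACL_DEBUG_LINE = (
    "[05/Apr/2018:10:27:10.188433340 -0400] - DEBUG - NSACLPlugin - "
    "DS_LASIpGetter - Returning client ip address '2620:52:0:ab0:1a:4aff:fe0a:b201'"
)

_HEXTET = re.compile(r"^[0-9a-fA-F]{1,4}$")
_IP_CLAUSE = re.compile(r'\(ip\s*=\s*"([^"]*)"\)')
_CLIENT_IP = re.compile(r"Returning client ip address '([^']+)'")


def wildcard_to_cidr(pattern: str) -> str:
    """Translate a trailing-'*' address pattern into the CIDR prefix it denotes.

    IPv6: N explicit hextets followed by '*' cover the /(16*N) network whose
    remaining bits are zero.  '::' compression inside the fixed part is
    rejected because its width would be ambiguous.
    IPv4 (hypothetical generalization): N octets followed by '*' cover /(8*N).
    """
    sep = "." if "." in pattern else ":"
    groups = pattern.split(sep)
    fixed, tail = groups[:-1], groups[-1]
    if tail != "*":
        raise ValueError(f"pattern must end in '{sep}*': {pattern!r}")
    if sep == ".":
        ok = 1 <= len(fixed) <= 3 and all(g.isdigit() and int(g) <= 255 for g in fixed)
        if not ok:
            raise ValueError(f"unsupported IPv4 wildcard pattern: {pattern!r}")
        cidr = ".".join(fixed + ["0"] * (4 - len(fixed))) + f"/{8 * len(fixed)}"
        ipaddress.IPv4Network(cidr, strict=True)  # sanity check, host bits must be zero
        return cidr
    ok = 1 <= len(fixed) <= 7 and all(_HEXTET.match(g) for g in fixed)
    if not ok:
        raise ValueError(f"unsupported IPv6 wildcard pattern: {pattern!r}")
    # "a:b:c::/48" is the spelling used in the comment above: fixed hextets,
    # then '::' for the zeroed remainder, then the prefix length.
    cidr = f"{':'.join(fixed)}::/{16 * len(fixed)}"
    ipaddress.IPv6Network(cidr, strict=True)  # sanity check, host bits must be zero
    return cidr


def rewrite_ip_clauses(aci: str) -> str:
    """Return the ACI with every IPv6 wildcard ip value replaced by CIDR form.

    IPv4 values and values that already carry a prefix length are left alone.
    """
    def _fix(m):
        value = m.group(1)
        if ":" in value and value.endswith("*"):
            value = wildcard_to_cidr(value)
        return f'(ip="{value}")'
    return _IP_CLAUSE.sub(_fix, aci)


def client_ip_from_debug(line: str) -> str:
    """Pull the client address out of a DS_LASIpGetter debug line."""
    m = _CLIENT_IP.search(line)
    if m is None:
        raise ValueError("not a DS_LASIpGetter line")
    return m.group(1)


def ip_clause_matches(client_ip: str, rule: str) -> bool:
    """Decide whether client_ip falls inside an ip clause value given as a
    plain address, a CIDR prefix, or a wildcard pattern (translated first)."""
    if rule.endswith("*"):
        rule = wildcard_to_cidr(rule)
    net = ipaddress.ip_network(rule, strict=False)
    return ipaddress.ip_address(client_ip) in net  # False across IPv4/IPv6


if __name__ == "__main__":
    fixed_aci = rewrite_ip_clauses(WILDCARD_ACI)
    client = client_ip_from_debug(ACL_DEBUG_LINE)
    rule = _IP_CLAUSE.search(fixed_aci).group(1)
    print(fixed_aci)
    print(f"{client} in {rule}: {ip_clause_matches(client, rule)}")
```

Run it as-is to see the rewritten ACI and the match result for the reporter's client address; feed it your own ACI text and a DS_LASIpGetter line from the errors log to check a rule before loading it. Note that only a single trailing "*" is translated, since a wildcard in the middle of an IPv6 address has no single CIDR equivalent.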

Metadata Update from @mreynolds:
- Custom field component adjusted to None
- Custom field origin adjusted to None
- Custom field reviewstatus adjusted to None
- Custom field type adjusted to None
- Custom field version adjusted to None

5 years ago

Metadata Update from @mreynolds:
- Issue close_status updated to: worksforme
- Issue status updated to: Closed (was: Open)

5 years ago

Metadata Update from @vashirov:
- Issue set to the milestone: None (was: 0.0 NEEDS_TRIAGE)

4 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/2783

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for any inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: worksforme)

3 years ago
