#50378 ACI's with IPv4 and IPv6 bind rules do not work for IPv6 clients
Closed: fixed 2 months ago by mreynolds. Opened 4 months ago by mreynolds.

Issue Description

When the client is an IPv6 client, any ACIs that contain bind rules for IPv4 addresses essentially break that ACI, causing it to not be fully evaluated.

For example, we have an ACI like this:

aci: (targetattr != "aci")(version 3.0; aci "rootdse anon read access"; allow(
read,search,compare) userdn="ldap:///anyone" and
(ip="127.0.0.1" or ip="2620:52:0:84:f816:3eff:fe4b:4f35");)

So when the client is IPv6 we start processing the IP addresses in the ACI. As soon as an IPv4 address is found, the ACI evaluation stops, and in this case the IPv6 address is never checked and access is denied.

The problem is that we set the wrong return code variable in libaccess, so this is a one-line fix, and it impacts all versions of DS.
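
A small Python model of the behaviour described above, run against the ACI from this ticket. It is an added illustration, not code from 389-ds-base or libaccess; the function and parameter names are hypothetical, and it handles only plain address literals (no wildcards or netmasks).

```python
import ipaddress
import re

# ACI from the ticket, joined onto one line.
ACI = ('(targetattr != "aci")(version 3.0; aci "rootdse anon read access"; '
       'allow(read,search,compare) userdn="ldap:///anyone" and '
       '(ip="127.0.0.1" or ip="2620:52:0:84:f816:3eff:fe4b:4f35");)')

# Matches ip="..." bind rules (not ip != "...").
IP_RULE = re.compile(r'\bip\s*=\s*"([^"]+)"')


def ip_literals(aci):
    """Return the addresses named in ip="..." bind rules, in order."""
    return [ipaddress.ip_address(v) for v in IP_RULE.findall(aci)]


def ip_or_matches(client, aci, stop_at_ipv4):
    """Model an OR of ip= rules evaluated for one client address.

    stop_at_ipv4=True reproduces the reported symptom: for an IPv6 client,
    the first IPv4 literal ends evaluation with "no match".
    stop_at_ipv4=False is the expected behaviour: a literal of the other
    address family simply does not match and the next literal is tried.
    """
    client = ipaddress.ip_address(client)
    for literal in ip_literals(aci):
        if literal.version != client.version:
            if stop_at_ipv4 and client.version == 6 and literal.version == 4:
                return False  # evaluation abandoned, access denied
            continue
        if literal == client:
            return True
    return False


def mixes_families(aci):
    """True when an ACI names both IPv4 and IPv6 literals (worth retesting)."""
    return len({a.version for a in ip_literals(aci)}) == 2


if __name__ == "__main__":
    v6 = "2620:52:0:84:f816:3eff:fe4b:4f35"
    print("symptom :", ip_or_matches(v6, ACI, stop_at_ipv4=True))
    print("expected:", ip_or_matches(v6, ACI, stop_at_ipv4=False))
    print("mixed   :", mixes_families(ACI))
```

`mixes_families` can be pointed at exported ACI values to list the rules that should be retested from an IPv6 client after upgrading.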


Metadata Update from @mreynolds:
- Custom field origin adjusted to None
- Custom field reviewstatus adjusted to None

4 months ago

d0da028..41c30fd master -> master

4470744..64a784f 389-ds-base-1.4.0 -> 389-ds-base-1.4.0

0a8a7b3..661ce15 389-ds-base-1.3.9 -> 389-ds-base-1.3.9

0419128..bbfad17 389-ds-base-1.3.8 -> 389-ds-base-1.3.8

Metadata Update from @mreynolds:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1710848

4 months ago

Commit 5e285f6 relates to this ticket

Metadata Update from @mreynolds:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 months ago
