Home Explore Help
Register Sign In
Apq
/
389-ds-base
mirror of https://github.com/389ds/389-ds-base.git
1
0
Fork 0
Files Issues 0 Wiki
Browse Source

Ticket 50378 - ACI's with IPv4 and IPv6 bind rules do not work for IPv6 clients

Description:  When the client is a IPv6 client, any ACI's that contain bind rules
              for IPv4 addresses essentially break that aci causing it to not be
              fully evaluated.

              For example we have an aci like this:

                 aci: (targetattr != "aci")(version 3.0; aci "rootdse anon read access"; allow(
                 read,search,compare) userdn="ldap:///anyone" and
                 (ip="127.0.0.1" or ip="2620:52:0:84:f816:3eff:fe4b:4f35");)

              So when the client is IPv6 we start processing the IP addresses in
              the ACI, as soon as a IPv4 address is found the ACI evaluation stops
              and in this case the IPv6 address is never checked and access is denied.

              The problem is that we set the wrong return code variable in libaccess

https://pagure.io/389-ds-base/issue/50378

Reviewed by: mreynolds (one line commit rule)
Mark Reynolds 6 years ago
parent
d0da0284d0
commit
41c30fd557
1 changed files with 1 additions and 1 deletions
Split View Show Diff Stats
  1. 1 1
      lib/libaccess/lasip.cpp

+ 1 - 1
lib/libaccess/lasip.cpp
View File 

@@ -598,7 +598,7 @@ int LASIpEval(NSErr_t *errp, char *attr_name, CmpOp_t comparator,
 
 
         node = context->treetop_ipv6;
 
         if ( node == NULL ) {
 
-            retcode = (comparator == CMP_OP_EQ ? LAS_EVAL_FALSE : LAS_EVAL_TRUE);
 
+            rc = (comparator == CMP_OP_EQ ? LAS_EVAL_FALSE : LAS_EVAL_TRUE);
 
         } else {
 
             addr = PR_ntohs( ipv6->_S6_un._S6_u16[field]);
 
             for (bit = 127; bit >= 0 ; bit--, bit_position--) {