This is an automated email from the git hooks/post-receive script.
mreynolds pushed a commit to branch master in repository 389-ds-base.
The following commit(s) were added to refs/heads/master by this push:
     new 41c30fd  Ticket 50378 - ACI's with IPv4 and IPv6 bind rules do not work for IPv6 clients
41c30fd is described below

commit 41c30fd557d4cc0aaaf8a9f7767d37746f4c4bc4
Author: Mark Reynolds <mreynolds@redhat.com>
AuthorDate: Wed May 15 16:04:55 2019 -0400
Ticket 50378 - ACI's with IPv4 and IPv6 bind rules do not work for IPv6 clients
Description: When the client is an IPv6 client, any ACIs that contain bind rules for IPv4 addresses essentially break that ACI, causing it to not be fully evaluated.
For example we have an aci like this:
aci: (targetattr != "aci")(version 3.0; aci "rootdse anon read access"; allow( read,search,compare) userdn="ldap:///anyone" and (ip="127.0.0.1" or ip="2620:52:0:84:f816:3eff:fe4b:4f35");)
So when the client is IPv6, we start processing the IP addresses in the ACI; as soon as an IPv4 address is found the ACI evaluation stops, and in this case the IPv6 address is never checked and access is denied.
The problem is that we set the wrong return code variable in libaccess.
https://pagure.io/389-ds-base/issue/50378
Reviewed by: mreynolds (one line commit rule)
---
 lib/libaccess/lasip.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
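To make the evaluation described in the commit message concrete, here is an added C model (not 389-ds-base code and not part of this commit) of evaluating several `ip=` bind-rule terms joined by `or` against a client address. Type and function names such as `eval_ip_or_list` and `rootdse_aci_ip_allows` are invented for the example; the two addresses are the ones from the ACI quoted above, and the sample clients are constructed. The model reproduces the behaviour the message describes, where evaluation stops at the first term whose address family differs from the client's, beside the intended behaviour, where such a term is simply a non-match for that term and the remaining terms are still checked.

```c
/* Added illustration, not 389-ds-base code. Names are invented for the example. */
#include <arpa/inet.h>
#include <sys/socket.h>
#include <stdbool.h>
#include <string.h>

typedef enum { CMP_OP_EQ, CMP_OP_NE } cmp_op_t;

/* Per-term verdict; values mirror the LAS_EVAL_* idea but are local here. */
typedef enum { EVAL_FALSE = 0, EVAL_TRUE = 1, EVAL_FAIL = -1 } eval_t;

typedef struct {
    int family;              /* AF_INET or AF_INET6 */
    unsigned char addr[16];  /* network-order bytes; 4 or 16 are used */
} ip_addr_t;

/* Parse dotted-quad or colon-hex text into an ip_addr_t. */
static bool parse_ip(const char *text, ip_addr_t *out)
{
    if (inet_pton(AF_INET, text, out->addr) == 1) { out->family = AF_INET; return true; }
    if (inet_pton(AF_INET6, text, out->addr) == 1) { out->family = AF_INET6; return true; }
    return false;
}

/*
 * One term: "ip=X" is true iff the client address equals X, "ip!=X" is the
 * negation. Addresses of different families can never be equal, so a family
 * mismatch yields FALSE for EQ and TRUE for NE, the same rule the patched
 * line applies when an IPv6 client meets a rule with no IPv6 tree.
 */
static eval_t eval_term(const ip_addr_t *rule, const ip_addr_t *client, cmp_op_t op)
{
    bool equal = false;
    if (rule->family == client->family) {
        size_t len = (rule->family == AF_INET) ? 4 : 16;
        equal = memcmp(rule->addr, client->addr, len) == 0;
    }
    if (op == CMP_OP_EQ)
        return equal ? EVAL_TRUE : EVAL_FALSE;
    return equal ? EVAL_FALSE : EVAL_TRUE;
}

/*
 * Evaluate "ip<op>terms[0] or ip<op>terms[1] or ..." for the client.
 * With stop_on_family_mismatch set, the first term whose family differs from
 * the client's ends evaluation with that term's verdict (the bug described in
 * the commit message); otherwise the term is merely a non-match and the loop
 * goes on to the next one.
 */
static eval_t eval_ip_or_list(const char *const *terms, int nterms,
                              const char *client_text, cmp_op_t op,
                              bool stop_on_family_mismatch)
{
    ip_addr_t client;
    if (!parse_ip(client_text, &client))
        return EVAL_FAIL;

    for (int i = 0; i < nterms; i++) {
        ip_addr_t rule;
        if (!parse_ip(terms[i], &rule))
            return EVAL_FAIL;

        eval_t rc = eval_term(&rule, &client, op);
        if (stop_on_family_mismatch && rule.family != client.family)
            return rc;          /* bug: per-term verdict taken as the final one */
        if (rc == EVAL_TRUE)
            return EVAL_TRUE;   /* "or": the first true term decides */
    }
    return EVAL_FALSE;          /* no term matched */
}

/* The two addresses from the "rootdse anon read access" ACI quoted above. */
static const char *const ROOTDSE_ACI_ADDRS[] = {
    "127.0.0.1",
    "2620:52:0:84:f816:3eff:fe4b:4f35",
};

/* Does the ip bind rule of that ACI admit the client? buggy selects the old behaviour. */
static eval_t rootdse_aci_ip_allows(const char *client, bool buggy)
{
    return eval_ip_or_list(ROOTDSE_ACI_ADDRS, 2, client, CMP_OP_EQ, buggy);
}
```

With the old behaviour, the IPv6 client from the ACI is refused because the IPv4 term is met first and its FALSE becomes the final answer; with the corrected behaviour the IPv4 term is skipped as a non-match and the IPv6 term grants access. IPv4 clients are unaffected either way, which is why the bug only surfaced for IPv6 clients.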
diff --git a/lib/libaccess/lasip.cpp b/lib/libaccess/lasip.cpp index eea7aff..30c546d 100644 --- a/lib/libaccess/lasip.cpp +++ b/lib/libaccess/lasip.cpp @@ -598,7 +598,7 @@ int LASIpEval(NSErr_t *errp, char *attr_name, CmpOp_t comparator,
node = context->treetop_ipv6; if ( node == NULL ) { - retcode = (comparator == CMP_OP_EQ ? LAS_EVAL_FALSE : LAS_EVAL_TRUE); + rc = (comparator == CMP_OP_EQ ? LAS_EVAL_FALSE : LAS_EVAL_TRUE); } else { addr = PR_ntohs( ipv6->_S6_un._S6_u16[field]); for (bit = 127; bit >= 0 ; bit--, bit_position--) {
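Review bot: the hunk corrects only the `treetop_ipv6 == NULL` branch of LASIpEval, writing the per-term verdict to `rc` instead of `retcode`; the sibling IPv4 branch and the code that ultimately returns `retcode` are outside the visible context, so please confirm that the IPv4 no-tree case already assigns `rc` the same way and that nothing after this point still depends on `retcode` having been set here. Since the commit went in under the one-line rule without a second reviewer, it would also be worth adding a regression test that binds from an IPv6 address against an ACI mixing `ip="127.0.0.1"` with an IPv6 address and asserts the read is allowed.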
389-commits@lists.fedoraproject.org