andykimpe / rpms / 389-ds-base

Forked from rpms/389-ds-base 5 months ago

Blame SOURCES/0025-Ticket-50378-ACI-s-with-IPv4-and-IPv6-bind-rules-do-.patch

From 7264a239b71b4b5adc6740457586520ad0ba1d3f Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Wed, 15 May 2019 16:04:55 -0400
Subject: [PATCH] Ticket 50378 - ACI's with IPv4 and IPv6 bind rules do not
 work for IPv6 clients

Description:  When the client is an IPv6 client, any ACI's that contain bind rules
              for IPv4 addresses essentially break that aci causing it to not be
              fully evaluated.

              For example we have an aci like this:

                 aci: (targetattr != "aci")(version 3.0; aci "rootdse anon read access"; allow(
                 read,search,compare) userdn="ldap:///anyone" and
                 (ip="127.0.0.1" or ip="2620:52:0:84:f816:3eff:fe4b:4f35");)

              So when the client is IPv6 we start processing the IP addresses in
              the ACI, as soon as an IPv4 address is found the ACI evaluation stops
              and in this case the IPv6 address is never checked and access is denied.

              The problem is that we set the wrong return code variable in libaccess

https://pagure.io/389-ds-base/issue/50378

Reviewed by: mreynolds (one line commit rule)

(cherry picked from commit 41c30fd557d4cc0aaaf8a9f7767d37746f4c4bc4)
---
 lib/libaccess/lasip.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/libaccess/lasip.cpp b/lib/libaccess/lasip.cpp
index eea7affba..30c546df7 100644
--- a/lib/libaccess/lasip.cpp
+++ b/lib/libaccess/lasip.cpp
@@ -598,7 +598,7 @@ int LASIpEval(NSErr_t *errp, char *attr_name, CmpOp_t comparator,
 
         node = context->treetop_ipv6;
         if ( node == NULL ) {
-            retcode = (comparator == CMP_OP_EQ ? LAS_EVAL_FALSE : LAS_EVAL_TRUE);
+            rc = (comparator == CMP_OP_EQ ? LAS_EVAL_FALSE : LAS_EVAL_TRUE);
         } else {
             addr = PR_ntohs( ipv6->_S6_un._S6_u16[field]);
             for (bit = 127; bit >= 0 ; bit--, bit_position--) {
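Review bot: In the `node == NULL` branch for `context->treetop_ipv6`, the one-word swap shows that two near-identically named result variables, `retcode` and `rc`, are in scope here, and nothing at this line says which of them the rest of the evaluation reads; a short comment at the assignment, or renaming one of the two, would keep a later edit from reintroducing the mix-up. The diffstat lists only lib/libaccess/lasip.cpp, so the case described in the commit message (an IPv6 client evaluated against an ACI that mixes an IPv4 and an IPv6 `ip` rule) ships without a regression test. Since this is access-control evaluation, please add one that covers both `CMP_OP_EQ` and the negated comparator, so that a wrong result in either direction is caught.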
-- 
2.17.2