From 7264a239b71b4b5adc6740457586520ad0ba1d3f Mon Sep 17 00:00:00 2001

From: Mark Reynolds <mreynolds@redhat.com>

Date: Wed, 15 May 2019 16:04:55 -0400

Subject: [PATCH] Ticket 50378 - ACI's with IPv4 and IPv6 bind rules do not

 work for IPv6 clients

Description:  When the client is a IPv6 client, any ACI's that contain bind rules

              for IPv4 addresses essentially break that aci causing it to not be

              fully evaluated.

              For example we have an aci like this:

                 aci: (targetattr != "aci")(version 3.0; aci "rootdse anon read access"; allow(

                 read,search,compare) userdn="ldap:///anyone" and

                 (ip="127.0.0.1" or ip="2620:52:0:84:f816:3eff:fe4b:4f35");)

              So when the client is IPv6 we start processing the IP addresses in

              the ACI, as soon as a IPv4 address is found the ACI evaluation stops

              and in this case the IPv6 address is never checked and access is denied.

              The problem is that we set the wrong return code variable in libaccess

https://pagure.io/389-ds-base/issue/50378

Reviewed by: mreynolds (one line commit rule)

(cherry picked from commit 41c30fd557d4cc0aaaf8a9f7767d37746f4c4bc4)

---

 lib/libaccess/lasip.cpp | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/libaccess/lasip.cpp b/lib/libaccess/lasip.cpp

index eea7affba..30c546df7 100644

--- a/lib/libaccess/lasip.cpp

+++ b/lib/libaccess/lasip.cpp

@@ -598,7 +598,7 @@ int LASIpEval(NSErr_t *errp, char *attr_name, CmpOp_t comparator,

         node = context->treetop_ipv6;

         if ( node == NULL ) {

-            retcode = (comparator == CMP_OP_EQ ? LAS_EVAL_FALSE : LAS_EVAL_TRUE);

+            rc = (comparator == CMP_OP_EQ ? LAS_EVAL_FALSE : LAS_EVAL_TRUE);

         } else {

             addr = PR_ntohs( ipv6->_S6_un._S6_u16[field]);

             for (bit = 127; bit >= 0 ; bit--, bit_position--) {

-- 

2.17.2