From 7264a239b71b4b5adc6740457586520ad0ba1d3f Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Wed, 15 May 2019 16:04:55 -0400
Subject: [PATCH] Ticket 50378 - ACI's with IPv4 and IPv6 bind rules do not
work for IPv6 clients
Description: When the client is a IPv6 client, any ACI's that contain bind rules
for IPv4 addresses essentially break that aci causing it to not be
fully evaluated.
For example we have an aci like this:
aci: (targetattr != "aci")(version 3.0; aci "rootdse anon read access"; allow(
read,search,compare) userdn="ldap:///anyone" and
(ip="127.0.0.1" or ip="2620:52:0:84:f816:3eff:fe4b:4f35");)
So when the client is IPv6 we start processing the IP addresses in
the ACI, as soon as a IPv4 address is found the ACI evaluation stops
and in this case the IPv6 address is never checked and access is denied.
The problem is that we set the wrong return code variable in libaccess
https://pagure.io/389-ds-base/issue/50378
Reviewed by: mreynolds (one line commit rule)
(cherry picked from commit 41c30fd557d4cc0aaaf8a9f7767d37746f4c4bc4)
---
lib/libaccess/lasip.cpp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/libaccess/lasip.cpp b/lib/libaccess/lasip.cpp
index eea7affba..30c546df7 100644
--- a/lib/libaccess/lasip.cpp
+++ b/lib/libaccess/lasip.cpp
@@ -598,7 +598,7 @@ int LASIpEval(NSErr_t *errp, char *attr_name, CmpOp_t comparator,
node = context->treetop_ipv6;
if ( node == NULL ) {
- retcode = (comparator == CMP_OP_EQ ? LAS_EVAL_FALSE : LAS_EVAL_TRUE);
+ rc = (comparator == CMP_OP_EQ ? LAS_EVAL_FALSE : LAS_EVAL_TRUE);
} else {
addr = PR_ntohs( ipv6->_S6_un._S6_u16[field]);
for (bit = 127; bit >= 0 ; bit--, bit_position--) {
--
2.17.2