Bug 1387519

Summary: ACI DNS host filter in Console accepts IPv4 and IPv6
Product: Red Hat Directory Server Reporter: Kamlesh <kchaudha>
Component: Directory Console    Assignee: mreynolds
Status: CLOSED WONTFIX QA Contact: Viktor Ashirov <vashirov>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 10.0    CC: kbanerje, mreynolds, nhosoi, nkinder
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-08-26 08:28:03 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Kamlesh 2016-10-21 07:34:16 UTC
Description of problem:
While setting the ACI host filter, it accepts IPv4 and IPv6 addresses and the ACI works properly.
My findings:

1) Set the access permission; in the Host tab select DNS host filter and use the hostname. It shows the correct result.

(targetattr = "telephoneNumber") (target = "ldap:///ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com") (version 3.0;acl "test";deny (all)(userdn = "ldap:///cn=test,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com" or userdn = "ldap:///cn=test1,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com" or userdn = "ldap:///cn=test2,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com" or userdn = "ldap:///cn=test3,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com" or userdn = "ldap:///uid=test4,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com") and (dns="qe-blade-01.idmqe.lab.eng.bos.redhat.com");)
ldapsearch result

[root@qe-blade-01 ~]# ldapsearch -D "cn=test3,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com" -h qe-blade-01.idmqe.lab.eng.bos.redhat.com -p 389 -w test1234 -b "ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com" cn telephonenumber -x -LLL 
dn: ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com

dn: cn=test,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com
cn: test

dn: cn=test1,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com
cn: test1

dn: cn=test2,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com
cn: test2

dn: cn=test3,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com
cn: test3

dn: uid=test4,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com
cn: test4

--------------------------------------------------------------------------
2) Set the access permission; in the Host tab select DNS host filter and use the IPv4 address. It sets the access control.

(targetattr = "telephoneNumber") (target = "ldap:///ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com") (version 3.0;acl "test";deny (all)(userdn = "ldap:///cn=test,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com" or userdn = "ldap:///cn=test1,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com" or userdn = "ldap:///cn=test2,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com" or userdn = "ldap:///cn=test3,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com" or userdn = "ldap:///uid=test4,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com") and (dns="10.19.34.71");)

Search result
[root@qe-blade-01 ~]# ldapsearch -D "cn=test3,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com" -h qe-blade-01.idmqe.lab.eng.bos.redhat.com -p 389 -w test1234 -b "ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com" cn telephonenumber -x -LLL 
dn: ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com

dn: cn=test,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com
cn: test

dn: cn=test1,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com
cn: test1

dn: cn=test2,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com
cn: test2

dn: cn=test3,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com
cn: test3

dn: uid=test4,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com
cn: test4
--------------------------------------------------------------------------------
3) Set the access permission; in the Host tab select DNS host filter and use the IPv6 address. It sets the access control.

(targetattr = "telephoneNumber") (target = "ldap:///ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com") (version 3.0;acl "Test";deny (all)(userdn = "ldap:///cn=test,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com" or userdn = "ldap:///cn=test1,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com" or userdn = "ldap:///cn=test2,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com" or userdn = "ldap:///cn=test3,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com" or userdn = "ldap:///uid=test4,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com") and (dns="2620:52:0:1322:221:5eff:fe20:316a");)
ldapsearch result

[root@qe-blade-01 ~]# ldapsearch -D "cn=test3,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com" -h qe-blade-01.idmqe.lab.eng.bos.redhat.com -p 389 -w test1234 -b "ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com" cn telephonenumber -x -LLL 
dn: ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com

dn: cn=test,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com
cn: test

dn: cn=test1,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com
cn: test1

dn: cn=test2,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com
cn: test2

dn: cn=test3,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com
cn: test3

dn: uid=test4,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com
cn: test4
Version-Release number of selected component (if applicable):
389-admin-console-doc-1.1.12-2.el7dsrv.noarch
389-adminutil-devel-1.1.23-2.el7dsrv.x86_64
redhat-idm-console-10.1.0-2.el7dsrv.x86_64
389-adminutil-1.1.23-2.el7dsrv.x86_64
389-ds-base-1.3.5.10-11.el7.x86_64
389-ds-console-1.2.15-1.el7dsrv.noarch
389-ds-console-doc-1.2.15-1.el7dsrv.noarch
redhat-idm-console-debuginfo-10.1.0-2.el7dsrv.x86_64
389-console-1.1.18-2.el7dsrv.noarch
389-admin-console-1.1.12-2.el7dsrv.noarch
389-admin-debuginfo-1.1.45-2.el7dsrv.x86_64
idm-console-framework-1.1.17-1.el7dsrv.noarch
389-ds-base-libs-1.3.5.10-11.el7.x86_64
389-admin-1.1.45-2.el7dsrv.x86_64


How reproducible:
Always

Steps to Reproduce:
1. In DS Console go to Directory tab; set access permission
2. Create new ACI
3. In the Host tab, add an entry in the DNS host filter with an IPv4 or IPv6 address


Additional info:
If we add the hostname in the IP address host filter, it shows the denied attribute.

Comment 1 Noriko Hosoi 2016-10-21 17:48:45 UTC
Reading the source code, only FQDN is supported for DNS.

/*    LASDnsMatch
 *    Given an array of fully-qualified dns names, tries to match them 
 *    against a given hash table.

Unfortunately, the doc does not mention it clearly, but it says "name" not "address".
13.1. Access Control Principles
For a specific location such as an IP address or a DNS name. 

I'd think this is an RFE not a defect.

And the product/component is RHEL/389-ds-base.

The priority is low.

Comment 2 Noriko Hosoi 2016-10-21 17:56:41 UTC
Ah, sorry, Kamlesh.  You meant the other way?

Since the server ACL does not support IPv6 addr, Console should reject it?

If so, I agree it should.  But again it's not a regression and not urgent...

Set it to RHDS 10.2.
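The check Comment 2 asks the Console for, written out as an added example (not code from the 389-ds or Console project): classify a host-filter value as a fully-qualified DNS name, an IPv4 literal or an IPv6 literal, reject literals for the DNS host filter, and audit existing ACIs for `dns=` bind rules that carry an address instead of a name (the server's `LASDnsMatch` only matches names, so such a rule can never match). The `ip` bind-rule keyword is the server's IP-address host filter; the leading-wildcard form (`*.example.com`) is assumed to be accepted by the `dns` keyword as documented. Sample ACIs are constructed from shortened versions of the ones in the report.

```python
import ipaddress
import re

# dns bind-rule keyword inside an ACI, e.g. (dns="host.example.com")
DNS_RULE_RE = re.compile(r'\bdns\s*=\s*"([^"]*)"', re.IGNORECASE)

# One hostname label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen
LABEL_RE = re.compile(r'^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$')


def classify(value: str) -> str:
    """Return 'ipv4', 'ipv6', 'fqdn' or 'invalid' for a host-filter value."""
    v = value.strip()
    try:
        return "ipv4" if ipaddress.ip_address(v).version == 4 else "ipv6"
    except ValueError:
        pass  # not an address literal, try it as a DNS name
    labels = v.rstrip(".").split(".")
    if labels and labels[0] == "*":          # allow a single leading wildcard label
        labels = labels[1:]
    if len(labels) < 2:                      # a DNS host filter must be fully qualified
        return "invalid"
    if all(l.isdigit() for l in labels):     # e.g. 300.1.1.1: looks numeric, is not an address
        return "invalid"
    if all(LABEL_RE.match(l) for l in labels):
        return "fqdn"
    return "invalid"


def validate_dns_filter(value: str):
    """Console-side check: only an FQDN may go into the DNS host filter."""
    kind = classify(value)
    if kind == "fqdn":
        return True, "ok"
    if kind in ("ipv4", "ipv6"):
        return False, f"{kind} literal is not a DNS name; use the IP address host filter (ip keyword)"
    return False, "not a fully-qualified DNS name"


def host_clause(value: str) -> str:
    """Emit the bind-rule clause that the server will actually evaluate for this value."""
    kind = classify(value)
    if kind == "fqdn":
        return f'(dns="{value}")'
    if kind in ("ipv4", "ipv6"):
        return f'(ip="{value}")'
    raise ValueError(f"unusable host filter value: {value!r}")


def audit_aci(aci: str):
    """Return [(value, kind)] for every dns= value in an ACI that is not an FQDN.

    Such rules silently never match, so a deny-rule guarded by them does not deny.
    """
    return [(m.group(1), classify(m.group(1)))
            for m in DNS_RULE_RE.finditer(aci)
            if classify(m.group(1)) != "fqdn"]


# Constructed samples, shortened from the ACIs in the bug report
SAMPLE_ACIS = [
    '(targetattr = "telephoneNumber") (version 3.0;acl "test";deny (all)'
    '(userdn = "ldap:///cn=test3,ou=People,dc=example,dc=com") '
    'and (dns="qe-blade-01.idmqe.lab.eng.bos.redhat.com");)',
    '(targetattr = "telephoneNumber") (version 3.0;acl "test";deny (all)'
    '(userdn = "ldap:///cn=test3,ou=People,dc=example,dc=com") '
    'and (dns="10.19.34.71");)',
    '(targetattr = "telephoneNumber") (version 3.0;acl "Test";deny (all)'
    '(userdn = "ldap:///cn=test3,ou=People,dc=example,dc=com") '
    'and (dns="2620:52:0:1322:221:5eff:fe20:316a");)',
]

if __name__ == "__main__":
    for aci in SAMPLE_ACIS:
        for value, kind in audit_aci(aci):
            print(f"dns= rule carries a {kind} literal: {value}  -> use {host_clause(value)}")
```

Running the audit over the three sample ACIs flags the second and third (an IPv4 and an IPv6 literal under `dns=`) and leaves the FQDN rule alone; the same `classify` call is what the Console's DNS host filter dialog would use to refuse an address before the ACI is ever written.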