Bug 1564171

Summary: aci with ip clause, ipv6 value, and wildcard is not working.
Product: Red Hat Enterprise Linux 7
Reporter: German Parente <gparente>
Component: 389-ds-base
Assignee: mreynolds
Status: CLOSED WORKSFORME
QA Contact: Viktor Ashirov <vashirov>
Severity: unspecified
Priority: unspecified
Version: 7.4
CC: gparente, nkinder, rmeggins
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Last Closed: 2018-06-07 12:24:00 UTC
Type: Bug

Description German Parente 2018-04-05 14:32:39 UTC
Description of problem:

Using this ACI under the null base DN, for instance:

aci: (targetattr != "aci")(version 3.0; aci "rootdse anon read access"; allow(
 read,search,compare) (userdn="ldap:///anyone") and (ip="2620:52:0:ab0:1a:4aff
 :fe0a:b201");)

And I do a search:

 ip a
   inet6 2620:52:0:ab0:1a:4aff:fe0a:b201/64 scope global noprefixroute dynamic


ldapsearch -xLLL -h 2620:52:0:ab0:21a:4aff:feeb:8b33 -p 389 -b "" -s base
dn:
objectClass: top
namingContexts: cn=changelog
namingContexts: dc=cgparente,dc=local
namingContexts: o=ipaca
defaultnamingcontext: dc=cgparente,dc=local
supportedExtension: 2.16.840.1.113730.3.5.7
supportedExtension: 2.16.840.1.113730.3.5.8
supportedExtension: 2.16.840.1.113730.3.5.10
supportedExtension: 2.16.840.1.113730.3.8.10.3
supportedExtension: 2.16.840.1.113730.3.8.10.4
supportedExtension: 2.16.840.1.113730.3.8.10.4.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 2.16.840.1.113730.3.8.10.1
supportedExtension: 2.16.840.1.113730.3.8.10.5
supportedExtension: 2.16.840.1.113730.3.5.3
supportedExtension: 2.16.840.1.113730.3.5.12
supportedExtension: 2.16.840.1.113730.3.5.5
supportedExtension: 2.16.840.1.113730.3.5.6
supportedExtension: 2.16.840.1.113730.3.5.9
supportedExtension: 2.16.840.1.113730.3.5.4
supportedExtension: 2.16.840.1.113730.3.6.5
supportedExtension: 2.16.840.1.113730.3.6.6
supportedExtension: 2.16.840.1.113730.3.6.7
supportedExtension: 2.16.840.1.113730.3.6.8
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 2.16.840.1.113730.3.4.3
supportedControl: 2.16.840.1.113730.3.4.4
supportedControl: 2.16.840.1.113730.3.4.5
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.16
supportedControl: 2.16.840.1.113730.3.4.15
supportedControl: 2.16.840.1.113730.3.4.17
supportedControl: 2.16.840.1.113730.3.4.19
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.8
supportedControl: 1.3.6.1.4.1.4203.666.5.16
supportedControl: 2.16.840.1.113730.3.8.10.6
supportedControl: 2.16.840.1.113730.3.8.10.7
supportedControl: 2.16.840.1.113730.3.4.14
supportedControl: 2.16.840.1.113730.3.4.20
supportedControl: 1.3.6.1.4.1.1466.29539.12
supportedControl: 2.16.840.1.113730.3.4.12
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.13
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: ANONYMOUS
supportedLDAPVersion: 2
supportedLDAPVersion: 3
vendorName: 389 Project
vendorVersion: 389-Directory/1.3.6.1 B2017.314.143
dataversion: 020180405142105020180405142105020180405142105
netscapemdsuffix: cn=ldap://dc=trustreplica,dc=cgparente,dc=local:389
lastusn: 42884
changeLog: cn=changelog
firstchangenumber: 344
lastchangenumber: 363
ipatopologypluginversion: 1.0
ipatopologyismanaged: off
ipaDomainLevel: 0


Access log:

[05/Apr/2018:10:22:06.968152786 -0400] conn=7 fd=66 slot=66 connection from 2620:52:0:ab0:1a:4aff:fe0a:b201 to 2620:52:0:ab0:21a:4aff:feeb:8b33
[05/Apr/2018:10:22:06.969131282 -0400] conn=7 op=0 BIND dn="" method=128 version=3
[05/Apr/2018:10:22:06.969400670 -0400] conn=7 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[05/Apr/2018:10:22:06.969914981 -0400] conn=7 op=1 SRCH base="" scope=0 filter="(objectClass=*)" attrs=ALL
[05/Apr/2018:10:22:07.579211022 -0400] conn=7 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[05/Apr/2018:10:22:07.579935523 -0400] conn=7 op=2 UNBIND
[05/Apr/2018:10:22:07.579969091 -0400] conn=7 op=2 fd=66 closed - U1

Errors log:

[05/Apr/2018:10:22:06.995543617 -0400] - DEBUG - NSACLPlugin - ***BEGIN ACL INFO[ Name: "rootdse anon read access"]***
[05/Apr/2018:10:22:06.997250733 -0400] - DEBUG - NSACLPlugin - ACL Index:1   ACL_ELEVEL:0
[05/Apr/2018:10:22:06.999011276 -0400] - DEBUG - NSACLPlugin - ACI type:(compare search read target_attr acltxt target_attr_not allow_rule )
[05/Apr/2018:10:22:07.001440535 -0400] - DEBUG - NSACLPlugin - ACI RULE type:(userdn ip )
[05/Apr/2018:10:22:07.003207665 -0400] - DEBUG - NSACLPlugin - Slapi_Entry DN:
[05/Apr/2018:10:22:07.005039085 -0400] - DEBUG - NSACLPlugin - ***END ACL INFO*****************************
[05/Apr/2018:10:22:07.018140269 -0400] - DEBUG - NSACLPlugin - acl__scan_for_acis - Num of ALLOW Handles:1, DENY handles:0
[05/Apr/2018:10:22:07.019993668 -0400] - DEBUG - NSACLPlugin - acl_access_allowed - Processed attr:objectClass for entry:
[05/Apr/2018:10:22:07.021709963 -0400] - DEBUG - NSACLPlugin - acl__TestRights - 1. Evaluating ALLOW aci(1) " "rootdse anon read access""
[05/Apr/2018:10:22:07.023727845 -0400] - DEBUG - NSACLPlugin - DS_LASIpGetter - Returning client ip address '2620:52:0:ab0:1a:4aff:fe0a:b201'
[05/Apr/2018:10:22:07.025660249 -0400] - DEBUG - NSACLPlugin - print_access_control_summary - conn=7 op=1 (main): Allow read on entry().attr(objectClass) to anonymous: allowed by aci(1): aciname= "rootdse anon read access", acidn=""


Now I change the ACI to have a wildcard:

aci: (targetattr != "aci")(version 3.0; aci "rootdse anon read access"; allow(
 read,search,compare) (userdn="ldap:///anyone") and (ip="2620:52:0:ab0:1a:4aff
 :fe0a:*");)


I repeat the search and no entries are returned:

 ldapsearch -xLLL -h 2620:52:0:ab0:21a:4aff:feeb:8b33 -p 389 -b "" -s base

[05/Apr/2018:10:27:08.530010317 -0400] conn=3 fd=66 slot=66 connection from 2620:52:0:ab0:1a:4aff:fe0a:b201 to 2620:52:0:ab0:21a:4aff:feeb:8b33
[05/Apr/2018:10:27:08.531368455 -0400] conn=3 op=0 BIND dn="" method=128 version=3
[05/Apr/2018:10:27:08.531603453 -0400] conn=3 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[05/Apr/2018:10:27:08.534067668 -0400] conn=3 op=1 SRCH base="" scope=0 filter="(objectClass=*)" attrs=ALL
[05/Apr/2018:10:27:10.587038289 -0400] conn=3 op=1 RESULT err=0 tag=101 nentries=0 etime=2
[05/Apr/2018:10:27:10.589254906 -0400] conn=3 op=2 UNBIND

[05/Apr/2018:10:27:10.127377540 -0400] - DEBUG - NSACLPlugin - acl_access_allowed - #### conn=3 op=1 binddn=""
[05/Apr/2018:10:27:10.131708129 -0400] - DEBUG - NSACLPlugin -     ************ RESOURCE INFO STARTS *********
[05/Apr/2018:10:27:10.134327030 -0400] - DEBUG - NSACLPlugin -     Client DN:
[05/Apr/2018:10:27:10.136925213 -0400] - DEBUG - NSACLPlugin -     resource type:256(read target_DN )
[05/Apr/2018:10:27:10.139307699 -0400] - DEBUG - NSACLPlugin -     Slapi_Entry DN:
[05/Apr/2018:10:27:10.142909107 -0400] - DEBUG - NSACLPlugin -     ATTR: aci
[05/Apr/2018:10:27:10.145285254 -0400] - DEBUG - NSACLPlugin -     rights:read
[05/Apr/2018:10:27:10.148306889 -0400] - DEBUG - NSACLPlugin -     ************ RESOURCE INFO ENDS   *********
[05/Apr/2018:10:27:10.151928932 -0400] - DEBUG - NSACLPlugin - acl__scan_for_acis - Using ACL Container:0 for evaluation
[05/Apr/2018:10:27:10.154466473 -0400] - DEBUG - NSACLPlugin - acl__scan_for_acis - Num of ALLOW Handles:0, DENY handles:0
[05/Apr/2018:10:27:10.160276460 -0400] - DEBUG - NSACLPlugin - print_access_control_summary - conn=3 op=1 (main): Deny read on entry().attr(aci) to anonymous: no aci matched the resource
[05/Apr/2018:10:27:10.163442162 -0400] - DEBUG - NSACLPlugin - acl__scan_for_acis - Using ACL Container:0 for evaluation
[05/Apr/2018:10:27:10.165526266 -0400] - DEBUG - NSACLPlugin - ***BEGIN ACL INFO[ Name: "rootdse anon read access"]***
[05/Apr/2018:10:27:10.167542627 -0400] - DEBUG - NSACLPlugin - ACL Index:1   ACL_ELEVEL:0
[05/Apr/2018:10:27:10.169725199 -0400] - DEBUG - NSACLPlugin - ACI type:(compare search read target_attr acltxt target_attr_not allow_rule )
[05/Apr/2018:10:27:10.172520501 -0400] - DEBUG - NSACLPlugin - ACI RULE type:(userdn ip )
[05/Apr/2018:10:27:10.175382325 -0400] - DEBUG - NSACLPlugin - Slapi_Entry DN:
[05/Apr/2018:10:27:10.177841938 -0400] - DEBUG - NSACLPlugin - ***END ACL INFO*****************************
[05/Apr/2018:10:27:10.180696121 -0400] - DEBUG - NSACLPlugin - acl__scan_for_acis - Num of ALLOW Handles:1, DENY handles:0
[05/Apr/2018:10:27:10.182950595 -0400] - DEBUG - NSACLPlugin - acl_access_allowed - Processed attr:objectClass for entry:
[05/Apr/2018:10:27:10.184923794 -0400] - DEBUG - NSACLPlugin - acl__TestRights - 1. Evaluating ALLOW aci(1) " "rootdse anon read access""
[05/Apr/2018:10:27:10.188433340 -0400] - DEBUG - NSACLPlugin - DS_LASIpGetter - Returning client ip address '2620:52:0:ab0:1a:4aff:fe0a:b201'
[05/Apr/2018:10:27:10.191564691 -0400] - DEBUG - NSACLPlugin - print_access_control_summary - conn=3 op=1 (main): Deny read on entry().attr(objectClass) to anonymous: no aci matched the subject by aci(1): aciname= "rootdse anon read access", acidn=""
[05/Apr/2018:10:27:10.193361384 -0400] - DEBUG - NSACLPlugin - acl__scan_for_acis - Using ACL Container:0 for evaluation
[05/Apr/2018:10:27:10.195279463 -0400] - DEBUG - NSACLPlugin - ***BEGIN ACL INFO[ Name: "rootdse anon read access"]***
[05/Apr/2018:10:27:10.197059187 -0400] - DEBUG - NSACLPlugin - ACL Index:1   ACL_ELEVEL:0
[05/Apr/2018:10:27:10.198834367 -0400] - DEBUG - NSACLPlugin - ACI type:(compare search read target_attr acltxt target_attr_not allow_rule )
[05/Apr/2018:10:27:10.200602722 -0400] - DEBUG - NSACLPlugin - ACI RULE type:(userdn ip )
[05/Apr/2018:10:27:10.203510013 -0400] - DEBUG - NSACLPlugin - Slapi_Entry DN:
[05/Apr/2018:10:27:10.205808014 -0400] - DEBUG - NSACLPlugin - ***END ACL INFO*****************************
[05/Apr/2018:10:27:10.207749681 -0400] - DEBUG - NSACLPlugin - acl__scan_for_acis - Num of ALLOW Handles:1, DENY handles:0
[05/Apr/2018:10:27:10.209770519 -0400] - DEBUG - NSACLPlugin - acl_access_allowed - Processed attr:defaultnamingcontext for entry:
[05/Apr/2018:10:27:10.212608588 -0400] - DEBUG - NSACLPlugin - acl__TestRights - 1. Evaluating ALLOW aci(1) " "rootdse anon read access""
[05/Apr/2018:10:27:10.214352335 -0400] - DEBUG - NSACLPlugin - acl__TestRights - Found READ SKIP in cache
[05/Apr/2018:10:27:10.216110698 -0400] - DEBUG - NSACLPlugin - print_access_control_summary - conn=3 op=1 (main): Deny read on entry().attr(defaultnamingcontext) to anonymous: no aci matched the subject by aci(1): aciname= "rootdse anon read access", acidn=""
[05/Apr/2018:10:27:10.217919548 -0400] - DEBUG - NSACLPlugin - acl__scan_for_acis - Using ACL Container:0 for evaluation
[05/Apr/2018:10:27:10.219898799 -0400] - DEBUG - NSACLPlugin - ***BEGIN ACL INFO[ Name: "rootdse anon read access"]***
[05/Apr/2018:10:27:10.223004824 -0400] - DEBUG - NSACLPlugin - ACL Index:1   ACL_ELEVEL:0
[05/Apr/2018:10:27:10.224948080 -0400] - DEBUG - NSACLPlugin - ACI type:(compare search read target_attr acltxt target_attr_not allow_rule )
[05/Apr/2018:10:27:10.226977912 -0400] - DEBUG - NSACLPlugin - ACI RULE type:(userdn ip )
[05/Apr/2018:10:27:10.228687273 -0400] - DEBUG - NSACLPlugin - Slapi_Entry DN:
[05/Apr/2018:10:27:10.230837305 -0400] - DEBUG - NSACLPlugin - ***END ACL INFO*****************************
[05/Apr/2018:10:27:10.232635971 -0400] - DEBUG - NSACLPlugin - acl__scan_for_acis - Num of ALLOW Handles:1, DENY handles:0
[05/Apr/2018:10:27:10.234436423 -0400] - DEBUG - NSACLPlugin - acl_access_allowed - Processed attr:dataversion for entry:
[05/Apr/2018:10:27:10.236527595 -0400] - DEBUG - NSACLPlugin - acl__TestRights - 1. Evaluating ALLOW aci(1) " "rootdse anon read access""
[05/Apr/2018:10:27:10.240343568 -0400] - DEBUG - NSACLPlugin - acl__TestRights - Found READ SKIP in cache


Version-Release number of selected component (if applicable):

389-ds-base-1.3.6.1-24.el7_4.x86_64

Comment 2 mreynolds 2018-04-05 14:36:42 UTC
Do IPv4 addresses with wildcards work?  Or is it just IPv6?

Comment 5 German Parente 2018-04-05 14:52:14 UTC
I have tested a wildcard with IPv4 and it works fine:

aci: (targetattr != "aci")(version 3.0; aci "rootdse anon read access"; allow(
 read,search,compare) (userdn="ldap:///anyone") and (ip="10.10.179.*");)

Comment 6 mreynolds 2018-05-25 15:43:18 UTC
Upstream ticket:
https://pagure.io/389-ds-base/issue/49724

Comment 7 mreynolds 2018-05-25 19:31:58 UTC
So you cannot use "*" wildcards with IPv6 in ACIs, but you can use CIDR subnet prefix lengths.


So it would work like this:

2601:989:4400:4f30:128c:b936:66e7:58c6

2601:989:4400:4f30:128c:b936:66e7:*  == 2601:989:4400:4f30:128c:b936:66e7::/112
2601:989:4400:4f30:128c:b936:*       == 2601:989:4400:4f30:128c:b936::/96

(targetattr = "uid || cn") (version 3.0;acl "Enable anonymous access";allow (read,compare,search)(userdn = "ldap:///anyone") and (ip="2601:989:4400:4f30:128c:b936:66e7::/112");)
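Comment 7 works out the wildcard-to-prefix correspondence by hand: each trailing "*" group of an IPv6 address is 16 bits, so seven fixed groups give a /112 and six give a /96 (for IPv4, each "*" octet is 8 bits, so "10.10.179.*" is 10.10.179.0/24). The script below is an added example, not code from 389-ds or from anyone on this bug. It rewrites the ip= clause of an ACI from wildcard form to the CIDR form comment 7 shows, and checks a client address (taken from an access-log "connection from" line like the ones quoted above) against the clause. Assumptions not stated on this page: that an ip= value list may be comma-separated, that a "*" always replaces whole trailing components with the preceding IPv6 groups written out (no "::"), and that a CIDR value with non-zero host bits is tolerated; the function names and the regexes are mine.

```python
"""Added example (not 389-ds or bug-reporter code): rewrite an ACI ip= wildcard
into the CIDR prefix form that works for IPv6, and evaluate a client against it."""
import ipaddress
import re

# Bits covered by one address component: a dotted IPv4 octet or a hex IPv6 group.
_BITS = {".": 8, ":": 16}
_PARTS = {".": 4, ":": 8}


def wildcard_to_cidr(pattern: str) -> str:
    """Rewrite a trailing-'*' wildcard pattern as a CIDR prefix (text form).

    '10.10.179.*'                         -> '10.10.179.0/24'
    '2601:989:4400:4f30:128c:b936:66e7:*' -> '2601:989:4400:4f30:128c:b936:66e7::/112'
    '2601:989:4400:4f30:128c:b936:*'      -> '2601:989:4400:4f30:128c:b936::/96'
    A pattern with no '*' is a plain address and is returned unchanged.
    Assumption: '*' replaces whole trailing components only, and the IPv6 groups
    before it are written out (no '::'), as in the ACIs quoted in this bug.
    """
    pattern = pattern.strip()
    if "*" not in pattern:
        ipaddress.ip_address(pattern)          # validate, then keep the literal
        return pattern
    sep = ":" if ":" in pattern else "."
    if "::" in pattern:
        raise ValueError(f"{pattern!r}: expand '::' before using a wildcard")
    parts = pattern.split(sep)
    fixed = []
    for p in parts:                            # components before the first '*'
        if "*" in p:
            break
        fixed.append(p)
    if any(p != "*" for p in parts[len(fixed):]):
        raise ValueError(f"{pattern!r}: '*' must replace whole trailing components")
    if len(fixed) >= _PARTS[sep]:
        raise ValueError(f"{pattern!r}: too many components")
    prefix = _BITS[sep] * len(fixed)
    if sep == ".":
        text = ".".join(fixed + ["0"] * (4 - len(fixed))) + f"/{prefix}"
    else:
        text = ":".join(fixed) + f"::/{prefix}"
    ipaddress.ip_network(text, strict=True)    # rejects malformed components
    return text


def wildcard_to_network(pattern: str):
    """ip_network object for a wildcard pattern or a plain address (/32, /128)."""
    return ipaddress.ip_network(wildcard_to_cidr(pattern), strict=True)


def parse_ip_value(value: str):
    """One ip= value: CIDR taken as written, wildcard converted, literal as a host."""
    value = value.strip()
    if "/" in value:
        # Assumption: a prefix with non-zero host bits is tolerated, so strict=False.
        return ipaddress.ip_network(value, strict=False)
    return wildcard_to_network(value)


_IP_CLAUSE = re.compile(r'(\bip\s*=\s*")([^"]*)(")')


def rewrite_aci(aci: str) -> str:
    """Return the ACI with every wildcard value of its ip= clause(s) rewritten to CIDR.
    Assumption: the ip= value may be a comma-separated list."""
    def fix(m):
        values = [v for v in m.group(2).split(",") if v.strip()]
        return m.group(1) + ", ".join(
            v.strip() if "/" in v else wildcard_to_cidr(v) for v in values) + m.group(3)
    return _IP_CLAUSE.sub(fix, aci)


def ip_clause_values(aci: str) -> str:
    """Raw value text of the first ip= clause in an ACI ('' if there is none)."""
    m = _IP_CLAUSE.search(aci)
    return m.group(2) if m else ""


def ip_clause_allows(client: str, values: str) -> bool:
    """Would this ip= clause (wildcard or CIDR values) admit the client address?"""
    addr = ipaddress.ip_address(client)
    # An IPv4 address is never inside an IPv6 network and vice versa.
    return any(addr in parse_ip_value(v) for v in values.split(",") if v.strip())


_CONN = re.compile(r"connection from (\S+) to (\S+)")


def client_from_access_log(line: str) -> str:
    """Client address from a 389-ds access-log 'connection from X to Y' line."""
    m = _CONN.search(line)
    if not m:
        raise ValueError("not a connection line")
    return m.group(1)


# Constructed sample input: the wildcard ACI and one access-log line quoted in the report.
WILDCARD_ACI = ('(targetattr != "aci")(version 3.0; aci "rootdse anon read access"; '
                'allow(read,search,compare) (userdn="ldap:///anyone") and '
                '(ip="2620:52:0:ab0:1a:4aff:fe0a:*");)')
ACCESS_LINE = ("[05/Apr/2018:10:27:08.530010317 -0400] conn=3 fd=66 slot=66 connection from "
               "2620:52:0:ab0:1a:4aff:fe0a:b201 to 2620:52:0:ab0:21a:4aff:feeb:8b33")

if __name__ == "__main__":
    fixed = rewrite_aci(WILDCARD_ACI)
    client = client_from_access_log(ACCESS_LINE)
    print(fixed)
    print(client, "allowed" if ip_clause_allows(client, ip_clause_values(fixed)) else "denied")
```

Run stand-alone it prints the reporter's ACI with ip="2620:52:0:ab0:1a:4aff:fe0a::/112" and reports the client from the log line as allowed. The check only models the ip clause itself; the rest of the ACI (targetattr, userdn, allow rights) is evaluated by the server, and the claim that the CIDR form is what 389-ds accepts for IPv6 rests on comment 7, not on this script.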