Bug 1807537

Summary: wildcards in rootdn-allow-ip attribute are not accepted
Product: Red Hat Enterprise Linux 7
Reporter: mreynolds
Component: 389-ds-base
Assignee: mreynolds
Status: CLOSED ERRATA
QA Contact: RHDS QE <ds-qe-bugs>
Severity: unspecified
Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: unspecified
Version: 7.4
CC: pasik, sam, spichugi, tbordaz, vashirov
Target Milestone: rc
Keywords: TestCaseProvided
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: 389-ds-base-1.3.10.2-2.el7
Doc Type: Bug Fix
Doc Text:
.Directory Server no longer rejects wildcards in the `rootdn-allow-ip` and `rootdn-deny-ip` parameters
Previously, when an administrator tried to set a wildcard in the `rootdn-allow-ip` or `rootdn-deny-ip` parameters in the `cn=RootDN Access Control Plugin,cn=plugins,cn=config` entry, Directory Server rejected the value. With this update, you can use wildcards when specifying allowed or denied IP addresses in the mentioned parameters.
Last Closed: 2020-09-29 19:46:56 UTC

Description mreynolds 2020-02-26 15:08:59 UTC
This bug is created as a clone of upstream ticket:
https://pagure.io/389-ds-base/issue/50800

#### Issue Description
Attempting to use a wildcard in the rootdn-allow-ip attribute of the rootdn_access plugin causes the server to fail to start:

~~~~
ERR - rootdn-access-control-plugin - rootdn_load_config - IP address contains invalid characters (127.*), skipping
ERR - rootdn-access-control-plugin - rootdn_init - Unable to load plug-in configuration
ERR - plugin_setup - Init function "rootdn_init" for "RootDN Access Control" plugin in library "librootdn-access-plugin" failed
ERR - load_plugin_entry - Unable to load plugin "cn=RootDN Access Control,cn=plugins,cn=config"
~~~~

The use of wildcards is [documented](https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/configuration_command_and_file_reference/rootdn_plug_in_attributes#rootdn-allow-ip) and was allowed when the plugin was originally added, but the changes in #48027 unintentionally broke the parsing of values containing a `*`.
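
The character check and wildcard match that the report is about can be sketched as follows. This is an added example, not the 389-ds-base plugin code: the function names are hypothetical, and the deny-before-allow evaluation order is an assumption of the sketch.

```c
#include <ctype.h>
#include <stddef.h>

/* Character filter only: hex digits, '.', ':' and the '*' wildcard. */
int ip_pattern_is_valid(const char *s)
{
    if (s == NULL || *s == '\0')
        return 0;
    for (; *s; s++)
        if (!isxdigit((unsigned char)*s) && *s != '.' && *s != ':' && *s != '*')
            return 0;
    return 1;
}

/* Textual glob match: '*' matches any run of characters, including none. */
int ip_matches(const char *pat, const char *ip)
{
    const char *star = NULL, *retry = NULL;
    while (*ip) {
        if (*pat == '*') {
            star = pat++;          /* remember the wildcard position */
            retry = ip;
        } else if (*pat && tolower((unsigned char)*pat) == tolower((unsigned char)*ip)) {
            pat++;
            ip++;
        } else if (star) {
            pat = star + 1;        /* let '*' absorb one more character */
            ip = ++retry;
        } else {
            return 0;
        }
    }
    while (*pat == '*')
        pat++;
    return *pat == '\0';
}

/* Assumed policy: any deny match refuses; a non-empty allow list must match. */
int rootdn_ip_allowed(const char *client, const char **allow, size_t nallow,
                      const char **deny, size_t ndeny)
{
    size_t i;
    for (i = 0; i < ndeny; i++)
        if (ip_matches(deny[i], client))
            return 0;
    for (i = 0; i < nallow; i++)
        if (ip_matches(allow[i], client))
            return 1;
    return nallow == 0;
}
```

With purely textual matching like this, a pattern such as `10.1*` also matches `10.10.0.5`; ending the wildcard on an octet boundary (`10.1.*`) keeps an allow rule from covering more networks than intended.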

Comment 5 Viktor Ashirov 2020-04-29 12:12:44 UTC
~~~~
============================= test session starts ==============================
platform linux -- Python 3.6.8, pytest-5.4.1, py-1.8.1, pluggy-0.13.1 -- /usr/bin/python3
cachedir: .pytest_cache
389-ds-base: 1.3.10.2-2.el7
nss: 3.44.0-5.el7
nspr: 4.21.0-1.el7
openldap: 2.4.44-21.el7_6
cyrus-sasl: 2.1.26-23.el7
FIPS: disabled
rootdir: /workspace/ds/dirsrvtests, inifile: pytest.ini
collected 9 items

dirsrvtests/tests/suites/plugins/rootdn_plugin_test.py::test_rootdn_access_specific_time PASSED [ 11%]
dirsrvtests/tests/suites/plugins/rootdn_plugin_test.py::test_rootdn_access_day_of_week PASSED [ 22%]
dirsrvtests/tests/suites/plugins/rootdn_plugin_test.py::test_rootdn_access_denied_ip PASSED [ 33%]
dirsrvtests/tests/suites/plugins/rootdn_plugin_test.py::test_rootdn_access_denied_host PASSED [ 44%]
dirsrvtests/tests/suites/plugins/rootdn_plugin_test.py::test_rootdn_access_allowed_ip PASSED [ 55%]
dirsrvtests/tests/suites/plugins/rootdn_plugin_test.py::test_rootdn_access_allowed_host PASSED [ 66%]
dirsrvtests/tests/suites/plugins/rootdn_plugin_test.py::test_rootdn_config_validate PASSED [ 77%]
dirsrvtests/tests/suites/plugins/rootdn_plugin_test.py::test_rootdn_access_denied_ip_wildcard PASSED [ 88%]
dirsrvtests/tests/suites/plugins/rootdn_plugin_test.py::test_rootdn_access_allowed_ip_wildcard PASSED [100%]

============================== 9 passed in 12.54s ==============================
~~~~

Marking as VERIFIED

Comment 9 errata-xmlrpc 2020-09-29 19:46:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (389-ds-base bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3894