Bug 985443

Summary: openconnect-5.01 XML POST doesn't send specified group correctly
Product: [Fedora] Fedora Reporter: Joshua Roys <roysjosh>
Component: openconnectAssignee: David Woodhouse <dwmw2>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 19CC: dwmw2
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-12-08 16:20:18 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Joshua Roys 2013-07-17 13:45:03 UTC 
Description of problem:
After upgrading to F19, my openconnect VPN doesn't allow access to certain resources.  Issue was traced to my client being issued an IP address from the default group.  After reading the man page, adding --no-xmlpost to the command restores expected behavior.


Version-Release number of selected component (if applicable):
openconnect-5.01


How reproducible:
openconnect -v -v -v --authgroup ORG-UNIT -u uid --no-cert-check vpn1.example.com
[...]
X-CSTP-Address: 10.43.100.99
[...]

openconnect -v -v -v --authgroup ORG-UNIT -u uid --no-cert-check --no-xmlpost vpn1.example.com
[...]
X-CSTP-Address: 10.43.16.157
[...]


Actual results:
Incorrect IP address assignment resulting from incorrect/missing group sent in new XML POST.


Expected results:
Correct IP address.
Comment 1 David Woodhouse 2014-07-08 16:19:30 UTC 
This should be worked around in 5.02 (in Fedora 20) and properly fixed in the 6.00 release (rawhide, coming to 20 soon).

Are you still on Fedora 19, or are you able to test with F20?

I'll push out an update for Fedora 19 too.
Comment 2 David Woodhouse 2014-07-09 07:09:29 UTC 
Oh, pushing the update to F19/F20 is non-trivial since it involves an ABI change in the libopenconnect library... which the KDE authentication tool isn't yet fully prepared to cope with.

If you can confirm that OpenConnect v6.00 works correctly, I'll try to work out the upgrade process.

Thanks.