Bug 1387519 - ACI DNS host filter in Console accepts IPv4 and IPv6
Summary: ACI DNS host filter in Console accepts IPv4 and IPv6
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Directory Server
Classification: Red Hat
Component: Directory Console
Version: 10.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: ---
Assignee: mreynolds
QA Contact: Viktor Ashirov
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-10-21 07:34 UTC by Kamlesh
Modified: 2019-08-26 08:28 UTC
CC List: 4 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-26 08:28:03 UTC
Target Upstream Version:



Description Kamlesh 2016-10-21 07:34:16 UTC
Description of problem:
While setting the ACI host filter, it accepts IPv4 and IPv6 addresses and the ACI works properly.
My findings:

1) Set the access permission; in the Host tab, select "DNS host filter" and use the hostname. It shows the correct result.

(targetattr = "telephoneNumber") (target = "ldap:///ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com") (version 3.0;acl "test";deny (all)(userdn = "ldap:///cn=test,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com" or userdn = "ldap:///cn=test1,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com" or userdn = "ldap:///cn=test2,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com" or userdn = "ldap:///cn=test3,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com" or userdn = "ldap:///uid=test4,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com") and (dns="qe-blade-01.idmqe.lab.eng.bos.redhat.com");)
ldapsearch result

[root@qe-blade-01 ~]# ldapsearch -D "cn=test3,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com" -h qe-blade-01.idmqe.lab.eng.bos.redhat.com -p 389 -w test1234 -b "ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com" cn telephonenumber -x -LLL 
dn: ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com

dn: cn=test,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com
cn: test

dn: cn=test1,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com
cn: test1

dn: cn=test2,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com
cn: test2

dn: cn=test3,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com
cn: test3

dn: uid=test4,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com
cn: test4

--------------------------------------------------------------------------
2) Set the access permission; in the Host tab, select "DNS host filter" and use the IPv4 address. It sets the access control.

(targetattr = "telephoneNumber") (target = "ldap:///ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com") (version 3.0;acl "test";deny (all)(userdn = "ldap:///cn=test,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com" or userdn = "ldap:///cn=test1,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com" or userdn = "ldap:///cn=test2,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com" or userdn = "ldap:///cn=test3,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com" or userdn = "ldap:///uid=test4,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com") and (dns="10.19.34.71");)

Search result
[root@qe-blade-01 ~]# ldapsearch -D "cn=test3,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com" -h qe-blade-01.idmqe.lab.eng.bos.redhat.com -p 389 -w test1234 -b "ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com" cn telephonenumber -x -LLL 
dn: ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com

dn: cn=test,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com
cn: test

dn: cn=test1,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com
cn: test1

dn: cn=test2,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com
cn: test2

dn: cn=test3,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com
cn: test3

dn: uid=test4,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com
cn: test4
--------------------------------------------------------------------------------
3) Set the access permission; in the Host tab, select "DNS host filter" and use the IPv6 address. It sets the access control.

(targetattr = "telephoneNumber") (target = "ldap:///ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com") (version 3.0;acl "Test";deny (all)(userdn = "ldap:///cn=test,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com" or userdn = "ldap:///cn=test1,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com" or userdn = "ldap:///cn=test2,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com" or userdn = "ldap:///cn=test3,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com" or userdn = "ldap:///uid=test4,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com") and (dns="2620:52:0:1322:221:5eff:fe20:316a");)
ldapsearch result

[root@qe-blade-01 ~]# ldapsearch -D "cn=test3,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com" -h qe-blade-01.idmqe.lab.eng.bos.redhat.com -p 389 -w test1234 -b "ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com" cn telephonenumber -x -LLL 
dn: ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com

dn: cn=test,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com
cn: test

dn: cn=test1,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com
cn: test1

dn: cn=test2,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com
cn: test2

dn: cn=test3,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com
cn: test3

dn: uid=test4,ou=People,dc=idmqe,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com
cn: test4




Version-Release number of selected component (if applicable):
389-admin-console-doc-1.1.12-2.el7dsrv.noarch
389-adminutil-devel-1.1.23-2.el7dsrv.x86_64
redhat-idm-console-10.1.0-2.el7dsrv.x86_64
389-adminutil-1.1.23-2.el7dsrv.x86_64
389-ds-base-1.3.5.10-11.el7.x86_64
389-ds-console-1.2.15-1.el7dsrv.noarch
389-ds-console-doc-1.2.15-1.el7dsrv.noarch
redhat-idm-console-debuginfo-10.1.0-2.el7dsrv.x86_64
389-console-1.1.18-2.el7dsrv.noarch
389-admin-console-1.1.12-2.el7dsrv.noarch
389-admin-debuginfo-1.1.45-2.el7dsrv.x86_64
idm-console-framework-1.1.17-1.el7dsrv.noarch
389-ds-base-libs-1.3.5.10-11.el7.x86_64
389-admin-1.1.45-2.el7dsrv.x86_64


How reproducible:
Always

Steps to Reproduce:
1. In the DS Console, go to the Directory tab and set the access permission.
2. Create a new ACI.
3. In the Host tab, add an entry in the DNS host filter using an IPv4 or IPv6 address.


Additional info:
If we add the hostname in the IP address host filter, it shows the deny attribute.

Comment 1 Noriko Hosoi 2016-10-21 17:48:45 UTC
Reading the source code, only FQDN is supported for DNS.

/*    LASDnsMatch
 *    Given an array of fully-qualified dns names, tries to match them 
 *    against a given hash table.

Unfortunately, the doc does not mention it clearly, but it says "name" not "address".
13.1. Access Control Principles
For a specific location such as an IP address or a DNS name. 

I'd think this is an RFE not a defect.

And the product/component is RHEL/389-ds-base.

The priority is low.

Comment 2 Noriko Hosoi 2016-10-21 17:56:41 UTC
Ah, sorry, Kamlesh. You meant the other way?

Since the server ACL does not support IPv6 addr, Console should reject it?

If so, I agree it should.  But again it's not a regression and not urgent...

Set it to RHDS 10.2.
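
Added example, not code from 389-ds-base, the Directory Console, or anyone in this thread: a small Python checker that applies the rule stated in comment 1 to an ACI string. The server's `dns=` bind-rule keyword is matched against host names only, so an IPv4/IPv6 literal (as in findings 2 and 3 of the description) belongs under the `ip=` keyword instead, and a bare host name under `ip=` is the reverse mistake. The regex for a host clause, the host-name syntax check, and the sample ACIs (shortened from the report's, with `dc=example,dc=com` in place of the lab suffix) are assumptions made for this example; the wildcard and netmask spellings that `ip=` also accepts are deliberately left unvalidated.

```python
"""Check 389-ds / RHDS ACI host clauses for keyword/value mismatches.

Added example for bug 1387519, not project code. Assumed: a dns=/ip= clause
looks like keyword, optional spaces, = or !=, optional spaces, a quoted value.
"""
import ipaddress
import re

# One dns= / ip= host clause of an ACI bind rule (assumed syntax).
HOST_CLAUSE = re.compile(r'\b(dns|ip)\s*(!?=)\s*"([^"]*)"', re.IGNORECASE)

# A DNS label: 1-63 alphanumerics or hyphens (RFC 1123 host-name syntax).
LABEL = re.compile(r"[A-Za-z0-9-]{1,63}")


def classify_host_value(value):
    """Return 'ipv4', 'ipv6', 'fqdn' or 'other' for one host filter value.

    'other' covers the wildcard/netmask spellings ip= also accepts
    (e.g. "10.19.34.*"); they are not validated here.
    """
    v = value.strip()
    try:
        return "ipv4" if ipaddress.ip_address(v).version == 4 else "ipv6"
    except ValueError:
        pass
    labels = v.split(".")
    if labels and labels[0] == "*":          # dns= allows a leading wildcard label
        labels = labels[1:]
    if (len(labels) >= 2 and all(LABEL.fullmatch(l) for l in labels)
            and not labels[-1].isdigit()):   # an all-numeric top label is not a host name
        return "fqdn"
    return "other"


def check_aci(aci):
    """Return [(keyword, value, problem)] for host clauses whose keyword does not
    fit the value: an IP literal under dns= (what the Console let through in
    this bug) or a bare host name under ip=."""
    problems = []
    for keyword, _op, value in HOST_CLAUSE.findall(aci):
        keyword = keyword.lower()
        kind = classify_host_value(value)
        if keyword == "dns" and kind in ("ipv4", "ipv6"):
            problems.append((keyword, value,
                             f'{kind} literal under dns=; the server matches dns= '
                             f'against host names only, use ip="{value}"'))
        elif keyword == "ip" and kind == "fqdn":
            problems.append((keyword, value,
                             f'host name under ip=; use dns="{value}"'))
    return problems


def fix_aci(aci):
    """Return the ACI with each mismatched host clause moved to the right keyword."""
    def swap(match):
        keyword, op, value = match.group(1).lower(), match.group(2), match.group(3)
        kind = classify_host_value(value)
        if keyword == "dns" and kind in ("ipv4", "ipv6"):
            return f'ip{op}"{value}"'
        if keyword == "ip" and kind == "fqdn":
            return f'dns{op}"{value}"'
        return match.group(0)
    return HOST_CLAUSE.sub(swap, aci)


# Constructed sample ACIs, shortened from the ones in the report.
ACI_PREFIX = ('(targetattr = "telephoneNumber") '
              '(target = "ldap:///ou=People,dc=example,dc=com") '
              '(version 3.0; acl "test"; deny (all) '
              '(userdn = "ldap:///cn=test3,ou=People,dc=example,dc=com") and ')
ACI_FQDN = ACI_PREFIX + '(dns="qe-blade-01.example.com");)'
ACI_V4_UNDER_DNS = ACI_PREFIX + '(dns="10.19.34.71");)'
ACI_V6_UNDER_DNS = ACI_PREFIX + '(dns="2620:52:0:1322:221:5eff:fe20:316a");)'

if __name__ == "__main__":
    for aci in (ACI_FQDN, ACI_V4_UNDER_DNS, ACI_V6_UNDER_DNS):
        for keyword, value, problem in check_aci(aci):
            print(f"{keyword}={value!r}: {problem}")
            print("  fixed:", fix_aci(aci))
```

Run against an LDIF export of `aci` attributes, this flags exactly the ACIs from findings 2 and 3 and leaves finding 1 alone; the fixed form uses the same value under `ip=`, which is what the Console should have produced (or what it should have refused to save under the DNS host filter).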

