Bug 1807537 - wildcards in rootdn-allow-ip attribute are not accepted
Summary: wildcards in rootdn-allow-ip attribute are not accepted
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: mreynolds
QA Contact: RHDS QE
Docs Contact: Marc Muehlfeld
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-02-26 15:08 UTC by mreynolds
Modified: 2020-09-29 19:48 UTC

Fixed In Version: 389-ds-base-1.3.10.2-2.el7
Doc Type: Bug Fix
Doc Text:
.Directory Server no longer rejects wildcards in the `rootdn-allow-ip` and `rootdn-deny-ip` parameters

Previously, when an administrator tried to set a wildcard in the `rootdn-allow-ip` or `rootdn-deny-ip` parameters in the `cn=RootDN Access Control Plugin,cn=plugins,cn=config` entry, Directory Server rejected the value. With this update, you can use wildcards when specifying allowed or denied IP addresses in the mentioned parameters.
Clone Of:
Environment:
Last Closed: 2020-09-29 19:46:56 UTC
Target Upstream Version:
Embargoed:




Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Github | 389ds 389-ds-base issues 3854 | 0 | None | closed | wildcards in rootdn-allow-ip attribute are not accepted | 2020-10-01 19:43:40 UTC |
| Red Hat Product Errata | RHBA-2020:3894 | 0 | None | None | None | 2020-09-29 19:48:24 UTC |

Description mreynolds 2020-02-26 15:08:59 UTC
This bug is created as a clone of upstream ticket:
https://pagure.io/389-ds-base/issue/50800

#### Issue Description
Attempting to use a wildcard in the rootdn-allow-ip attribute of the rootdn_access plugin causes the server to fail to start:

~~~~
ERR - rootdn-access-control-plugin - rootdn_load_config - IP address contains invalid characters (127.*), skipping
ERR - rootdn-access-control-plugin - rootdn_init - Unable to load plug-in configuration
ERR - plugin_setup - Init function "rootdn_init" for "RootDN Access Control" plugin in library "librootdn-access-plugin" failed
ERR - load_plugin_entry - Unable to load plugin "cn=RootDN Access Control,cn=plugins,cn=config"
~~~~

The use of wildcards is [documented](https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/configuration_command_and_file_reference/rootdn_plug_in_attributes#rootdn-allow-ip) and was allowed when the plugin was originally added, but the changes in #48027 unintentionally broke the parsing of values containing a `*`.
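
An added example, not 389-ds-base code and not part of the ticket: a character check that rejects `*` the way the log line above reports, its wildcard-accepting form, and how an accepted pattern is then applied to a client address. All function names and sample values are hypothetical, and the deny-before-allow policy is an assumption of this example.

```c
#include <ctype.h>
#include <stdio.h>

/* Character check for one rootdn-allow-ip / rootdn-deny-ip value.
 * allow_wildcard = 0 reproduces the rejection of "127.*" in the log above;
 * allow_wildcard = 1 accepts the documented wildcard form. */
int ip_value_valid(const char *s, int allow_wildcard)
{
    if (s == NULL || *s == '\0') return 0;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (isxdigit(c) || c == '.' || c == ':' || (c == '*' && allow_wildcard))
            continue;               /* IPv4/IPv6 literal characters, optional '*' */
        return 0;
    }
    return 1;
}

/* String glob: '*' matches any run of characters; comparison ignores case. */
int ip_glob_match(const char *pat, const char *ip)
{
    const char *star = NULL, *resume = NULL;
    while (*ip) {
        if (*pat == '*') { star = pat++; resume = ip; }
        else if (tolower((unsigned char)*pat) == tolower((unsigned char)*ip)) { pat++; ip++; }
        else if (star) { pat = star + 1; ip = ++resume; }   /* backtrack to last '*' */
        else return 0;
    }
    while (*pat == '*') pat++;
    return *pat == '\0';
}

/* Assumed policy: a deny match wins; an empty allow list permits any IP. */
int rootdn_ip_permitted(const char *ip, const char **allow, const char **deny)
{
    size_t i;
    for (i = 0; deny && deny[i]; i++)
        if (ip_glob_match(deny[i], ip)) return 0;
    if (!allow || !allow[0]) return 1;
    for (i = 0; allow[i]; i++)
        if (ip_glob_match(allow[i], ip)) return 1;
    return 0;
}

/* Constructed sample values, NULL-terminated. */
const char *SAMPLE_ALLOW[] = { "127.*", "192.168.1.*", NULL };
const char *SAMPLE_DENY[]  = { "192.168.1.66", NULL };

int main(void)
{
    printf("192.168.1.10 permitted: %d\n",
           rootdn_ip_permitted("192.168.1.10", SAMPLE_ALLOW, SAMPLE_DENY));
    return 0;
}
```

Because this matcher works on the string, a pattern such as `10.1*` also covers `10.100.0.1`; ending the prefix at a dot (`10.1.*`) keeps it on an octet boundary.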

Comment 5 Viktor Ashirov 2020-04-29 12:12:44 UTC
~~~~
============================= test session starts =============================
platform linux -- Python 3.6.8, pytest-5.4.1, py-1.8.1, pluggy-0.13.1 -- /usr/bin/python3
cachedir: .pytest_cache
389-ds-base: 1.3.10.2-2.el7
nss: 3.44.0-5.el7
nspr: 4.21.0-1.el7
openldap: 2.4.44-21.el7_6
cyrus-sasl: 2.1.26-23.el7
FIPS: disabled
rootdir: /workspace/ds/dirsrvtests, inifile: pytest.ini
collected 9 items

dirsrvtests/tests/suites/plugins/rootdn_plugin_test.py::test_rootdn_access_specific_time PASSED [ 11%]
dirsrvtests/tests/suites/plugins/rootdn_plugin_test.py::test_rootdn_access_day_of_week PASSED [ 22%]
dirsrvtests/tests/suites/plugins/rootdn_plugin_test.py::test_rootdn_access_denied_ip PASSED [ 33%]
dirsrvtests/tests/suites/plugins/rootdn_plugin_test.py::test_rootdn_access_denied_host PASSED [ 44%]
dirsrvtests/tests/suites/plugins/rootdn_plugin_test.py::test_rootdn_access_allowed_ip PASSED [ 55%]
dirsrvtests/tests/suites/plugins/rootdn_plugin_test.py::test_rootdn_access_allowed_host PASSED [ 66%]
dirsrvtests/tests/suites/plugins/rootdn_plugin_test.py::test_rootdn_config_validate PASSED [ 77%]
dirsrvtests/tests/suites/plugins/rootdn_plugin_test.py::test_rootdn_access_denied_ip_wildcard PASSED [ 88%]
dirsrvtests/tests/suites/plugins/rootdn_plugin_test.py::test_rootdn_access_allowed_ip_wildcard PASSED [100%]

============================= 9 passed in 12.54s ==============================
~~~~

Marking as VERIFIED

Comment 9 errata-xmlrpc 2020-09-29 19:46:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (389-ds-base bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3894

