Issue 681 - Fix for problems with IPv6 and ACLs
Summary: Fix for problems with IPv6 and ACLs
Status: VERIFIED FIXED
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: slapd
Version: unspecified
Hardware: All All
: --- normal
Target Milestone: ---
Assignee: OpenLDAP project
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2000-08-24 11:01 UTC by venaas@openldap.org
Modified: 2014-08-01 21:05 UTC
Description venaas@openldap.org 2000-08-24 11:01:07 UTC
Full_Name: Stig Venaas
Version: openldap-2.0-gamma
OS: Linux
URL: http://www.venaas.priv.no/ipv6/openldap-2.0-gamma-daemon.c.diff
Submission from: (NULL) (158.38.60.92)


There is a problem with IPv6 and ACLs. Let me try to explain.
On an IPv6-enabled box, OpenLDAP will listen on an INET6 socket
that also receives IPv4 connections. The IPv4 address of the
peer is written as a so-called IPv4-mapped IPv6 address. If the
address of the host is, say, 1.2.3.4, the result of inet_ntop will
be ::ffff:1.2.3.4.

Since people will have ACLs that check for peername and expect
IP=1.2.3.4 rather than IP=::ffff:1.2.3.4 this is a potential
security risk. The admin should perhaps know whether the host
supports IPv6 or not, but still....

With this patch the peername that is checked for will be
IP=1.2.3.4 regardless of IPv4 or IPv6 sockets.

Does anyone see problems with this or other issues with ACLs?
I think this should go into 2.0 before it is released.

Stig
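
The mismatch described in the report above, as an added example (not the patch from the URL and not OpenLDAP code): the peername of an INET6 peer is formatted with and without collapsing the IPv4-mapped form, then compared to an ACL value. format_peername, demo_peername and the sample addresses are hypothetical names and constructed inputs, and the peername is simplified to "IP=<address>".

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Format "IP=<addr>" for a peer accepted on an AF_INET6 socket. With
 * normalize != 0, an IPv4-mapped address (::ffff:a.b.c.d) is printed as
 * plain dotted-quad IPv4 so it matches ACLs written for IPv4 peers. */
static int format_peername(const struct sockaddr_in6 *sin6, int normalize,
                           char *out, size_t outlen)
{
    char addr[INET6_ADDRSTRLEN];

    if (normalize && IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
        struct in_addr v4;
        /* The IPv4 address is the last 4 of the 16 address bytes. */
        memcpy(&v4, &sin6->sin6_addr.s6_addr[12], sizeof v4);
        if (inet_ntop(AF_INET, &v4, addr, sizeof addr) == NULL)
            return -1;
    } else if (inet_ntop(AF_INET6, &sin6->sin6_addr, addr, sizeof addr) == NULL) {
        return -1;
    }
    int n = snprintf(out, outlen, "IP=%s", addr);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Demo helper: parse a textual IPv6 peer address, return its peername
 * (static buffer, overwritten by the next call) or NULL on error. */
static const char *demo_peername(const char *text, int normalize)
{
    static char buf[INET6_ADDRSTRLEN + 4];
    struct sockaddr_in6 sin6;

    memset(&sin6, 0, sizeof sin6);
    sin6.sin6_family = AF_INET6;
    if (inet_pton(AF_INET6, text, &sin6.sin6_addr) != 1)
        return NULL;
    return format_peername(&sin6, normalize, buf, sizeof buf) == 0 ? buf : NULL;
}

int main(void)
{
    const char *peer = "::ffff:1.2.3.4";   /* constructed sample peer */
    const char *acl = "IP=1.2.3.4";        /* value an IPv4-era ACL expects */
    for (int normalize = 0; normalize <= 1; normalize++) {
        const char *name = demo_peername(peer, normalize);
        printf("normalize=%d peername=%s acl_match=%s\n", normalize,
               name ? name : "(error)", name && strcmp(name, acl) == 0 ? "yes" : "no");
    }
    return 0;
}
```

Native IPv6 peers pass through unchanged; only the ::ffff:0:0/96 mapped range is rewritten.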
Comment 1 Kurt Zeilenga 2000-08-24 14:13:50 UTC
changed notes
changed state Open to Feedback
moved from Incoming to Development
Comment 2 Kurt Zeilenga 2000-09-01 11:55:12 UTC
changed state Feedback to Closed
Comment 3 OpenLDAP project 2014-08-01 21:05:27 UTC
applied to devel