Full_Name: Stig Venaas
Version: openldap-2.0-gamma
OS: Linux
URL: http://www.venaas.priv.no/ipv6/openldap-2.0-gamma-daemon.c.diff
Submission from: (NULL) (158.38.60.92)

There is a problem with IPv6 and ACLs. Let me try to explain.

On an IPv6 enabled box, OpenLDAP will listen on an INET6 socket that also receives IPv4 connections. The IPv4 address of the peer is written as a so-called IPv4-mapped IPv6 address. If the address of the host is say 1.2.3.4, the result of inet_ntop will be ::ffff:1.2.3.4. Since people will have ACLs that check for peername and expect IP=1.2.3.4 rather than IP=::ffff:1.2.3.4 this is a potential security risk. The admin should perhaps know whether the host supports IPv6 or not, but still...

With this patch the peername that is checked for will be IP=1.2.3.4 regardless of IPv4 or IPv6 sockets.

Does anyone see problems with this or other issues with ACLs? I think this should go into 2.0 before it is released.

Stig
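The normalisation the report describes, as an added example that is not the submitted diff or slapd's own code: a peer address taken from an accepted socket is rendered as the "IP=..." peername string, and an IPv4-mapped IPv6 address is folded back to its plain IPv4 form before any ACL comparison. The function names `peername_from_sockaddr` and `peername_equals` are hypothetical; the sample addresses are constructed.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Render a peer address as the "IP=..." string an ACL peername check sees,
 * folding an IPv4-mapped IPv6 address (::ffff:a.b.c.d) back to plain IPv4.
 * Returns 0 on success, -1 on an unsupported family or formatting failure. */
int peername_from_sockaddr(const struct sockaddr *sa, char *out, size_t outlen)
{
    char addr[INET6_ADDRSTRLEN];
    const void *src;
    int af;
    if (sa->sa_family == AF_INET) {
        af = AF_INET;
        src = &((const struct sockaddr_in *)sa)->sin_addr;
    } else if (sa->sa_family == AF_INET6) {
        const struct in6_addr *a6 = &((const struct sockaddr_in6 *)sa)->sin6_addr;
        if (IN6_IS_ADDR_V4MAPPED(a6)) {
            af = AF_INET;
            src = &a6->s6_addr[12]; /* the IPv4 address sits in the last 4 bytes */
        } else {
            af = AF_INET6;
            src = a6;
        }
    } else {
        return -1;
    }
    if (inet_ntop(af, src, addr, sizeof addr) == NULL) return -1;
    return snprintf(out, outlen, "IP=%s", addr) < (int)outlen ? 0 : -1;
}

/* Test helper (hypothetical): parse `text` as an address of family `af`, wrap
 * it in the matching sockaddr, and return 1 if the peername equals `expected`. */
int peername_equals(int af, const char *text, const char *expected)
{
    struct sockaddr_storage ss;
    struct sockaddr_in *s4 = (struct sockaddr_in *)&ss;
    struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)&ss;
    void *dst = (af == AF_INET) ? (void *)&s4->sin_addr : (void *)&s6->sin6_addr;
    char out[64];
    memset(&ss, 0, sizeof ss);
    ss.ss_family = af;
    if (inet_pton(af, text, dst) != 1) return 0;
    if (peername_from_sockaddr((struct sockaddr *)&ss, out, sizeof out) != 0) return 0;
    return strcmp(out, expected) == 0;
}
```

Without the folding step, an ACL written as `peername=IP=1.2.3.4` silently fails to match the same client once it arrives over the INET6 listener, which is the mismatch the report calls out.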
changed notes changed state Open to Feedback moved from Incoming to Development
changed state Feedback to Closed
applied to devel