Fix for problems with IPv6 and ACLs (ITS#681)
Full_Name: Stig Venaas
Submission from: (NULL) (220.127.116.11)
There is a problem with IPv6 and ACLs. Let me try to explain.
On an IPv6-enabled box, OpenLDAP will listen on an INET6 socket
that also receives IPv4 connections. The IPv4 address of the
peer is written as a so-called IPv4-mapped IPv6 address. If the
address of the host is say 18.104.22.168, the result of inet_ntop will
Since people will have ACLs that check for peername and expect
IP=22.214.171.124 rather than IP=::ffff:126.96.36.199, this is a potential
security risk. The admin should perhaps know whether the host
supports IPv6 or not, but still....
With this patch the peername that is checked for will be
IP=188.8.131.52 regardless of IPv4 or IPv6 sockets.
Does anyone see problems with this or other issues with ACLs?
I think this should go into 2.0 before it is released.
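
The normalization described in this message, as an added example: it is not the patch submitted with ITS#681 and not OpenLDAP code. The helper names `format_peername` and `peername_from_text` are hypothetical, and 192.0.2.10 and 2001:db8::1 are constructed sample addresses.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical helper (not an OpenLDAP function): write "IP=<addr>" for a peer,
 * collapsing an IPv4-mapped IPv6 address to dotted-quad form. 0 on success. */
int format_peername(const struct sockaddr *sa, char *out, size_t outlen)
{
    char addr[INET6_ADDRSTRLEN];
    if (sa->sa_family == AF_INET) {
        const struct sockaddr_in *sin = (const struct sockaddr_in *)sa;
        if (!inet_ntop(AF_INET, &sin->sin_addr, addr, sizeof(addr)))
            return -1;
    } else if (sa->sa_family == AF_INET6) {
        const struct sockaddr_in6 *sin6 = (const struct sockaddr_in6 *)sa;
        if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
            /* ::ffff:a.b.c.d keeps the IPv4 address in the last 4 bytes. */
            struct in_addr v4;
            memcpy(&v4, &sin6->sin6_addr.s6_addr[12], sizeof(v4));
            if (!inet_ntop(AF_INET, &v4, addr, sizeof(addr)))
                return -1;
        } else if (!inet_ntop(AF_INET6, &sin6->sin6_addr, addr, sizeof(addr))) {
            return -1;
        }
    } else {
        return -1;
    }
    int n = snprintf(out, outlen, "IP=%s", addr);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0; /* reject truncation */
}

/* Constructed input: build the sockaddr an INET6 listener would report. */
int peername_from_text(const char *text6, char *out, size_t outlen)
{
    struct sockaddr_in6 sin6;
    memset(&sin6, 0, sizeof(sin6));
    sin6.sin6_family = AF_INET6;
    if (inet_pton(AF_INET6, text6, &sin6.sin6_addr) != 1)
        return -1;
    return format_peername((const struct sockaddr *)&sin6, out, outlen);
}

int main(void)
{
    char buf[64];
    return peername_from_text("::ffff:192.0.2.10", buf, sizeof(buf)) == 0 ? puts(buf) == EOF : 1;
}
```

Truncated output is treated as an error so that a shortened peername is never handed to an ACL comparison.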