
Fix for problems with IPv6 and ACLs (ITS#681)



Full_Name: Stig Venaas
Version: openldap-2.0-gamma
OS: Linux
URL: http://www.venaas.priv.no/ipv6/openldap-2.0-gamma-daemon.c.diff
Submission from: (NULL) (158.38.60.92)


There is a problem with IPv6 and ACLs. Let me try to explain.
On an IPv6 enabled box, OpenLDAP will listen on an INET6 socket
that also receives IPv4 connections. The IPv4 address of the
peer is written as a so-called IPv4-mapped IPv6 address. If the
address of the host is say 1.2.3.4, the result of inet_ntop will
be ::ffff:1.2.3.4.

Since people will have ACLs that check for peername and expect
IP=1.2.3.4 rather than IP=::ffff:1.2.3.4 this is a potential
security risk. The admin should perhaps know whether the host
supports IPv6 or not, but still....

With this patch the peername that is checked for will be
IP=1.2.3.4 regardless of IPv4 or IPv6 sockets.

Does anyone see problems with this or other issues with ACLs?
I think this should go into 2.0 before it is released.

Stig
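As an added illustration of the normalization the report describes (this is example code written for this page, not the patch at the URL above and not OpenLDAP's daemon.c; the function names peername_ip, make_peer and normalize_peer, and the sample peers, are constructed here): a peer address taken from accept() on an INET6 socket is unwrapped when it is IPv4-mapped, so the ACL string seen for host 1.2.3.4 is IP=1.2.3.4 on both socket types.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Format the peer address in sa as "IP=<addr>" into buf.  An AF_INET6
 * peer whose address is IPv4-mapped (::ffff:a.b.c.d) is written as the
 * embedded IPv4 address a.b.c.d, so an ACL written for IPv4 peers matches
 * whether the listener is an INET or an INET6 socket.
 * Returns buf on success, NULL on an unsupported family or a short buffer. */
static const char *peername_ip(const struct sockaddr *sa, char *buf, size_t len)
{
    char addr[INET6_ADDRSTRLEN];
    const void *src;
    int af;

    switch (sa->sa_family) {
    case AF_INET:
        af = AF_INET;
        src = &((const struct sockaddr_in *)sa)->sin_addr;
        break;
    case AF_INET6: {
        const struct in6_addr *a6 = &((const struct sockaddr_in6 *)sa)->sin6_addr;
        if (IN6_IS_ADDR_V4MAPPED(a6)) {
            /* IPv4-mapped: 80 zero bits, 16 one bits, then the IPv4
             * address in the last four octets. */
            af = AF_INET;
            src = &a6->s6_addr[12];
        } else {
            af = AF_INET6;
            src = a6;
        }
        break;
    }
    default:
        return NULL;
    }
    if (inet_ntop(af, src, addr, sizeof addr) == NULL)
        return NULL;
    if (snprintf(buf, len, "IP=%s", addr) >= (int)len)
        return NULL;
    return buf;
}

/* Helper for the example: build a sockaddr from its text form, standing in
 * for what accept() fills in on a real connection (constructed input).
 * Returns 0 on success, -1 if text is not an IPv4 or IPv6 address. */
static int make_peer(const char *text, struct sockaddr_storage *ss)
{
    struct sockaddr_in *s4 = (struct sockaddr_in *)ss;
    struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)ss;

    memset(ss, 0, sizeof *ss);
    if (inet_pton(AF_INET, text, &s4->sin_addr) == 1) {
        s4->sin_family = AF_INET;
        return 0;
    }
    if (inet_pton(AF_INET6, text, &s6->sin6_addr) == 1) {
        s6->sin6_family = AF_INET6;
        return 0;
    }
    return -1;
}

/* Text address in, normalized "IP=..." string out.
 * Returns 0 on success, -1 if the input is not an address. */
static int normalize_peer(const char *text, char *buf, size_t len)
{
    struct sockaddr_storage ss;

    if (make_peer(text, &ss) != 0)
        return -1;
    return peername_ip((const struct sockaddr *)&ss, buf, len) ? 0 : -1;
}

int main(void)
{
    /* Constructed peers: the same IPv4 host as seen on an INET socket and as
     * an IPv4-mapped address on an INET6 socket, plus a native IPv6 peer. */
    const char *peers[] = { "1.2.3.4", "::ffff:1.2.3.4", "2001:db8::1" };
    char buf[64];
    size_t i;

    for (i = 0; i < sizeof peers / sizeof peers[0]; i++) {
        if (normalize_peer(peers[i], buf, sizeof buf) == 0)
            printf("%-16s -> %s\n", peers[i], buf);
        else
            printf("%-16s -> (not an address)\n", peers[i]);
    }
    return 0;
}
```

The check to make when reviewing a fix of this kind is the third case: a native IPv6 peer must still come out in IPv6 form, and only the ::ffff: prefix is stripped, otherwise an ACL could be matched by an address it was never written for. The other option, if a deployment does not want IPv4 connections arriving on the INET6 socket at all, is to set IPV6_V6ONLY on that socket and listen on a separate INET socket; that sidesteps mapped addresses entirely but is a listener configuration choice, not a substitute for normalizing what the ACL code compares.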