Hello.
Version: CDS 8.2 i386
Setup: User authentication using Host Access Permissions.
Issue:
When a client has multiple hostnames in DNS the LDAP gets confused because nslookup returns multiple DNS entries for the same client IP. These entries rotate in the output of nslookup, thus causing logins to be denied. Should LDAP scrape the nslookup output for the hostname?
ReCreate:
From the Console add a user and enable Posix user Attributes. Right click on the new user and select "Set Access Permissions...". Create new entry and under the "Hosts" tab Add the "DNS host filter:"
*Make sure the host has multiple entries in DNS and that they rotate when doing an nslookup on the IP.
Moving this to the 1.3.0.a1 milestone. It would be nice to add support for IPv6 addresses in ACI's at the same time since we'll be in the same area of code.
set default ticket origin to Community
Added initial screened field value.
Bug description: DNS keyword in ACI only accepted an FQDN returned from gethostbyaddr. If an alias hostname was set in an ACI, a request sent from the host was treated as the one from the primary hostname and it failed to get the expected access rights.
Fix description: This patch is turning a keyword "dnsalias" public. In addition to the primary hostname, by setting the secondary host- names as dnsalias, clients requests would obtain the expected access rights. When an IP address is associated with multiple hostnames (primary: hostA, aliases: hostB and hostC), they could be listed, for instance, in an aci as follows: {{{ aci: (targetattr = "*") (version 3.0;acl "dnsalias example";allow (all) dns="hostA.example.com" or dnsalias="hostB.example.com" or dnslias= "hostC.example.com";) }}}
git patch file (master) 0001-Trac-Ticket-311-IP-lookup-failing-with-multiple-DNS-.patch
Do we really need a new aci keyword? Can't we just use the existing "dns" to mean "dns fqdn and any aliases"?
Thanks for your comments, Rich and Ludwig!
Actually, dnsalias is not a new keyword. It's been implemented in lib/libaccess/lasdns.cpp for a long time. I'm just proposing to use it (and replacing the obsolete NSPR API (PR_GetHostByAddr) with the new one (PR_GetAddrInfoByName).
The difference between "dns" and "dnsalias" is if the FQDN specified as dns is not found in the DNS hashtable, it fails there. If it is dnsalias, it's converted to IP address then converted back to the primary FQDN, then look up in the hash table. The process could be slow if just to find out it's not in the hash table...
By setting 1 to aliasflg for "dns", it enables the dns hostname fallback to the alias hostname. {{{ - if (strcmp(attr_name, "dns") == 0) - aliasflg = 0; - else if (strcmp(attr_name, "dnsalias") == 0) - aliasflg = 1; - else { - nserrGenerate(errp, ACLERRINVAL, ACLERR4800, ACL_Program, 2, XP_GetAdmin - return LAS_EVAL_INVALID; + if (strcmp(attr_name, "dns") == 0) { + / Enable aliasflg for "dns", which allows "dns" hostname to look up + * DSN hash table using the primary hostname. / + aliasflg = 1; + } else if (strcmp(attr_name, "dnsalias") == 0) { + aliasflg = 1; + } else { + nserrGenerate(errp, ACLERRINVAL, ACLERR4800, ACL_Program, 2, XP_GetAdmi + return LAS_EVAL_INVALID; } }}} I'm adding a new patch next...
git patch file (master) - take 2 0001-Trac-Ticket-311-IP-lookup-failing-with-multiple-DNS.patch
Reviewed by Rich (Thank you!!)
Pushed to master.
commit 8a9684f
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=918697
Metadata Update from @nkinder: - Issue assigned to nhosoi - Issue set to the milestone: 1.3.0.rc1
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/311
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: Fixed)
Login to comment on this ticket.