
access control problem (was Re: conserver-8.0.5 is available)

Bryan Stansell bryan@conserver.com
Sat, 1 Nov 2003 05:38:17 -0800 (PST)


On Fri, Oct 31, 2003 at 06:14:01PM -0500, Michael Dolan wrote:
> Recently upgraded to 8.0.4 (and now 8.0.5) from 7.2.7 and cannot get
> acls for host access control to work properly. Configured with
> --with-trustrevdns and specifying the domain names in conserver.cf,
> but only get error (and refused connections). FQDN and IPaddrs work
> fine. The conserver host can reverse lookup the FQDN properly.

well, sounds like you're doing the right thing.  --with-trustrevdns
is necessary for it to work at all.  if you run in debug mode and grep
out all the messages with AccType, we'd be able to see what it's doing
and why it isn't allowing the connection (a bit better).

i do realize there's a problem with the logic used, and maybe that's the
issue.  if you have a 'rejected' acl, that happens to match, after the
domain acl, the reject acl will be processed before the domain acl and
you'd get rejected.  things need to be adjusted so that all acls are
processed in order - i goofed and didn't realize the impact when
removing the reverse dns trust bits and then adding them back.

but, the debug info would tell us what's going on.

but
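
An added example, not part of the original message and not conserver's code: a simplified C model of the ordering problem described above, comparing an evaluator that tries one class of ACL before another with one that honors configuration order. The types, function names, the address-before-domain pass order, the default-deny fallback and the sample entries are all assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Simplified model for illustration; not conserver's data structures. */
typedef enum { ACL_ALLOW, ACL_REJECT } acl_action;
typedef enum { PAT_ADDR, PAT_DOMAIN } acl_kind;
typedef struct { acl_action action; acl_kind kind; const char *pattern; } acl_entry;

/* PAT_ADDR: exact address. PAT_DOMAIN: case-insensitive suffix on a label boundary. */
static int entry_matches(const acl_entry *e, const char *ip, const char *host) {
    if (e->kind == PAT_ADDR) return strcmp(e->pattern, ip) == 0;
    size_t hl = strlen(host), pl = strlen(e->pattern);
    if (pl == 0 || hl < pl) return 0;
    for (size_t i = 0; i < pl; i++)
        if (tolower((unsigned char)host[hl - pl + i]) != tolower((unsigned char)e->pattern[i]))
            return 0;
    return hl == pl || host[hl - pl - 1] == '.';
}

/* Assumed buggy order: all address entries are tried before any domain entry. */
static acl_action eval_two_pass(const acl_entry *acl, size_t n, const char *ip, const char *host) {
    for (int pass = PAT_ADDR; pass <= PAT_DOMAIN; pass++)
        for (size_t i = 0; i < n; i++)
            if ((int)acl[i].kind == pass && entry_matches(&acl[i], ip, host))
                return acl[i].action;
    return ACL_REJECT; /* no match: deny (assumed default) */
}

/* Intended order: the first matching entry in configuration order decides. */
static acl_action eval_in_order(const acl_entry *acl, size_t n, const char *ip, const char *host) {
    for (size_t i = 0; i < n; i++)
        if (entry_matches(&acl[i], ip, host)) return acl[i].action;
    return ACL_REJECT; /* no match: deny (assumed default) */
}

/* Constructed sample: domain allow listed first, address reject listed second. */
static const acl_entry sample_acl[] = {
    { ACL_ALLOW,  PAT_DOMAIN, "example.com" },
    { ACL_REJECT, PAT_ADDR,   "192.0.2.10"  },
};

int main(void) {
    const char *ip = "192.0.2.10", *host = "ws1.example.com"; /* host = reverse-DNS result */
    printf("two-pass: %s\n", eval_two_pass(sample_acl, 2, ip, host) == ACL_ALLOW ? "allow" : "reject");
    printf("in-order: %s\n", eval_in_order(sample_acl, 2, ip, host) == ACL_ALLOW ? "allow" : "reject");
    return 0;
}
```

In this model the same client is rejected by the two-pass evaluator and allowed by the in-order one, which is the kind of divergence the debug output filtered on AccType would make visible.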