OUD11g - ACI to Deny Access for Both IPv4 and IPv6 Addresses Does Not Work Correctly (Doc ID 2217980.1)

Last updated on JANUARY 30, 2017

Applies to:

Oracle Unified Directory - Version 11.1.2.3.160719 and later
Information in this document applies to any platform.

Symptoms

The following ACI is defined in an attempt to deny access to both IPv4 and IPv6 client addresses. However, the clients are not denied access, and LDAP search results are returned to them.

For example:

aci: (target = "ldap:///dc=example,dc=com")(targetattr = "*")(targetscope = "subtree")(version 3.0; acl "ACI access N1"; allow (read,search,compare)(userdn = "ldap:///dc=example,dc=com??sub?(|(uid=*)(cn=*))" and (ip !="10.188.145.0+255.255.252.0") or (ip !="[2606:b400:c20:3844:20c:29ff:fe68:2393]"));)

In the above example, the following clients exist in the IPv4 and IPv6 network environments.

For example:

Client1: test1.jp.oracle.com
IPv4 address: 10.188.145.92

Client2: test2.jp.oracle.com
IPv6 address: 2606:b400:c20:3844:20c:29ff:fe68:2393
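
Added example (not part of the Oracle note and not OUD code): a Python model of the boolean structure of the bind rule above, evaluated for Client1 and Client2. It assumes the rule groups as (userdn and ip != v4) or (ip != v6), which both and-before-or precedence and strict left-to-right evaluation produce; the function names and the outside address 192.0.2.10 are constructed for illustration.

```python
import ipaddress

# Patterns copied from the ACI on this page: "address+netmask" and an IPv6 literal.
V4_NET = ipaddress.ip_network("10.188.145.0/255.255.252.0", strict=False)
V6_ADDR = ipaddress.ip_address("2606:b400:c20:3844:20c:29ff:fe68:2393")


def ip_matches(client, pattern):
    """True when client falls under pattern; address families never cross-match."""
    if isinstance(pattern, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
        return client.version == pattern.version and client in pattern
    return client == pattern


def as_written(client_ip, userdn_ok=True):
    """userdn and (ip != v4) or (ip != v6): the expression as it appears in the ACI."""
    client = ipaddress.ip_address(client_ip)
    not_v4 = not ip_matches(client, V4_NET)
    not_v6 = not ip_matches(client, V6_ADDR)
    # One address cannot match both patterns, so not_v4 and not_v6 are never
    # both False and the trailing "or" term lets every client through.
    return (userdn_ok and not_v4) or not_v6


def both_required(client_ip, userdn_ok=True):
    """Boolean form of the stated intent: allow only if outside BOTH patterns.

    Illustrates the logic only; it is not a tested OUD ACI string.
    """
    client = ipaddress.ip_address(client_ip)
    return (userdn_ok
            and not ip_matches(client, V4_NET)
            and not ip_matches(client, V6_ADDR))


def evaluate():
    """Allow/deny outcome per client under each form of the expression."""
    clients = {
        "Client1": "10.188.145.92",                          # from the page
        "Client2": "2606:b400:c20:3844:20c:29ff:fe68:2393",  # from the page
        "outside": "192.0.2.10",                             # constructed
    }
    return {name: (as_written(ip), both_required(ip)) for name, ip in clients.items()}


if __name__ == "__main__":
    for name, (written, intended) in evaluate().items():
        print(f"{name}: as written allow={written}, both required allow={intended}")
```

With this grouping the final `or` term is also outside the `userdn` condition, so `as_written` returns an allow for an IPv4 client even when the userdn test fails.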

Cause
