[Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin

Simo Sorce simo at redhat.com
Fri Sep 19 22:46:31 UTC 2014


On Sat, 20 Sep 2014 00:25:34 +0200
thierry bordaz <tbordaz at redhat.com> wrote:

> Hello Nathaniel,
> 
>     sanitize_input translates MOD/REPLACE into MOD/DEL+MOD/ADD. It
> looks good, but it is difficult to think of all possible cases.
>     I think of the following corner case:
>     The initial entry has ipatokenHOTPcounter=5
>     ldapmodify..
>     changetype: modify
>     add: ipatokenHOTPcounter
>     ipatokenHOTPcounter: 6
>     -
>     replace: ipatokenHOTPcounter
>     ipatokenHOTPcounter: 7
> 
>     It translates
>     add: 6
>     del: 5
>     add: 7
> 
>     This operation will fail because ipatokenHOTPcounter is
>     single-valued, although IMHO it should succeed.
>     This is such a special operation that it may not really be a
> concern.
> 
>     It is important that attributes are single-valued. The replication
>     changelog will replicate MOD/DEL + MOD/ADD for a MOD/REPL.
>     That means that if the attributes are updated on several masters,
>     the number of values can likely increase, whereas for a single-valued
> attribute it should only keep the most recent value.

Hi Thierry, this behavior is actually intentional: we want to fail
the operation if someone else updates the counter, because it means a
replay attack has happened.

We will not replicate the counters via normal replication, because it
would be too much traffic anyway; we have drafted a plan to use a
special plugin to handle multi-master updates specific to OTPs and
their requirements.
See:
http://www.freeipa.org/page/V4/OTP_Replay_Prevention#Replication_Counter_Race


Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
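As an added illustration of the MOD/REPLACE rewrite and the two failure modes discussed in this thread (Thierry's single-valued corner case, and a MOD/DEL of a counter value that has already moved on), here is a constructed Python model; it is not the plugin's code, and the function names, the in-memory entry and the schema set are assumptions.

```python
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]
Mod = Tuple[str, str, List[str]]          # (op, attribute, values)
SINGLE_VALUED = {"ipatokenHOTPcounter"}   # schema constraint assumed for the model


def sanitize_input(entry: Entry, mods: List[Mod]) -> List[Mod]:
    """Rewrite each MOD/REPLACE into MOD/DEL of the value(s) the originating
    server holds now, followed by MOD/ADD of the new value(s). Other mods pass
    through unchanged, so an earlier MOD/ADD in the same request is not folded in."""
    out: List[Mod] = []
    for op, attr, values in mods:
        if op == "replace":
            if entry.get(attr):
                out.append(("delete", attr, list(entry[attr])))
            out.append(("add", attr, list(values)))
        else:
            out.append((op, attr, list(values)))
    return out


def apply_mods(entry: Entry, mods: List[Mod]) -> Tuple[bool, Entry]:
    """Apply already-sanitized mods with LDAP semantics: deleting an absent value
    fails, and single-valued attributes are checked after all mods are applied."""
    new: Entry = {k: list(v) for k, v in entry.items()}
    for op, attr, values in mods:
        cur = new.setdefault(attr, [])
        if op == "add":
            cur.extend(values)
        elif op == "delete":
            if any(v not in cur for v in values):
                return False, entry      # value already gone: operation rejected
            for v in values:
                cur.remove(v)
    if any(len(new.get(a, [])) > 1 for a in SINGLE_VALUED):
        return False, entry              # schema violation: operation rejected
    return True, new


def counter_scenarios() -> Dict[str, bool]:
    start: Entry = {"ipatokenHOTPcounter": ["5"]}
    # 1. Thierry's corner case: add 6 then replace with 7 in one request.
    corner = sanitize_input(start, [("add", "ipatokenHOTPcounter", ["6"]),
                                    ("replace", "ipatokenHOTPcounter", ["7"])])
    # 2. The normal step: replace 5 with 6, which becomes del 5 / add 6.
    step = sanitize_input(start, [("replace", "ipatokenHOTPcounter", ["6"])])
    ok, advanced = apply_mods(start, step)
    # 3. The same del 5 / add 6 arriving again (e.g. replicated from another
    #    master after counter 5 was already consumed here) is rejected.
    return {"corner_case": apply_mods(start, corner)[0],
            "normal_step": ok,
            "second_use": apply_mods(advanced, step)[0]}
```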



