[Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin
Nathaniel McCallum
npmccallum at redhat.com
Sat Sep 20 19:39:48 UTC 2014
On Sat, 2014-09-20 at 00:25 +0200, thierry bordaz wrote:
> Hello Nathaniel,
>
> sanitize_input translates MOD/REPLACE into MOD/DEL+MOD/ADD. It
> looks good but difficult to think to all possible cases.
> I think to the following corner case:
> The initial entry has ipatokenHOTPcounter=5
> ldapmodify..
> changetype: modify
> add: ipatokenHOTPcounter
> ipatokenHOTPcounter: 6
> -
> replace: ipatokenHOTPcounter
> ipatokenHOTPcounter: 7
>
> It translates
> add: 6
> del: 5
> add: 7
>
> This operation will fail because ipatokenHOTPcounter is
> single-valued although IMHO it should succeed.
No. It should fail. There can only ever be one ipatokenHOTPcounter.
> This is a so special operation that is may not really be a
> concern.
+1
> It is important that attribute are single valued. The
> replication changelog will replicated MOD/DEL + MOD/ADD for a
> MOD/REPL.
> That means that if the attributes are updated on several
> masters, the number of values can likely increase. Where for
> single value it should only keep the most recent value.
That is a concern, at least for now. Eventually we won't use replication
for this at all. But for now, we will.
Here is the problem I foresee. You have two servers: A and B.
The user authenticates on A. This triggers a MOD/DEL(0)+MOD/ADD(1).
Replication is sent to server B.
Before the replication is performed on server B, the user authenticates
with the next token. This triggers a MOD/DEL(0)+MOD/ADD(2). Replication
is sent to server A. This replication will fail because A has a value of
1, not a value of 0.
The end result is that there will be different values for
ipatokenHOTPcounter on the two different servers. A will have 1 and B
will have 2. Once this happens, the replications can never reconcile
(this is a big problem). I see two options here, both theoretical.
Option #1 is to hook 389 in a different place: before the mods are
performed by after the replication changelog is generated.
Alternatively, we could insert a hook after the replication changelog is
generated, but before it is sent. We could consolidate the MOD/DEL
+MOD/ADD here into a single MOD/REPLACE operation.
Option #2 is to have some way to translate the MOD/REPLACE(X) into a
MOD/DEL(<=X)+MOD/ADD(X).
Are either of these possible? Is there another option?
Nathaniel
More information about the Freeipa-devel
mailing list