[Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin

Nathaniel McCallum npmccallum at redhat.com
Sat Sep 20 19:40:27 UTC 2014


On Fri, 2014-09-19 at 18:46 -0400, Simo Sorce wrote:
> On Sat, 20 Sep 2014 00:25:34 +0200
> thierry bordaz <tbordaz at redhat.com> wrote:
> 
> > Hello Nathaniel,
> > 
> >     sanitize_input translates MOD/REPLACE into MOD/DEL+MOD/ADD. It
> > looks good but it is difficult to think of all possible cases.
> >     I am thinking of the following corner case:
> >     The initial entry has ipatokenHOTPcounter=5
> >     ldapmodify..
> >     changetype: modify
> >     add: ipatokenHOTPcounter
> >     ipatokenHOTPcounter: 6
> >     -
> >     replace: ipatokenHOTPcounter
> >     ipatokenHOTPcounter: 7
> > 
> >     It translates
> >     add: 6
> >     del: 5
> >     add: 7
> > 
> >     This operation will fail because ipatokenHOTPcounter is
> >     single-valued although IMHO it should succeed.
> >     This is such a special operation that it may not really be a
> > concern.
> > 
> >     It is important that attributes are single-valued. The replication
> >     changelog will replicate MOD/DEL + MOD/ADD for a MOD/REPL.
> >     That means that if the attributes are updated on several masters,
> >     the number of values can likely increase. Where for single value
> > it should only keep the most recent value.
> 
> Hi thierry, this behavior is actually intentional, and we want to fail
> the operation if someone else updates the counter because it means a
> replay attack has happened.

+1

> We will not replicate the counters via normal replication, because it
> would be too much traffic anyway, we have drafted a plan to use a
> special plugin to handle multi-master updates specific for OTPs and
> their requirements.
> See:
> http://www.freeipa.org/page/V4/OTP_Replay_Prevention#Replication_Counter_Race

This is a short-term concern since in the meantime we will be using
replication.

Nathaniel
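
The two behaviours discussed above (the MOD/REPLACE -> MOD/DEL + MOD/ADD rewrite detecting a concurrent counter update, and Thierry's ADD + REPLACE corner case failing on a single-valued attribute) can be modelled outside 389DS. The following is an added Python model written for this page, not code from the ipa-otp-decrement plugin or FreeIPA; the function names `sanitize_input`, `apply_mods` and `try_modify`, the `Entry` type and the sample counter values are assumptions chosen to mirror the thread, and it does not model replication itself, only what happens when the rewritten mods hit an entry whose counter has already moved.

```python
"""Model of the HOTP counter update semantics discussed in the thread.

Added example for this page, not the 389DS plugin's own code. It models:
  * MOD/REPLACE on ipatokenHOTPcounter rewritten as MOD/DEL(old) + MOD/ADD(new),
    so that a counter already advanced by someone else (a replayed token)
    makes the DEL fail instead of silently overwriting the counter;
  * the ADD + REPLACE corner case, which the rewrite turns into
    ADD/DEL/ADD and which then violates the single-valued schema rule.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

ADD, DELETE, REPLACE = "add", "delete", "replace"   # LDAP changetype vocabulary
COUNTER = "ipatokenHOTPcounter"
SINGLE_VALUED = {COUNTER}                            # schema: at most one value

Mod = Tuple[str, str, str]                          # (op, attribute, value)


class ModifyError(Exception):
    """Stand-in for an LDAP modify result other than success."""


@dataclass
class Entry:
    attrs: Dict[str, Set[str]] = field(default_factory=dict)

    def copy(self) -> "Entry":
        return Entry({k: set(v) for k, v in self.attrs.items()})


def sanitize_input(mods: List[Mod], entry_before: Entry,
                   counter_attr: str = COUNTER) -> List[Mod]:
    """Rewrite REPLACE on the counter into DELETE(each old value) + ADD(new).

    The old values are taken from the entry as it looks when the modify is
    processed, so the DELETE encodes what the writer believed the counter was.
    """
    out: List[Mod] = []
    for op, attr, value in mods:
        if attr == counter_attr and op == REPLACE:
            for old in sorted(entry_before.attrs.get(attr, set())):
                out.append((DELETE, attr, old))
            out.append((ADD, attr, value))
        else:
            out.append((op, attr, value))
    return out


def apply_mods(entry: Entry, mods: List[Mod],
               single_valued: Set[str] = SINGLE_VALUED) -> Entry:
    """Apply mods to a copy of the entry as one atomic modify.

    A DELETE of a value that is no longer present fails immediately (the
    concurrent-update / replay signal). Schema (single-valuedness) is checked
    once at the end, after all mods, as a directory server would.
    """
    new = entry.copy()
    for op, attr, value in mods:
        values = new.attrs.setdefault(attr, set())
        if op == ADD:
            if value in values:
                raise ModifyError(f"attributeOrValueExists: {attr}={value}")
            values.add(value)
        elif op == DELETE:
            if value not in values:
                raise ModifyError(
                    f"noSuchAttribute: {attr}={value} not present "
                    f"(current values {sorted(values)}); concurrent update?")
            values.remove(value)
        elif op == REPLACE:
            new.attrs[attr] = {value}
        else:
            raise ModifyError(f"unknown mod op {op!r}")
    for attr in single_valued:
        if len(new.attrs.get(attr, set())) > 1:
            raise ModifyError(
                f"objectClassViolation: {attr} is single-valued, "
                f"got {sorted(new.attrs[attr])}")
    return new


def try_modify(entry: Entry, mods: List[Mod], sanitize: bool = True):
    """Run a modify end to end; returns (True, new_entry) or (False, reason)."""
    try:
        effective = sanitize_input(mods, entry) if sanitize else mods
        return True, apply_mods(entry, effective)
    except ModifyError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample: a token whose counter is currently 5.
    token = Entry({COUNTER: {"5"}})

    # 1. Ordinary increment: REPLACE 6 becomes DEL 5 + ADD 6 and succeeds.
    print(try_modify(token, [(REPLACE, COUNTER, "6")]))

    # 2. Race: the rewritten mods were built against counter=5, but by the
    #    time they are applied (e.g. on another master) the counter is 6.
    stale_mods = sanitize_input([(REPLACE, COUNTER, "6")], token)
    advanced = Entry({COUNTER: {"6"}})
    print(try_modify(advanced, stale_mods, sanitize=False))  # fails: DEL 5

    # 3. Thierry's corner case: ADD 6 then REPLACE 7 on counter=5.
    corner = [(ADD, COUNTER, "6"), (REPLACE, COUNTER, "7")]
    print(try_modify(token, corner, sanitize=True))    # fails: {6, 7}
    print(try_modify(token, corner, sanitize=False))   # succeeds: {7}
```

Case 2 is the behaviour Simo calls intentional: the DELETE of the old value fails because the counter has already moved, so the second writer's update is rejected rather than merged. Case 3 reproduces the corner case exactly as described in the thread (ADD 6 / DEL 5 / ADD 7 leaves two values on a single-valued attribute), while the same two mods applied without the rewrite end with a single value 7.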