On Sat, 20 Sep 2014 00:25:34 +0200 thierry bordaz <tbor...@redhat.com> wrote:
> Hello Nathaniel,
>
> sanitize_input translates MOD/REPLACE into MOD/DEL+MOD/ADD. It
> looks good but it is difficult to think of all possible cases.
> I am thinking of the following corner case:
> The initial entry has ipatokenHOTPcounter=5
> ldapmodify..
> changetype: modify
> add: ipatokenHOTPcounter
> ipatokenHOTPcounter: 6
> -
> replace: ipatokenHOTPcounter
> ipatokenHOTPcounter: 7
>
> It translates to
> add: 6
> del: 5
> add: 7
>
> This operation will fail because ipatokenHOTPcounter is
> single-valued, although IMHO it should succeed.
> This is such a special operation that it may not really be a
> concern.
>
> It is important that attributes are single-valued. The replication
> changelog will replicate MOD/DEL + MOD/ADD for a MOD/REPL.
> That means that if the attributes are updated on several masters,
> the number of values can likely increase, whereas for a single-valued
> attribute it should only keep the most recent value.

Hi Thierry,
this behavior is actually intentional, and we want to fail the
operation if someone else updates the counter because it means a
replay attack has happened.

We will not replicate the counters via normal replication, because
it would be too much traffic anyway; we have drafted a plan to use a
special plugin to handle multi-master updates specific for OTPs and
their requirements.
See: http://www.freeipa.org/page/V4/OTP_Replay_Prevention#Replication_Counter_Race

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
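The two points in the exchange above (the add-then-replace corner case that the DEL+ADD rewrite breaks, and why that rewrite is wanted anyway as a replay check on the HOTP counter) can be made concrete with a toy model of LDAP modify semantics. The code below is an added illustration written for this page; it is not FreeIPA or 389-ds code. It assumes ipatokenHOTPcounter is single-valued (as the thread states), that the single-valued check runs once at the end of the whole modify operation, and that sanitize_input computes the values to delete from the entry as it looked when the request was prepared; the function and error names are mine.

```python
# Toy model of LDAP modify operations (illustration only, not FreeIPA/389-ds).
from copy import deepcopy

SINGLE_VALUED = {"ipatokenhotpcounter"}  # assumption: single-valued, per the thread


class LDAPError(Exception):
    pass


def sanitize_input(snapshot, mods):
    """Rewrite ("replace", attr, [v]) into ("delete", attr, old) + ("add", attr, [v]).

    `snapshot` is the entry as the client/plugin saw it when preparing the
    request (assumption). Other operations pass through unchanged.
    """
    out = []
    for op, attr, values in mods:
        if op == "replace":
            old = snapshot.get(attr.lower(), [])
            if old:
                out.append(("delete", attr, list(old)))
            out.append(("add", attr, list(values)))
        else:
            out.append((op, attr, list(values)))
    return out


def apply_mods(entry, mods):
    """Apply a modify request atomically; return the new entry or raise LDAPError.

    Value-level checks happen per sub-operation; the single-valued schema
    check is done once on the final state (assumption about server behaviour).
    """
    e = deepcopy(entry)
    for op, attr, values in mods:
        key = attr.lower()
        cur = e.setdefault(key, [])
        if op == "add":
            for v in values:
                if v in cur:
                    raise LDAPError("attributeOrValueExists: %s=%s" % (attr, v))
                cur.append(v)
        elif op == "delete":
            for v in values:
                if v not in cur:
                    raise LDAPError("noSuchAttribute: %s=%s" % (attr, v))
                cur.remove(v)
        elif op == "replace":
            e[key] = list(values)
        else:
            raise LDAPError("protocolError: unknown op %s" % op)
    for key, vals in e.items():
        if key in SINGLE_VALUED and len(vals) > 1:
            raise LDAPError("objectClassViolation: %s is single-valued, got %r" % (key, vals))
    return e


def commit(current, snapshot, mods, sanitize=True):
    """Prepare `mods` against `snapshot`, apply them to `current`.

    Returns ("ok", counter) or ("error", ldap_result_name).
    """
    prepared = sanitize_input(snapshot, mods) if sanitize else mods
    try:
        new = apply_mods(current, prepared)
        return ("ok", new["ipatokenhotpcounter"][0])
    except LDAPError as err:
        return ("error", str(err).split(":")[0])


A = "ipatokenHOTPcounter"

# Constructed scenario 1: Thierry's corner case. Entry holds 5; one request
# does add 6 then replace 7. Raw LDAP succeeds (ends at 7); the DEL+ADD
# rewrite yields add 6 / del 5 / add 7 and ends with {6, 7} -> schema violation.
ENTRY5 = {"ipatokenhotpcounter": [5]}
CORNER = [("add", A, [6]), ("replace", A, [7])]


def corner_case():
    return (commit(ENTRY5, ENTRY5, CORNER, sanitize=False),
            commit(ENTRY5, ENTRY5, CORNER, sanitize=True))


# Constructed scenario 2: the replay race Simo describes. Two authentications
# with the same HOTP value both read counter 5 and both want to write 6.
# The second writer hits an entry that already holds 6: with a plain REPLACE
# it silently "succeeds", with DEL 5 + ADD 6 the DEL of the stale value fails.
ENTRY6 = {"ipatokenhotpcounter": [6]}
ADVANCE = [("replace", A, [6])]


def replay_race():
    return (commit(ENTRY6, ENTRY5, ADVANCE, sanitize=False),
            commit(ENTRY6, ENTRY5, ADVANCE, sanitize=True))


if __name__ == "__main__":
    print("corner case (raw, sanitized):", corner_case())
    print("replay race (raw, sanitized):", replay_race())
```

The second scenario is the point of the rewrite: deleting the specific old value turns the counter update into a compare-and-swap, so a concurrent writer that already moved the counter makes the later request fail instead of letting a replayed OTP value be accepted. The first scenario is the cost Thierry points out: a single request that both adds and replaces the same single-valued attribute is legal LDAP but does not survive the translation.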