On Sat, 20 Sep 2014 00:25:34 +0200
thierry bordaz <tbor...@redhat.com> wrote:
> Hello Nathaniel,
> sanitize_input translates MOD/REPLACE into MOD/DEL+MOD/ADD. It
> looks good, but it is difficult to think of all possible cases.
> I am thinking of the following corner case:
> The initial entry has ipatokenHOTPcounter=5
> changetype: modify
> add: ipatokenHOTPcounter
> ipatokenHOTPcounter: 6
> replace: ipatokenHOTPcounter
> ipatokenHOTPcounter: 7
> It translates
> add: 6
> del: 5
> add: 7
> This operation will fail because ipatokenHOTPcounter is
> single-valued, although IMHO it should succeed.
> This is such a special operation that it may not really be a
> It is important that attributes are single-valued. The replication
> changelog will replicate MOD/DEL + MOD/ADD for a MOD/REPL.
> That means that if the attributes are updated on several masters,
> the number of values can likely increase, whereas for a single-valued
> attribute it should only keep the most recent value.
Hi Thierry, this behavior is actually intentional, and we want to fail
the operation if someone else updates the counter, because it means a
replay attack has happened.
We will not replicate the counters via normal replication, because it
would be too much traffic anyway; we have drafted a plan to use a
special plugin to handle multi-master updates specific for OTPs and
Simo Sorce * Red Hat, Inc * New York
Freeipa-devel mailing list
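A small Python model of the MOD/REPLACE rewrite discussed above and of the two outcomes the thread argues about (Thierry's add+replace corner case, and two writers racing on the counter as in Simo's reply); this is an added example, not code from 389-ds, FreeIPA or either poster. The function names, the in-memory entry format and the assumption that a replayed delete of an already removed value is tolerated are the example's own.

```python
SINGLE_VALUED = {"ipatokenhotpcounter"}  # schema allows exactly one value

def sanitize_input(entry, mods):
    """Hypothetical model: rewrite ('replace', attr, vals) into a delete of the
    values held before the MOD followed by an add of vals; pass others through."""
    out = []
    for op, attr, vals in mods:
        if op == "replace":
            if entry.get(attr.lower()):
                out.append(("delete", attr, list(entry[attr.lower()])))
            out.append(("add", attr, list(vals)))
        else:
            out.append((op, attr, list(vals)))
    return out

def apply_mods(entry, mods, ignore_missing_delete=False):
    """Apply one LDAP MOD, then schema-check; returns (ok, entry), untouched on failure."""
    e = {k: list(v) for k, v in entry.items()}
    for op, attr, vals in mods:
        have = e.setdefault(attr.lower(), [])
        if op == "add":
            have += [v for v in vals if v not in have]
        elif op == "replace":
            have[:] = list(vals)
        else:  # delete
            for v in vals:
                if v in have:
                    have.remove(v)
                elif not ignore_missing_delete:
                    return False, entry  # noSuchAttribute: whole MOD rejected
    if any(k in SINGLE_VALUED and len(v) > 1 for k, v in e.items()):
        return False, entry  # objectClassViolation: whole MOD rejected
    return True, e

def thierry_corner_case(sanitize):
    """add 6 then replace 7 on an entry holding 5 -> (ok, values)."""
    entry = {"ipatokenhotpcounter": ["5"]}
    mods = [("add", "ipatokenHOTPcounter", ["6"]), ("replace", "ipatokenHOTPcounter", ["7"])]
    ok, res = apply_mods(entry, sanitize_input(entry, mods) if sanitize else mods)
    return ok, res["ipatokenhotpcounter"]

def concurrent_counter_update(a, b):
    """Two writers both replace counter 5; B's rewritten MOD lands on A's result.
    Assumes the delete of the already-gone 5 is tolerated -> (ok, values)."""
    base = {"ipatokenhotpcounter": ["5"]}
    rewrite = lambda v: sanitize_input(base, [("replace", "ipatokenHOTPcounter", [v])])
    _, after_a = apply_mods(base, rewrite(a))
    ok, after_b = apply_mods(after_a, rewrite(b), ignore_missing_delete=True)
    return ok, after_b["ipatokenhotpcounter"]
```

With a native replace the corner case ends at value 7, while the rewritten form accumulates 6 and 7 and is rejected by the single-valued check; the racing writers are rejected the same way, which is the failure Simo describes as intentional.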