On Sat, 20 Sep 2014 00:25:34 +0200
thierry bordaz <tbor...@redhat.com> wrote:

> Hello Nathaniel,
> 
>     sanitize_input translates MOD/REPLACE into MOD/DEL+MOD/ADD. It
> looks good but difficult to think to all possible cases.
>     I think to the following corner case:
>     The initial entry has ipatokenHOTPcounter=5
>     ldapmodify..
>     changetype: modify
>     add: ipatokenHOTPcounter
>     ipatokenHOTPcounter: 6
>     -
>     replace: ipatokenHOTPcounter
>     ipatokenHOTPcounter: 7
> 
>     It translates
>     add: 6
>     del: 5
>     add: 7
> 
>     This operation will fail because ipatokenHOTPcounter is
>     single-valued although IMHO it should succeed.
>     This is a so special operation that is may not really be a
> concern.
> 
>     It is important that attribute are single valued. The replication
>     changelog will replicated MOD/DEL + MOD/ADD for a MOD/REPL.
>     That means that if the attributes are updated on several masters,
>     the number of values can likely increase. Where for single value
> it should only keep the most recent value.

Hi thierry, this behavior is actually intentional, and we want to fail
the operation if someone else updates the counter because it means a
replay attack has happened.

We will not replicate the counters via normal replication, because it
would be too much traffic anyway, we have drafted a plan to use a
special plugin to handle multi-master updates specific for OTPs and
their requirements.
See:
http://www.freeipa.org/page/V4/OTP_Replay_Prevention#Replication_Counter_Race


Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to