[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Distributed ppolicy state

To: "Brett @Google" <brett.maxfield@gmail.com>
Subject: Re: Distributed ppolicy state
From: Howard Chu <hyc@symas.com>
Date: Fri, 23 Oct 2009 14:15:40 -0700
Cc: openldap-devel@openldap.org
In-reply-to: <e021c7c00910220734r66d8294k5130d205274eb2f2@mail.gmail.com>
References: <4AE00D64.7030709@symas.com> <e021c7c00910220734r66d8294k5130d205274eb2f2@mail.gmail.com>
User-agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.9.1.5pre) Gecko/20091012 SeaMonkey/2.0a1pre Firefox/3.0.3

Brett @Google wrote:

On Thu, Oct 22, 2009 at 5:44 PM, Howard Chu <hyc@symas.com
<mailto:hyc@symas.com>> wrote:

    In the case of a local, load-balanced cluster of replicas, where the
    network latency between DSAs is very low, the natural coalescing of
    updates may not occur as often. Still, it would be better if the
    updates didn't happen at all. And in such an environment, where the
    DSAs are so close together that latency is low, distributing reads
    is still cheaper than distributing writes. So, the correct way to
    implement this global state is to keep it distributed separately
    during writes, and collect it during reads.


I'd think that to indicate the topology you would create some
administrative name, perhaps a simple string "sales west" or "cluster
one" to indicate a topological region, and you would specify for each
DSA which administrative name or topology it is logically part of. Then
this administrative region name + unique identifier of the principal in
question, could be used as a key to hold a simple locked / unlocked
boolean value on the replica's parent.

I'm not sure you're trying to solve the right problem yet. I'm prettyunconvinced that account lockout is a good solution to anything, in general.That's why I added login rate control to the latest ppolicy draft, where theDSA simply starts inserting delays before responding to failed authc attempts.As I see it, rate control can be managed completely within a single DSA and nostate ever needs to be replicated outward on any particular schedule. But atthe moment I haven't yet thought about how well this will work in all thepossible deployment scenarios.

So once again, what's important here is to analyze what are the types ofattacks we expect to see, and how particular defense strategies will behave,and how effectively they will fend off those attacks. Until you've outlinedthe problems, you don't have any framework for designing the solution.


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

Follow-Ups:
- Re: Distributed ppolicy state
  - From: Volker Lendecke <Volker.Lendecke@SerNet.DE>

References:
- Distributed ppolicy state
  - From: Howard Chu <hyc@symas.com>
- Re: Distributed ppolicy state
  - From: "Brett @Google" <brett.maxfield@gmail.com>

Prev by Date: Re: small project
Next by Date: Re: Distributed ppolicy state
Index(es):
- Chronological
- Thread