[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SASL OTP and syncrepl

To: "Kurt Zeilenga" <Kurt@OpenLDAP.org>
Subject: Re: SASL OTP and syncrepl
From: masarati@aero.polimi.it
Date: Sun, 21 Feb 2010 10:56:16 +0100 (CET)
Cc: Emmanuel Dreyfus <manu@netbsd.org>, openldap-devel@OpenLDAP.org
Importance: Normal
In-reply-to: <5F8ADF62-BA97-4F54-833D-3F67216F6A10@OpenLDAP.org>
References: <1je6non.38wml4lwttz7M%manu@netbsd.org> <5F8ADF62-BA97-4F54-833D-3F67216F6A10@OpenLDAP.org>
User-agent: SquirrelMail/1.4.15

> IMO, OTP is inherently incompatible with replicas because a client can
> authenticate to each replica with what is intended to be a one time
> password.  The only way to preclude this is, as was basically suggested,
> is to chain it to the master such that each password can only be used one
> time.

I have an "easy" fix in this direction; however, I stumbled into another
issue: if slapo-chain(5) gets involved in an internal operation, it does
not honor custom callbacks registered for the internal operation, and
rather attempts to return the result to the caller.  As a consequence, I
need to address this issue first, before solving the original one.

p.

References:
- Re: SASL OTP and syncrepl
  - From: manu@netbsd.org (Emmanuel Dreyfus)
- Re: SASL OTP and syncrepl
  - From: Kurt Zeilenga <Kurt@OpenLDAP.org>

Prev by Date: Re: SASL OTP and syncrepl
Next by Date: back-config delete support (syncprov overlay)
Index(es):
- Chronological
- Thread