[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ppolicy and syncrepl aclaration

To: Buchan Milne <bgmilne@staff.telkomsa.net>
Subject: Re: ppolicy and syncrepl aclaration
From: Howard Chu <hyc@symas.com>
Date: Tue, 30 Jun 2009 01:16:35 -0700
Cc: Jordi Espasa Clofent <jespasac@minibofh.org>, openldap-technical@openldap.org
In-reply-to: <200906300942.16459.bgmilne@staff.telkomsa.net>
References: <4A375B8C.6090302@minibofh.org> <200906171435.34229.bgmilne@staff.telkomsa.net> <4A4941C3.2040009@symas.com> <200906300942.16459.bgmilne@staff.telkomsa.net>
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; rv:1.9.1b5pre) Gecko/20090611 SeaMonkey/2.0a1pre Firefox/3.0.3

Buchan Milne wrote:

On Tuesday 30 June 2009 00:35:47 Howard Chu wrote:

In my opinion, this feature should be removed from the spec and replaced
with an incremental delay instead.


Removing it will (AFAIK) mean that implementations supporting the spec (alone)
will not be compliant with many IT security policies supporting SAOX. Whether
the policies were written with good understanding, or just by feature sets
available in other software, is irrelevant IMHO.


Fair enough, we leave it in. Yet another victory for stupid checkbox software.

I.e., when any login attempt fails,
start adding delays before processing subsequent attempts from the same
client (or for the same user).

In a widely distributed environment, it makes little sense to replicate a
password failure incident to servers located halfway around the world.


However, at present, this does occur. Password failures and lockout on a
syncrepl provider are replicated to any of its consumers. However, the
password failure incident is not replicated to the providers provider, so if
the account has not been locked out on the ultimate master, it is inconvenient
to unlock the account. Additionally, password failures that were recorded on
consumers are not guaranteed to be cleared ...

As before, the spec doesn't address how to handle this situation, and as faras I can tell it avoids it precisely because it is such a pain to get right,and there really isn't even a clear definition of what "getting it right"looks like. Since password failures can be recorded at any of the serversyou're essentially in a multimaster scenario, with all of the race conditionsand inconsistencies that entails. The only way to avoid it is to force allconsumers to chain all Bind requests to their master. That would again defeatthe purpose of load-balancing authentications.

I guess in the short term we can add an option to have ppolicy perform itsfailure updates through the frontend, instead of calling the backend as itdoes now. That would give the frontend the opportunity to generate anupdate-referral, which the chain overlay could then forward back to the provider.


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

References:
- ppolicy and syncrepl aclaration
  - From: Jordi Espasa Clofent <jespasac@minibofh.org>
- Re: ppolicy and syncrepl aclaration
  - From: Buchan Milne <bgmilne@staff.telkomsa.net>
- Re: ppolicy and syncrepl aclaration
  - From: Howard Chu <hyc@symas.com>
- Re: ppolicy and syncrepl aclaration
  - From: Buchan Milne <bgmilne@staff.telkomsa.net>

Prev by Date: Re: ppolicy and syncrepl aclaration
Next by Date: RE: MirrorMode VS load balancing
Index(es):
- Chronological
- Thread