
Re: (ITS#6545) delta-syncrepl rejects modification master accepted



On Thu, Apr 06, 2017 at 05:14:15PM +0200, Michael Ströder wrote:
> ondra@mistotebe.net wrote:
>> On Wed, Apr 05, 2017 at 04:14:12PM +0200, Michael Ströder wrote:
>>> => There could be a slapd per-backend configuration directive to disallow it with a
>>> strong hint in the docs recommending to disallow it when using delta-syncrepl.
>>>
>>> Suggestion:
>>> disallow mod_attr_repeated
>> 
>> In my view, that's more pain than it's worth.
> 
> Hmm, I think slapd should be able to disallow a crazy modify request like this:
> 
> dn: cn=foobar,dc=example,dc=com
> changetype: modify
> replace: description
> description: foobar1
> -
> replace: description
> description: foobar2
> -
> ..
> replace: description
> description: foobar1000
> -

Well, the clients are allowed to request a lot of strange things, some
of which border on a DoS: e.g. right now slapd can't disallow a modify
request like:

dn: cn=foobar,dc=example,dc=com
changetype: modify
replace: description
description: foobar1
description: foobar2
...
description: foobar1000

So there. If we can agree on a way to handle that, we might see whether
it could be repurposed.

I should have a patch for the accesslog issue soon.

-- 
Ondřej Kuzník
Senior Software Engineer
Symas Corporation                       http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP