[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: (ITS#6545) delta-syncrepl rejects modification master accepted
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#6545) delta-syncrepl rejects modification master accepted
- From: hyc@symas.com
- Date: Thu, 06 Apr 2017 15:41:33 +0000
- Auto-submitted: auto-generated (OpenLDAP-ITS)
ondra@mistotebe.net wrote:
> On Thu, Apr 06, 2017 at 05:14:15PM +0200, Michael Str=C3=83=C2=B6der wr=
ote:
>> ondra@mistotebe.net wrote:
>>> On Wed, Apr 05, 2017 at 04:14:12PM +0200, Michael Str=C3=84=E2=80=9A=C3=
=85=E2=80=BAder wrote:
>>>> =3D> There could be a slapd per-backend configuation directive to di=
sallow it with a
>>>> strong hint in the docs recommending to disallow it when using delta=
-syncrepl.
>>>>
>>>> Suggestion:
>>>> disallow mod_attr_repeated
>>>
>>> In my view, that's more pain than it's worth.
>>
>> Hmm, I think slapd should be able to disallow a crazy modify request l=
ike this:
>>
>> dn: cn=3Dfoobar,dc=3Dexample,dc=3Dcom
>> changetype: modify
>> replace: description
>> description: foobar1
>> -
>> replace: description
>> description: foobar2
>> -
>> ..
>> replace: description
>> description: foobar1000
>> -
>
> Well, the clients are allowed to request a lot of strange things, some
> of which border on a DoS: e.g. right now slapd can't disallow a modify
> request like:
Nor should we disallow any such thing. "Be liberal in what you accept."
>
> dn: cn=3Dfoobar,dc=3Dexample,dc=3Dcom
> changetype: modify
> replace: description
> description: foobar1
> description: foobar2
> ...
> description: foobar1000
>
> So there. If we can agree on a way to handle that, we might see whether
> it could be repurposed.
>
> I should have a patch for the accesslog issue soon.
>
--=20
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/