[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SASL OTP and syncrepl

To: Emmanuel Dreyfus <manu@netbsd.org>
Subject: Re: SASL OTP and syncrepl
From: Howard Chu <hyc@symas.com>
Date: Wed, 02 Dec 2009 22:46:41 -0800
Cc: openldap-software@openldap.org
In-reply-to: <1ja4rww.114dhvf1u0s145M%manu@netbsd.org>
References: <1ja4rww.114dhvf1u0s145M%manu@netbsd.org>
User-agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.9.3a1pre) Gecko/20091121 SeaMonkey/2.0a1pre Firefox/3.0.3

Emmanuel Dreyfus wrote:

Hello

When using SASL OTP, the one time password sequence number is stored in
a cmusaslsecretOTP attribute. On every successful authentication, it
should be decreased.

That works fine until used with a syncrepl setup: authenticating to a
replica may cause its local cmusaslsecretOTP, but this change will be
overriden by the value from the master.

As a result, I see sometime the sequence number decreasing just after a
succeeded authentication, but that does not last very long. Soon or
later, the older value is restored.

How is it supposed to work?

Most likely it's not. Since almost nobody uses SASL OTP with OpenLDAP, it'snever gotten much attention.

As far as I understand, there needs to be
some code for the replica to send the update to the master. Is the code
missing, or do I have a configuration problem that prevent it from
working? Or do I hit a bug?


Look into chaining...

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

Follow-Ups:
- Re: SASL OTP and syncrepl
  - From: manu@netbsd.org (Emmanuel Dreyfus)

References:
- SASL OTP and syncrepl
  - From: manu@netbsd.org (Emmanuel Dreyfus)

Prev by Date: SASL OTP and syncrepl
Next by Date: Re: SASL OTP and syncrepl
Index(es):
- Chronological
- Thread