Re: ITS #7161, ppolicy pwdFailureTime resolution should be better than 1 second
- To: Howard Chu <hyc@symas.com>
- Subject: Re: ITS #7161, ppolicy pwdFailureTime resolution should be better than 1 second
- From: "Paul B. Henson" <henson@acm.org>
- Date: Fri, 30 May 2014 17:09:18 -0700
- Cc: openldap-technical@openldap.org
On Fri, May 23, 2014 at 08:51:02PM -0700, Howard Chu wrote:
> You need to actually use microseconds, since the time-increment is
> only unique on the local server and will not guarantee uniqueness in a
> replication scenario.
Attached is an updated patch for this ITS which uses microseconds rather
than the time-increment, maintains the semantics of "now" being when the
code is called rather than when the operation began, and copies the
first timestamp to create a second with microseconds rather than
redundantly calling slapd_timestamp.
Let me know if there's anything else that needs to be fixed or changed.
Thanks...
>From 4db8660f6616a70a67feba1e07ee6f866014b1d2 Mon Sep 17 00:00:00 2001
From: "Paul B. Henson" <henson@acm.org>
Date: Fri, 30 May 2014 16:47:34 -0700
Subject: [PATCH] ITS#7161 ppolicy pwdFailureTime resolution should be better
than 1 second
---
servers/slapd/overlays/ppolicy.c | 20 ++++++++++++++++----
1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/servers/slapd/overlays/ppolicy.c b/servers/slapd/overlays/ppolicy.c
index 83aa099..f8b7335 100644
--- a/servers/slapd/overlays/ppolicy.c
+++ b/servers/slapd/overlays/ppolicy.c
@@ -911,8 +911,11 @@ ppolicy_bind_response( Operation *op, SlapReply *rs )
int ngut = -1, warn = -1, age, rc;
Attribute *a;
time_t now, pwtime = (time_t)-1;
+ struct lutil_tm now_tm;
+ struct lutil_timet now_usec;
char nowstr[ LDAP_LUTIL_GENTIME_BUFSIZE ];
- struct berval timestamp;
+ char nowstr_usec[ LDAP_LUTIL_GENTIME_BUFSIZE+8 ];
+ struct berval timestamp, timestamp_usec;
BackendInfo *bi = op->o_bd->bd_info;
Entry *e;
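Review bot: The `+8` in `char nowstr_usec[ LDAP_LUTIL_GENTIME_BUFSIZE+8 ];` is an unexplained magic number. The suffix written later in this patch lengthens the string by seven characters (the trailing `Z` is overwritten and re-emitted), so size the buffer as `LDAP_LUTIL_GENTIME_BUFSIZE + STRLENOF(".123456")`, or add a comment saying what the extra bytes cover, so the declaration stays in step with the later `bv_len += STRLENOF(".123456")`.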
@@ -929,11 +932,20 @@ ppolicy_bind_response( Operation *op, SlapReply *rs )
return SLAP_CB_CONTINUE;
}
- now = slap_get_time(); /* stored for later consideration */
+ ldap_pvt_gettime(&now_tm); /* stored for later consideration */
+ lutil_tm2time(&now_tm, &now_usec);
+ now = now_usec.tt_sec;
timestamp.bv_val = nowstr;
timestamp.bv_len = sizeof(nowstr);
slap_timestamp( &now, ×tamp );
+ /* Separate timestamp for pwdFailureTime with microsecond granularity */
+ strcpy(nowstr_usec, nowstr);
+ timestamp_usec.bv_val = nowstr_usec;
+ timestamp_usec.bv_len = timestamp.bv_len;
+ snprintf( timestamp_usec.bv_val + timestamp_usec.bv_len-1, sizeof(".123456Z"), ".%06dZ", now_usec.tt_usec );
+ timestamp_usec.bv_len += STRLENOF(".123456");
+
if ( rs->sr_err == LDAP_INVALID_CREDENTIALS ) {
int i = 0, fc = 0;
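Review bot: The `snprintf` bound in the new pwdFailureTime block is `sizeof(".123456Z")`, the size of a sample literal rather than the space remaining in `nowstr_usec`, and its return value is ignored while `bv_len` is advanced by a fixed `STRLENOF(".123456")`. If `now_usec.tt_usec` ever fell outside 0..999999 the output would be truncated and lose its terminating `Z`, yet the length would still be reported as if it were complete. Suggest bounding the call by `sizeof(nowstr_usec) - (timestamp_usec.bv_len - 1)` and setting `bv_len` from the checked return value. Two smaller points in the same block: the write offset `bv_len-1` assumes `slap_timestamp` always leaves a non-empty string ending in `Z`, which deserves a comment or an assert, and the `%06d` conversion should be confirmed against the declared type of `tt_usec` (use `%06u` or a cast if it is unsigned).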
@@ -946,8 +958,8 @@ ppolicy_bind_response( Operation *op, SlapReply *rs )
m->sml_values = ch_calloc( sizeof(struct berval), 2 );
m->sml_nvalues = ch_calloc( sizeof(struct berval), 2 );
- ber_dupbv( &m->sml_values[0], ×tamp );
- ber_dupbv( &m->sml_nvalues[0], ×tamp );
+ ber_dupbv( &m->sml_values[0], ×tamp_usec );
+ ber_dupbv( &m->sml_nvalues[0], ×tamp_usec );
m->sml_next = mod;
mod = m;
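Review bot: The two `ber_dupbv` calls switch the stored pwdFailureTime values to `timestamp_usec`, but none of the hunks in this patch touches code that reads those values back, and the diffstat lists only `ppolicy.c`. Please confirm that every place that parses existing pwdFailureTime values accepts the fractional-seconds form alongside old whole-second entries, and add a line to the overlay's documentation noting the new value format, since it is visible to anything that consumes the attribute.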
--
1.8.3.2