[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Is existing documentation kind of vague?

To: Michael Ströder <michael@stroeder.com>
Subject: Re: Is existing documentation kind of vague?
From: MJ J <mikedotjackson@gmail.com>
Date: Tue, 14 Nov 2017 22:44:46 +0200
Cc: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=31PE8YojcDHvBuTpTbaszOF7QknaXOCqZqw1BAG/N0E=; b=GnS/6vuZLNk8hz3l/Ib3Q6iIvpUCCGQROX/SgchmTz3m7q9DqUfaypm+hrWbdCk+1L lanRIz6pxOoxIDOypoDYAviZnkCoSd5XRUkI57zHxQNKFteN0RpheLe9T9ZECBPS7D3g j0iIejiZcsaiFH1jf8xkQGxDzoIyiu0MBknfq+FSuX17e0ZB2QoRRZg8nibIsDSYuXnk prEZdatzo5Ld3uG732hMD9C9fqx+npzkysAGy4sc9HuU7j0f5OtWBytVbdNJT6A7Pbw6 KSG5arKggElRccWpdCV9xD7kUT2VESXVhIOJbjYvVKwRJ4C4Xj0D8pBBXKefoyS12s12 Leyw==
In-reply-to: <64c16f15-293f-717d-12cc-e0b9b73cd9de@stroeder.com>
References: <1510686800.27244.1.camel@hyperbolicinnovation.com> <CANCEyfNNs0CC-KxBV4kS3v3QRLFROKsp4BueMQrhOzxgZ1drwQ@mail.gmail.com> <64c16f15-293f-717d-12cc-e0b9b73cd9de@stroeder.com>

Client apps are not scoped to do subtree searches from the root of the
directory where the autoincrement objects live, nor do the ACLs permit
it, but you knew that already.

Duplicate a race condition using the above code and you shouldn't be
using LDAP in the first place.



On Tue, Nov 14, 2017 at 10:26 PM, Michael Ströder <michael@stroeder.com> wrote:
> MJ J wrote:
>> You don't need a special object class or schema, you can use this:
>> dn: cn=user,ou=increment,dc=foo,dc=bar
>> objectClass: top
>> objectClass: account
>> objectClass: posixAccount
>
> Ouch! Depending on the config of your LDAP server and client systems
> this is a visible user account with username 'user' and *changing* and
> *conflicting* uidNumber. This is bad design. No wonder if you're running
> into problems with nss-pam-ldapd (nslcd) or sssd later.
>
> You have been warned.
>
>> And here is a python method to do the job for you:
>>
>> def increment_uidnumber(l, base):
>>     """ Perform LDAP modify-increment operation on uidNumber tracking object """
>>     modlist = [(ldap.MOD_INCREMENT, "uidNumber", "1")]
>>     l.modify_s("cn=user,{0}".format(base), modlist)
>>     r = l.search_s(base, ldap.SCOPE_SUBTREE, "(objectClass=posixAccount)",
>>                    ['uidNumber'])
>>     next_number = r[0][1]['uidNumber'][0]
>>
>>     return next_number
>
> Using MOD_INCREMENT is good but the above read-after-write is prone to
> race conditions. Since you're using Python you can look at file
> Demo/pyasn1/readentrycontrol.py to learn how to use the PreReadControl
> or PostReadControl class (see also RFC 4527) for incrementing *and*
> reading the new ID within a single atomic modify operation.
>
> Also note that you should only do this on a single provider or "primary"
> MMR-enabled provider (ITS#8757 would be nice for that).
>
> BTW: That's how it's done in Æ-DIR but with a special object class:
>
> https://demo.ae-dir.com/web2ldap?ldapi://%2Fopt%2Fae-dir%2Frun%2Fslapd%2Fldapi/ou=ae-dir??base??bindname=aead,X-BINDPW=CorrectHorseBatteryStaple
>
> One of the unsolved problems is that IDs consumed from the pool might
> not really be used by the client application possibly resulting in gaps
> in your ID space.
>
> Ciao, Michael.
>

Follow-Ups:
- Re: Is existing documentation kind of vague?
  - From: Michael Ströder <michael@stroeder.com>

References:
- Is existing documentation kind of vague?
  - From: John Lewis <jl@hyperbolicinnovation.com>
- Re: Is existing documentation kind of vague?
  - From: MJ J <mikedotjackson@gmail.com>
- Re: Is existing documentation kind of vague?
  - From: Michael Ströder <michael@stroeder.com>

Prev by Date: Re: Is existing documentation kind of vague?
Next by Date: Re: Is existing documentation kind of vague?
Index(es):
- Chronological
- Thread