[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Is existing documentation kind of vague?

To: MJ J <mikedotjackson@gmail.com>
Subject: Re: Is existing documentation kind of vague?
From: Michael Ströder <michael@stroeder.com>
Date: Tue, 14 Nov 2017 21:47:34 +0100
Cc: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
In-reply-to: <CANCEyfPKWChj-TPstK+gsZP4DmYjfiYDpW+ofj7475yHbVwFuA@mail.gmail.com>
Openpgp: id=43C8730E84A20E560722806C07DC7AE36A8BC938
References: <1510686800.27244.1.camel@hyperbolicinnovation.com> <CANCEyfNNs0CC-KxBV4kS3v3QRLFROKsp4BueMQrhOzxgZ1drwQ@mail.gmail.com> <64c16f15-293f-717d-12cc-e0b9b73cd9de@stroeder.com> <CANCEyfPKWChj-TPstK+gsZP4DmYjfiYDpW+ofj7475yHbVwFuA@mail.gmail.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 SeaMonkey/2.49.1

MJ J wrote:
> Client apps are not scoped to do subtree searches from the root of the
> directory where the autoincrement objects live, nor do the ACLs permit
> it, but you knew that already.

Good to hear it's alright in your deployment.
But please add this extra note next time you give general advice to others.

> Duplicate a race condition using the above code and you shouldn't be
> using LDAP in the first place.

Did you really read what I wrote? Did you look at RFC 4527?

Ciao, Michael.

> On Tue, Nov 14, 2017 at 10:26 PM, Michael Ströder <michael@stroeder.com> wrote:
>> MJ J wrote:
>>> You don't need a special object class or schema, you can use this:
>>> dn: cn=user,ou=increment,dc=foo,dc=bar
>>> objectClass: top
>>> objectClass: account
>>> objectClass: posixAccount
>>
>> Ouch! Depending on the config of your LDAP server and client systems
>> this is a visible user account with username 'user' and *changing* and
>> *conflicting* uidNumber. This is bad design. No wonder if you're running
>> into problems with nss-pam-ldapd (nslcd) or sssd later.
>>
>> You have been warned.
>>
>>> And here is a python method to do the job for you:
>>>
>>> def increment_uidnumber(l, base):
>>>     """ Perform LDAP modify-increment operation on uidNumber tracking object """
>>>     modlist = [(ldap.MOD_INCREMENT, "uidNumber", "1")]
>>>     l.modify_s("cn=user,{0}".format(base), modlist)
>>>     r = l.search_s(base, ldap.SCOPE_SUBTREE, "(objectClass=posixAccount)",
>>>                    ['uidNumber'])
>>>     next_number = r[0][1]['uidNumber'][0]
>>>
>>>     return next_number
>>
>> Using MOD_INCREMENT is good but the above read-after-write is prone to
>> race conditions. Since you're using Python you can look at file
>> Demo/pyasn1/readentrycontrol.py to learn how to use the PreReadControl
>> or PostReadControl class (see also RFC 4527) for incrementing *and*
>> reading the new ID within a single atomic modify operation.
>>
>> Also note that you should only do this on a single provider or "primary"
>> MMR-enabled provider (ITS#8757 would be nice for that).
>>
>> BTW: That's how it's done in Æ-DIR but with a special object class:
>>
>> https://demo.ae-dir.com/web2ldap?ldapi://%2Fopt%2Fae-dir%2Frun%2Fslapd%2Fldapi/ou=ae-dir??base??bindname=aead,X-BINDPW=CorrectHorseBatteryStaple
>>
>> One of the unsolved problems is that IDs consumed from the pool might
>> not really be used by the client application possibly resulting in gaps
>> in your ID space.
>>
>> Ciao, Michael.

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

References:
- Is existing documentation kind of vague?
  - From: John Lewis <jl@hyperbolicinnovation.com>
- Re: Is existing documentation kind of vague?
  - From: MJ J <mikedotjackson@gmail.com>
- Re: Is existing documentation kind of vague?
  - From: Michael Ströder <michael@stroeder.com>
- Re: Is existing documentation kind of vague?
  - From: MJ J <mikedotjackson@gmail.com>

Prev by Date: Re: Is existing documentation kind of vague?
Next by Date: ssf Security Question
Index(es):
- Chronological
- Thread