Re: ITS#6475

Sunday, 14 March 2010

...
 <masarati(a)aero.polimi.it&gt; wrote:

> Please test.  p.

 It works, but needs to adjustement to the master ACL. My basic
 configuration yield me this at OTP bind on replica:
 ldap_sasl_interactive_bind_s: Bad parameter to an ldap routine (-9)

 replica slapd  logs:

 conn=1001 op=0 RESULT tag=103 err=50 text=
 SASL [conn=1001] Failure: Error putting OTP secret
 send_ldap_result: conn=1001 op=0 p=3
 send_ldap_result: err=80 matched="" text="SASL(-1): generic failure:
 Error putting OTP secret"

 This has been fixed on the master, by adding this at the beginning of
 the ACL:

 access to * attrs=cmusaslsecretOTP
     by dn.regex="cn=replica,o=test" write stop
     by * break 
This is orthogonal to the sasl auxprops discussion.  It's a matter of
well-configuring the authorizing identity in slapo-chain(5).

...
 Another point: bind on the replica is impossible when the master is
 down. I understand this is to prevent replaying the same OTP on multiple
 replicas, but that defeats the purpose of setting up replicas for fail
 over. 
This was clearly pointed out at the beginning of the discussion.  You
can't have both, it should be clear.

...
 What about making the behavior configurable? 
Right now, cmusaslsecretOTP is hardcoded, because if the shadow copy is
used, OTP breaks.  If it is acceptable to have it broken, we can remove
the hardcoding, and let admins decide whether they prefer fail-over over
consistency.  I'd have no doubt, and favor consistency.

p.

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006