7:29 p.m.
Hello
After exchanging a few private messages with Pierangelo Masarati, I just
posted ITD#6475:
When binding using SASL OTP to a replica, the bind works, but the
cmusaslsecretOTP attribute is modified on the replica and fail to be
propagated to the master. On the next modification, the master will
overwrite the replica's updated cmusaslsecretOTP value.
Here is a script that exhibit the behaviour:
ftp://ftp.openldap.org/incoming/ldapotp.tgz
That require SASL enabled OpenLDAP, with the OTP plugin installed.
The
PATH in run.sh must probably be adjusted.
The problem is in sasl_auxprop_store(), who bypass the replication
process. The easier fix to me seems to send a referal to the master on
any SASL OTP bind, Any other idea?
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu(a)netbsd.org
9:22 p.m.
On 2/16/10 10:29 PM, Emmanuel Dreyfus wrote:
Hello
After exchanging a few private messages with Pierangelo Masarati, I just
posted ITD#6475:
> When binding using SASL OTP to a replica, the bind works, but the
> cmusaslsecretOTP attribute is modified on the replica and fail to be
> propagated to the master. On the next modification, the master will
> overwrite the replica's updated cmusaslsecretOTP value.
>
> Here is a script that exhibit the behaviour:
> ftp://ftp.openldap.org/incoming/ldapotp.tgz
> That require SASL enabled OpenLDAP, with the OTP plugin installed. The
> PATH in run.sh must probably be adjusted.
The problem is in sasl_auxprop_store(), who bypass the replication
process. The easier fix to me seems to send a referal to the master on
any SASL OTP bind, Any other idea?
I was experimenting with SASL OTP a few months ago and thought
replication seemed problematic in general.
In a single provider, single consumer setup, it would seem that if the
cmusaslsecretOTP was written to on the provider (as above), there would
be a chance for a client to perform another SASL OTP bind against the
consumer before the cmusaslsecretOTP was replicated. In such a
situation, the password could be replayed.
In the current implementation, this cannot happen on a single consumer,
as the SASL libraries prevent binding until the cmusaslsecretOTP has
been written. Of course, if the entry with an old cmusaslsecretOTP is
replicated, the password can be replayed.
Multi-consumer setups suffer from the same problem. Passwords can be
used multiple times on different consumers.
I'm not sure how this problem can be solved. It would seem that in a
replicated environment a SASL OTP bind would have to block across all
providers until they are all updated to prevent passwords from being
replayed. This seems difficult, to say the least.
1:38 a.m.
Emmanuel Dreyfus wrote:
Hello
After exchanging a few private messages with Pierangelo Masarati, I just
posted ITD#6475:
> When binding using SASL OTP to a replica, the bind works, but the
> cmusaslsecretOTP attribute is modified on the replica and fail to be
> propagated to the master. On the next modification, the master will
> overwrite the replica's updated cmusaslsecretOTP value.
>
> Here is a script that exhibit the behaviour:
> ftp://ftp.openldap.org/incoming/ldapotp.tgz
> That require SASL enabled OpenLDAP, with the OTP plugin installed. The
> PATH in run.sh must probably be adjusted.
The problem is in sasl_auxprop_store(), who bypass the replication
process. The easier fix to me seems to send a referal to the master on
any SASL OTP bind, Any other idea?
Let me elaborate a bit. The scenario is an authentication procedure
that involves modifications to the account. These modifications need to
be done on the real data, cannot be local (much like many fields related
to password policy, for instance).
The "right" approach would be to propagate the modifications to the
master, wait for their replication and continue with the bind.
The real right approach would be to centralize binds, basically
defeating the purpose of having replicas (with respect to
authentication, at least).
I'm not a fan of OTP, but I believe this problem is worth being
discussed not only with respect to OTP, but also because it may share
issues with other auth methods where the directory stores auth-related
data (like SASL auxprops).
When everything is set up correctly, a client should not direct binds
with this type of mech to a replica.
When clients do not know that a DSA is in fact a shadow, the shadow DSA
should be able to handle this type of requests seamlessly, although
possibly not as efficiently as the master would. In this latter case,
the auth procedure should be able to understand that the request will
modify centrally administered info, and refuse to proceed. The frontend
should be able to intercept this (much like when it receives a write
request, or a request with the dontUseCopy control), and either give up
or perform the write to the master, wait for success, and continue.
Note that "continue" might imply waiting for replication to finalize,
otherwise a subsequent request for stored auxprops would return invalid
values. The above could be implemented at minimal cost using the chain
mechanism already available to support writes to shadow databases, but
binds do not return referrals by design.
In short, I believe this really messes up with the mess involved with
distributed procedures. Either we solve it consistently (at the cost of
performances) or consistently prevent things from messing up (like it is
now); the latter might be the only viable solution if fixing things
consistently is not worth because of excessive performance penalties.
p.
10:53 p.m.
Pierangelo Masarati <masarati(a)aero.polimi.it> wrote:
I'm not a fan of OTP, but I believe this problem is worth being
discussed not only with respect to OTP, but also because it may share
issues with other auth methods where the directory stores auth-related
data (like SASL auxprops).
When everything is set up correctly, a client should not direct binds
with this type of mech to a replica.
A simple solution in the single master situation is to redirect any SASL
OTP bind to the master. As far as I understand, we have no way of
configuring this right now, it needs at add some code, right?
The multi-master setup is much more complicated to get done right.
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu(a)netbsd.org
3:09 a.m.
On Fri, Feb 19, 2010 at 07:53:09AM +0100, Emmanuel Dreyfus wrote:
A simple solution in the single master situation is to redirect any
SASL
OTP bind to the master. As far as I understand, we have no way of
configuring this right now, it needs at add some code, right?
Perhaps slapo-rwm can do that? Is there a way of matching OTP
binds?
--
Emmanuel Dreyfus
manu(a)netbsd.org
6:32 a.m.
[Replying to both messages]
Emmanuel Dreyfus wrote:
On Fri, Feb 19, 2010 at 07:53:09AM +0100, Emmanuel Dreyfus wrote:
> A simple solution in the single master situation is to redirect any SASL
> OTP bind to the master. As far as I understand, we have no way of
> configuring this right now, it needs at add some code, right?
Perhaps slapo-rwm can do that? Is there a way of matching OTP
binds?
I'm afraid slapo-rwm can't do anything like that, since it is not
involved in SASL binds (not even in rewriting identities).
To go back to your initial statement, redirecting SASL OTP binds to the
master may sound simple, but the question is: is it acceptable? I mean:
isn't it defeating the purpose of using replicas in the first place?
Going a bit technical, we need to let SASL bind know that some mechs may
need to behave differently. But redirecting SASL binds to the master
means playing man-in-the-middle, we'd rather need to have distributed
SASL binds. Not familiar enough with SASL's internals to debate. As
far as I understand, auxprops is the intended method to implement
distributed SASL info storage and thus (try to) support distributed SASL
bind. However, this means that not only slap_auxprop_store() needs to:
- understand it's acting on behalf of a shadow database
- redirect writes to the master
but also
- wait for replication to complete
before authentication can continue.
A totally different approach would be to have auxprop handling,
including reads, redirected to the master. In this latter case, auxprop
info (at least for specific SASL mechs) shouldn't be replicated at all.
p.
2:10 p.m.
Pierangelo Masarati <masarati(a)aero.polimi.it> wrote:
- wait for replication to complete
before authentication can continue.
One problem:
If we do that, authentication cannot take place if the master or a
replica is down. That defeats the purpose of setting up replicas to
prevent failures.
IMO there is a trade off between reliability and security here. We can
either
(1) redirect the client to the master (lower availability, better
security since no replay can happen at any time), or
(2) accept the authentication locally and send the update to the master
afterwards (more reliable. less secure)
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu(a)netbsd.org
4:57 p.m.
IMO, OTP is inherently incompatible with replicas because a client can authenticate to
each replica with what is intended to be a one time password. The only way to preclude
this is, as was basically suggested, is to chain it to the master such that each password
can only be used one time.
-- Kurt
1:56 a.m.
IMO, OTP is inherently incompatible with replicas because a client
can
authenticate to each replica with what is intended to be a one time
password. The only way to preclude this is, as was basically suggested,
is to chain it to the master such that each password can only be used one
time.
I have an "easy" fix in this direction; however, I stumbled into another
issue: if slapo-chain(5) gets involved in an internal operation, it does
not honor custom callbacks registered for the internal operation, and
rather attempts to return the result to the caller. As a consequence, I
need to address this issue first, before solving the original one.
p.
4777
days inactive
4781
days old
8 comments
6 participants
participants (6)
-
David Hawes -
Emmanuel Dreyfus -
Kurt Zeilenga -
manu@netbsd.org
-
masarati@aero.polimi.it -
Pierangelo Masarati