Hello
When using SASL OTP, the one time password sequence number is stored in a cmusaslsecretOTP attribute. On every successful authentication, it should be decreased.
That works fine until used with a syncrepl setup: authenticating to a replica may cause its local cmusaslsecretOTP, but this change will be overriden by the value from the master.
As a result, I see sometime the sequence number decreasing just after a succeeded authentication, but that does not last very long. Soon or later, the older value is restored.
How is it supposed to work? As far as I understand, there needs to be some code for the replica to send the update to the master. Is the code missing, or do I have a configuration problem that prevent it from working? Or do I hit a bug?
Emmanuel Dreyfus wrote:
Hello
When using SASL OTP, the one time password sequence number is stored in a cmusaslsecretOTP attribute. On every successful authentication, it should be decreased.
That works fine until used with a syncrepl setup: authenticating to a replica may cause its local cmusaslsecretOTP, but this change will be overriden by the value from the master.
As a result, I see sometime the sequence number decreasing just after a succeeded authentication, but that does not last very long. Soon or later, the older value is restored.
How is it supposed to work?
Most likely it's not. Since almost nobody uses SASL OTP with OpenLDAP, it's never gotten much attention.
As far as I understand, there needs to be some code for the replica to send the update to the master. Is the code missing, or do I have a configuration problem that prevent it from working? Or do I hit a bug?
Look into chaining...
Howard Chu hyc@symas.com wrote:
How is it supposed to work?
Most likely it's not. Since almost nobody uses SASL OTP with OpenLDAP, it's never gotten much attention.
What do people use, then?
As far as I understand, there needs to be some code for the replica to send the update to the master. Is the code missing, or do I have a configuration problem that prevent it from working? Or do I hit a bug?
Look into chaining...
I have it configured already. Do you confirm this is a bug to be fixed in the chain overlay?
Emmanuel Dreyfus wrote:
Howard Chuhyc@symas.com wrote:
How is it supposed to work?
Most likely it's not. Since almost nobody uses SASL OTP with OpenLDAP, it's never gotten much attention.
What do people use, then?
DIGEST-MD5
As far as I understand, there needs to be some code for the replica to send the update to the master. Is the code missing, or do I have a configuration problem that prevent it from working? Or do I hit a bug?
Look into chaining...
I have it configured already. Do you confirm this is a bug to be fixed in the chain overlay?
No, since I have never used SASL OTP with syncrepl I don't confirm anything.
Emmanuel Dreyfus wrote:
Howard Chu hyc@symas.com wrote:
How is it supposed to work?
Most likely it's not. Since almost nobody uses SASL OTP with OpenLDAP, it's never gotten much attention.
What do people use, then?
As far as I understand, there needs to be some code for the replica to send the update to the master. Is the code missing, or do I have a configuration problem that prevent it from working? Or do I hit a bug?
Look into chaining...
I have it configured already. Do you confirm this is a bug to be fixed in the chain overlay?
Not necessarily. Every write to a well-configured replica should be rejected with a referral. The chain overlay will intercept the referral and chase it, applying the modification to the master. You need to check why no referral is returned, since the master's value eventually overrides the replica's. Either the configuration uses an identity that bypasses shadow checks (like the updatedn) or some SASL-related code (slap_auxprop_store?) is performing an internal modification with some special flag that bypasses shadow checks. I'm not going to debug this issue right now (no time, sorry), but you should look at something along these lines.
p.
Pierangelo Masarati masarati@aero.polimi.it wrote:
Not necessarily. Every write to a well-configured replica should be rejected with a referral. The chain overlay will intercept the referral and chase it, applying the modification to the master. You need to check why no referral is returned, since the master's value eventually overrides the replica's. Either the configuration uses an identity that bypasses shadow checks (like the updatedn) or some SASL-related code (slap_auxprop_store?) is performing an internal modification with some special flag that bypasses shadow checks.
I beleive the offending code is in servers/slapd/sasl.h:slap_auxprop_store()
It seems we use the authc Id: slap_propnames[SLAP_SASL_PROP_AUTHC]
But there is no special flags: mod->sml_flags = 0;
Nothing in the logs on the master. On the client I have this at bind time: SASL [conn=219246] Error: SASL error opening password file. Do you have write permissions? SASL [conn=219246] Failure: Could not open db for write
But it happens all the time, OTP being used or not.
Pierangelo Masarati masarati@aero.polimi.it wrote:
Not necessarily. Every write to a well-configured replica should be rejected with a referral. The chain overlay will intercept the referral and chase it, applying the modification to the master. You need to check why no referral is returned, since the master's value eventually overrides the replica's. Either the configuration uses an identity that bypasses shadow checks (like the updatedn) or some SASL-related code (slap_auxprop_store?) is performing an internal modification with some special flag that bypasses shadow checks.
I beleive the offending code is in servers/slapd/sasl.h:slap_auxprop_store()
It seems we use the authc Id: slap_propnames[SLAP_SASL_PROP_AUTHC]
But there is no special flags: mod->sml_flags = 0;
Nothing in the logs on the master. On the client I have this at bind time: SASL [conn=219246] Error: SASL error opening password file. Do you have write permissions? SASL [conn=219246] Failure: Could not open db for write
But it happens all the time, OTP being used or not.
I think this is not related. This definitely looks like the known issue that libsasl always tries to check the sasldb, as soon as libsasldb.so is available.
I've never used SASL OTP with slapd, so I'm not aware of all details, can you post how you configured the whole stuff?
What I suspect, in your issue, is that slap_auxprop_store() writes something locally, bypassing the fact that it is writing on a shadow database. Whether having authentications on a shadow database modify the master is the correct behavior or not, it is not entirely clear to me.
Apparently, this is a requirement for OTP, but it might be undesirable in other cases. Consider for example all the issues related to replicating (or not replicating) attributes specific to password policy... things need to be at least discussed to figure out all the details and implications.
p.
On Thu, 3 Dec 2009, Emmanuel Dreyfus wrote:
Most likely it's not. Since almost nobody uses SASL OTP with OpenLDAP, it's never gotten much attention.
What do people use, then?
For what it's worth, our OTP sequences are upstream of OpenLDAP (when encountering an OTP user, OpenLDAP merely works as a proxy, viz. contrib/slapd-modules/passwd/radius.c). Our OTP servers provide RADIUS support so this was a bit of a no-brainer drop in...and of course we had this preexisting infrastructure (for a couple decades at this point) to work with and, for the usual reasons, zero desire to multihome (on legacy + OpenLDAP) the sequence data.
Admittedly from a "ground up" fresh deployment scenario, that would be an unneeded additional service versus your approach; you're Probably On The Right Track strictly speaking. I'm merely answering the "what do people use" with one illustration.
openldap-software@openldap.org
-
Aaron Richton -
Howard Chu -
manu@netbsd.org -
masarati@aero.polimi.it -
Pierangelo Masarati