Radovan Semancik wrote:
On 02/22/2016 12:53 PM, Michael Ströder wrote:
Radovan Semancik wrote:
E.g. imagine that two clients adds user to the same group.
What's the rationale for doing that?
There are two independent clients. Do you need an explicit rationale for each of them to do the same operation at the same time?
I need a rationale for both clients succeeding for this same operation.
BTW: You would have to further specify what "same operation" really means in detail.
But OK, let's get more specific. Consider this example: midPoint is an IDM system.
Yes, I saw your presentation at LDAPcon.
Which results in error. So, in midPoint we had to implement quite complex error handling on top of that to make sure that we can handle all situations.
There's no way around having decent error handling anyway. Permissive modify control won't help you there in general. And catching attributeOrValueExists and gracefully handle it is not a big deal.
Something tells me that other LDAP clients will not do that.
Yes for sure, there are many stupid LDAP clients out there.
Please note that this case is not specific to midPoint. Any IDM has to do the same thing.
Yes.
Bear in mind that maintaining group entries has a serious security impact!
Agreed. But how exactly is "security impact" influencing consistency model of the LDAP sever?
As said: I've decided to handle groups in web2ldap in specific way and to provoke failure for concurrent writes based on stale data in general.
Many years ago with brand new W2K there was a bug in MMC where the MMC client always replaced all values with a "new" set of values. That re-added group membership which was removed by another client instance before.
Well, that was really a bug in the client, wasn't it? And that's exactly what should be fixed in the client, right? That's the reason why add/delete should be used instead or replace. But I'm talking about add/delete case here.
You have to define more details of what you're really doing.
As said: It' sane to add/remove distinct attribute values and you can do that concurrently. You don't need permissive modify control for that.
BTW: Even when using the permissive modify control you would have to read the old entry for removing attribute values.
Why? I know the DN of the user and I know the DN of the group, why should I read the (potentially very long) list of all group members to make a simple operation?
I don't know the operations sent by your client. Either I have some doubts that you need permissive modify control at all or I have some doubts that your client does things right. Choose yourself.
But hey, you don't have to follow my advice. Just try and see yourself.
Ciao, Michael.