Reviewing current time handling code, while lutil_parsetime understands and can parse a generalized time that includes fractions of a second, there doesn't seem to be any code that can generate a generalized time string including fractions of a second, in particular to microsecond resolution (to match a struct timeval time)?
I'd like to enhance the current password policy module to use microsecond resolution for the pwdFailureTime attribute, as the current 1 second resolution makes it less than ideal for account lockouts. Currently, it is using slap_timestamp to generate the generalized time to store, which only provides a generalized time with 1 second granularity. On initial review, it looks like simply storing a generalized time with microsecond resolution in the pwdFailureTime attribute is all that is required to enhance the ppolicy module for better account lockout support, because as previously mentioned lutil_parsetime already understands and can parse fractional seconds. I don't see any other code that would need to be modified so far.
The question is how to generate the needed format? One option would be to enhance one way or another the existing generic support, perhaps adding a slap_timestamp_usec function? Another would be to just add a call to gettimeofday() next to the current call to time() in the ppolicy code, generate the generalized time string with slap_timestamp, and then mash the fractional seconds into it.
Ideally I'd like to get this enhancement to ppolicy accepted into the code base, so I'd appreciate some feedback as to what implementation would be preferred for this.
Thanks...
"Paul B. Henson" henson@acm.org schrieb am 29.04.2014 um 05:17 in Nachricht
20140429031735.GC1541@bender.unx.csupomona.edu:
Reviewing current time handling code, while lutil_parsetime understands and can parse a generalized time that includes fractions of a second, there doesn't seem to be any code that can generate a generalized time string including fractions of a second, in particular to microsecond resolution (to match a struct timeval time)?
Here you can see that the C Library has come to ages: stuct tm lacks fractional seconds, nad strftime is based on struct tm. In a similar problem I used a hybrid approach like this:
if ( clock_gettime(CLOCK_REALTIME, &ts) == 0 && localtime_r(&ts.tv_sec, &tm) != NULL && strftime(time_string, sizeof(time_string), "%Y%m%d %H%M%S.hhtuuunnn", &tm) > 0 ) ... fp = time_string + 15; /* .hhtuuu */ ssize_t nsz = 10; rval = snprintf(fp + 1, nsz, "%09ld", ts.tv_nsec); assert(rval < nsz); ...
Ulrich
I'd like to enhance the current password policy module to use microsecond resolution for the pwdFailureTime attribute, as the current 1 second resolution makes it less than ideal for account lockouts. Currently, it is using slap_timestamp to generate the generalized time to store, which only provides a generalized time with 1 second granularity. On initial review, it looks like simply storing a generalized time with microsecond resolution in the pwdFailureTime attribute is all that is required to enhance the ppolicy module for better account lockout support, because as previously mentioned lutil_parsetime already understands and can parse fractional seconds. I don't see any other code that would need to be modified so far.
The question is how to generate the needed format? One option would be to enhance one way or another the existing generic support, perhaps adding a slap_timestamp_usec function? Another would be to just add a call to gettimeofday() next to the current call to time() in the ppolicy code, generate the generalized time string with slap_timestamp, and then mash the fractional seconds into it.
Ideally I'd like to get this enhancement to ppolicy accepted into the code base, so I'd appreciate some feedback as to what implementation would be preferred for this.
Thanks...
From: Ulrich Windl Sent: Monday, April 28, 2014 11:22 PM
Here you can see that the C Library has come to ages: stuct tm lacks fractional seconds, nad strftime is based on struct tm. In a similar problem I used a hybrid approach like this:
Thanks for the example; I was thinking of potentially doing something like that.
Paul B. Henson wrote:
Reviewing current time handling code, while lutil_parsetime understands and can parse a generalized time that includes fractions of a second, there doesn't seem to be any code that can generate a generalized time string including fractions of a second, in particular to microsecond resolution (to match a struct timeval time)?
FWIW:
slapo-accesslog records fractions of a second in attributes reqStart and reqEnd which both are declared use Generalized Time syntax. So there is some code which generates the fraction part. Maybe you have to start looking into ./servers/slapd/overlays/accesslog.c and go further from there.
Looking at the values in my accesslog DB I suspect something might be wrong with the fraction part though. There are always at least three zeros after the dot.
Ciao, Michael.
From: Michael Ströder Sent: Monday, April 28, 2014 11:47 PM
slapo-accesslog records fractions of a second in attributes reqStart and reqEnd which both are declared use Generalized Time syntax.
Cool, thanks for the pointer. It looks like that code uses the second of the options I considered, generating a one second granularity timestamp with the existing function and then mashing the microseconds on top of it. Given that method is evidently acceptable for this module, presumably it would also be acceptable in the password policy module.
char rdnbuf[STRLENOF(RDNEQ)+LDAP_LUTIL_GENTIME_BUFSIZE+8]; [...] slap_timestamp( &op->o_time, ×tamp ); snprintf( timestamp.bv_val + timestamp.bv_len-1, sizeof(".123456Z"), ".%06dZ", op->o_tincr ); timestamp.bv_len += STRLENOF(".123456");
Even more conveniently, it looks like it's getting the microseconds value from a member of the op structure, the ppolicy_bind_response function in servers/slapd/overlays/ppolicy.c also has an op structure passed in, which presumably should have the same microseconds value, so it looks like it would be very trivial to emulate the above timestamp generating code in the password policy module.
Thanks
Since you're talking about changes to actual OpenLDAP code, this discussion belongs in openldap-devel, not openldap-technical.
Paul B. Henson wrote:
Reviewing current time handling code, while lutil_parsetime understands and can parse a generalized time that includes fractions of a second, there doesn't seem to be any code that can generate a generalized time string including fractions of a second, in particular to microsecond resolution (to match a struct timeval time)?
Clearly such code must exist in the source tree, since entryCSNs use microsecond resolution.
I'd like to enhance the current password policy module to use microsecond resolution for the pwdFailureTime attribute, as the current 1 second resolution makes it less than ideal for account lockouts. Currently, it is using slap_timestamp to generate the generalized time to store, which only provides a generalized time with 1 second granularity. On initial review, it looks like simply storing a generalized time with microsecond resolution in the pwdFailureTime attribute is all that is required to enhance the ppolicy module for better account lockout support, because as previously mentioned lutil_parsetime already understands and can parse fractional seconds. I don't see any other code that would need to be modified so far.
The question is how to generate the needed format? One option would be to enhance one way or another the existing generic support, perhaps adding a slap_timestamp_usec function? Another would be to just add a call to gettimeofday() next to the current call to time() in the ppolicy code, generate the generalized time string with slap_timestamp, and then mash the fractional seconds into it.
gettimeofday() only exists on POSIX systems; if you're adding a generic slap_xxx function it has to be portable across Windows and other OSs too.
Ideally I'd like to get this enhancement to ppolicy accepted into the code base, so I'd appreciate some feedback as to what implementation would be preferred for this.
Thanks...
openldap-technical@openldap.org
-
Howard Chu -
Michael Ströder -
Paul B. Henson -
Ulrich Windl