Re: (ITS#8185) Clarification/enhancement request: purging stale pwdFailureTime attributes



Thanks for the heads-up Quanah. Looks like you've found a serious 
problem with multi-master replication, good to know about. In my case, 
we're just using single-master replication, so we're able to dodge the 
problem you describe for the time being.

Just to clarify though -- once ITS#8125 is resolved, this enhancement 
shouldn't pose any additional problems for MMR sites, right?

Thanks,

     -Kartik

On 07/06/2015 12:18 PM, Quanah Gibson-Mount wrote:
> I would note that:
>
> IF using delta-syncrepl
> AND the data values are replicated
> AND authentication attempts can occur against different LDAP masters
>
> You can run into *serious* drift between servers if you try and 
> implement this, causing endless refresh mode runs that cause the 
> servers to get further out of sync.  See 
> <http://www.openldap.org/its/index.cgi/?findid=8125>.
>
> More specifically:
>
> If a client has (most often) a mobile device with a bad password, and 
> its authentication attempts are bouncing between masters, even with 
> high resolution timestamps, you can get collisions in the delete op 
> for old values that cannot be reconciled, causing fallback/refresh.
>
>
> --Quanah
>
> -- 
>
> Quanah Gibson-Mount
> Platform Architect
> Zimbra, Inc.
> --------------------
> Zimbra ::  the leader in open source messaging and collaboration