
Re: ITS #7161, ppolicy pwdFailureTime resolution should be better than 1 second



Michael Ströder wrote:
Paul B. Henson wrote:
On Fri, May 23, 2014 at 08:51:02PM -0700, Howard Chu wrote:

The *failure* occurred at that instant, not at the instant the request was
received. It is simply a matter of correctness.

For my purposes, it doesn't really matter whether the bind is considered
to have failed as of when it was attempted vs when all the processing
was completed, so if you prefer the latter I'll rework my patch to keep
those semantics.

You need to actually use microseconds, since the time-increment is
only unique on the local server and will not guarantee uniqueness in a
replication scenario.

Ah, good point.

But even with exact microseconds uniqueness cannot be guaranteed in a
replication scenario.

True, but collisions will be extremely rare, which cannot be said for using the time-increment.

I also wonder what people who want to see pwdFailureTime replicated expect
when bind requests are load-balanced to different replicas - not unusual.

In the single-master case it's anybody's guess what anyone would expect. In a multi-master case it's clear that the expectation is that all servers maintain identical counts.

I don't think that you can meet the expectations of your IT sec folks
regarding exact failure count.

Ciao, Michael.




--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
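The collapsing effect the thread describes, as an added illustration that is not part of the ITS or of OpenLDAP's own code: pwdFailureTime is a multi-valued attribute, so any two failures that format to the same GeneralizedTime string end up as a single value, and the lockout count silently drops. The burst timestamps and the split of failures across two replicas below are constructed.

```python
from datetime import datetime, timedelta, timezone


def generalized_time(ts: datetime, resolution: str = "seconds") -> str:
    """Format a UTC datetime as LDAP GeneralizedTime (RFC 4517).

    "seconds" gives the 1-second form (YYYYMMDDHHMMSSZ); "microseconds"
    appends the fractional-seconds part the syntax allows.
    """
    base = ts.strftime("%Y%m%d%H%M%S")
    if resolution == "microseconds":
        return f"{base}.{ts.microsecond:06d}Z"
    return f"{base}Z"


def record_failures(failure_times, resolution="seconds"):
    """What pwdFailureTime holds after a burst of failed binds.

    A multi-valued attribute is a set of distinct values, so failures that
    collapse to the same string are stored only once.
    """
    return sorted({generalized_time(t, resolution) for t in failure_times})


# Constructed burst: five failed binds 150 ms apart, straddling a second boundary.
T0 = datetime(2014, 5, 23, 20, 51, 2, 400_000, tzinfo=timezone.utc)
BURST = [T0 + timedelta(milliseconds=150 * i) for i in range(5)]


def local_count(resolution="seconds"):
    """Failures a single server would count for the burst."""
    return len(record_failures(BURST, resolution))


def replicated_count(resolution="seconds"):
    """Failures counted after merging values from two load-balanced replicas.

    Constructed split: replica A saw the first three binds, replica B the
    last two; replication merges the attribute values as a set.
    """
    merged = set(record_failures(BURST[:3], resolution))
    merged.update(record_failures(BURST[3:], resolution))
    return len(merged)


if __name__ == "__main__":
    for res in ("seconds", "microseconds"):
        print(res, "local:", local_count(res), "replicated:", replicated_count(res))
```

With 1-second resolution the five failures shrink to two distinct values both locally and after replication; with microseconds all five survive.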