Setup would be as follows be1.foo.com is Master - (dc=foo,dc=com) be2.foo.com is Consumer to be1, configured to chain on update - (dc=foo,dc=com)
compromised It should be viewed as problematic that the database on a consumer could be directly modified by "cn=directory manager" and those changes are not reflected on the Master (or other masters, hubs, or consumers, for that matter)
Hypothetically speaking... "cn=directory manager" could bind to be1.foo.com and modify the following dn.. dn: uid=jim,dc=foo,dc=com changetype: modify replace: sn sn: changed on be1
I could then search be1.foo.com (Master) and be2.foo.com (consumer) and find the value for "sn" on "uid=jim,dc=foo,dc=com" is "changed on be1" on both servers
The above makes sense.
Now, If i were to make the same change to be2... "cn=directory manager" binds to be2.foo.com and modifies .. changetype: modify replace: sn sn: changed on be2
I would then search be1.foo.com (Master) and find sn to have a value of "changed on be1" a search of be2.foo.com (Consumer) would show sn has a value of "changed on be2"
It seems this could have a detrimental effect on the integrity of the environment.
Possible Options: A) ensure "cn=directory manager"s actions on a consumer/ "chain on update" are replicated (chain directory manager's changes to userRoot); B) prevent ^ from making changes to userRoot/(dc=foo,dc=com) that will not be replicated/chained; C) give ^ a referral to a master if changes are destined for userRoot/(dc=foo,dc=com); D) ?
Replying to [ticket:314 jamespfinn]:
Possible Options: A) ensure "cn=directory manager"s actions on a consumer/ "chain on update" are replicated (chain directory manager's changes to userRoot);
This is a security risk - it effectively gives you directory manager rights to a remote server.
B) prevent ^ from making changes to userRoot/(dc=foo,dc=com) that will not be replicated/chained;
This defeats the purpose of chain on update.
C) give ^ a referral to a master if changes are destined for userRoot/(dc=foo,dc=com);
D) ?
Any ideas?
I'd also reccomend the Howto wiki (http://directory.fedoraproject.org/wiki/Howto:ChainOnUpdate) be updated to reflect the existence of this condition.
set default ticket origin to Community
Added initial screened field value.
I think applying dir manager changes locally also defeats the purpose of chaining on update. Maybe we can add a cofiguration option for the chaining backend to determine the behaviour for updates by directory manager: a) update local (default) b) send a referral c) reject upodate So it would be fully under control by admins and default behaviour wouldn't change
attachment 0001-First-attempt-to-fix-ticket-314.patch
I started to implement my suggested changes with three options for changes attempted by root dn: local, chain, reject
None is satisfactory so far: With "local" the first change as root crashed the server, see ticket: #47503, further changes did succed locally "chain" does not work as root, since the chaining is using the proxy auth control and this is rejected by the master: root cannot be proxydn "reject" works, but there are changes affecting mapping tree code and backend selection and all callers of slapi_mapping_tree_select() need to be checked if they will correctly handle return code or NULL backends
I implemented the options local, reject, referral Below is the output of a testrun
nsslapd-distribution-root-update: referral
ldapmodify -p 1392 -h localhost -x -D "cn=directory manager" dn: cn=HR Managers,ou=Groups,dc=redhat,dc=com changetype: modify add: description description: root update
modifying entry "cn=HR Managers,ou=Groups,dc=redhat,dc=com" ldap_modify: Referral (10) matched DN: dc=redhat,dc=com referrals: ldap://elkris.redhat.com:1391
nsslapd-distribution-root-update: reject
modifying entry "cn=HR Managers,ou=Groups,dc=redhat,dc=com" ldap_modify: Server is unwilling to perform (53)
nsslapd-distribution-root-update: local
modifying entry "cn=HR Managers,ou=Groups,dc=redhat,dc=com"
ldapsearch -LLL -o ldif-wrap=no -x -p 1392 -h localhost -D "cn=directory manager" -w ... -b "dc=redhat,dc=com" "cn=HR Managers" description dn: cn=HR Managers,ou=Groups,dc=redhat,dc=com description: chained update description: root update
ldapsearch -LLL -o ldif-wrap=no -x -p 1391 -h localhost -D "cn=directory manager" -w ... -b "dc=redhat,dc=com" "cn=HR Managers" description dn: cn=HR Managers,ou=Groups,dc=redhat,dc=com description: chained update
attachment 0001-Ticket-314-ChaiOnUpdate-for-root-handling.patch
Please use #define constants instead of -2 and -3. Otherwise, looks good.
attachment 0002-Use-defines-for-backend-error-handling.patch
patch with defines attached, if the naming is ok I'll commit
There were no comments on the chosen constants naming, so I'll commit
$ git merge ticket314 Updating 5f5b355..8c216a9 Fast-forward ldap/servers/plugins/replication/replutil.c | 12 +++++++++--- ldap/servers/slapd/mapping_tree.c | 96 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++------------- ldap/servers/slapd/slapi-plugin.h | 5 +++++ ldap/servers/slapd/slapi-private.h | 3 +++ 4 files changed, 100 insertions(+), 16 deletions(-) $ git push origin master Counting objects: 30, done. Delta compression using up to 4 threads. Compressing objects: 100% (20/20), done. Writing objects: 100% (20/20), 3.06 KiB, done. Total 20 (delta 16), reused 0 (delta 0) To ssh://git.fedorahosted.org/git/389/ds.git 5f5b355..8c216a9 master -> master
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1044152
Metadata Update from @jamespfinn: - Issue assigned to lkrispen - Issue set to the milestone: 1.3.2 - 09/13 (September)
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/314
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: Fixed)
Login to comment on this ticket.