kdc ldap referral handling broken

Paul B. Henson henson at acm.org
Tue Mar 20 20:49:12 EDT 2012


On Tue, Mar 20, 2012 at 09:23:52AM -0700, Greg Hudson wrote:

> 1. Slave KDCs would be attempting to write to the master with some
> frequency (every successful preauthenticated AS request if
> disable_last_success isn't turned on, and every failed preauthenticated
> AS request if disable_lockout isn't set).  If the master KDC host goes
> down, the slave KDCs would probably become useless due to timeouts
> attempting to contact the master.
>
> 2. Given the relatively high frequency of referrals to the master, there
> would be a strong temptation to keep the referred connections open to
> avoid constantly reconnecting and rebinding.  This would raise the risk
> of coding error causing those cached connections to be used for the
> wrong operations.

The current implementation *already* follows the referral, it just
doesn't authenticate the connection. If the master being referred to
allowed anonymous writes ;), it would just work. But given the
unlikelihood of such a configuration...

So intuitively it seems the issues you raise are already part of the
existing implementation, and the change we propose would simply allow
the functionality to work correctly in a more common configuration
scenario :).

> Architecturally, it seems superior to arrange for the attributes written
> to by a KDC to be non-replicated.

Ehhh... Actually, I'd consider it kind of non-ideal for each kdc to have
its own separate view of failure counts; it makes lockout policies a lot
more vague.


-- 
Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst  |  henson at csupomona.edu
California State Polytechnic University  |  Pomona CA 91768