KDC LDAP referral handling broken
Paul B. Henson
henson at acm.org
Tue Mar 20 20:49:12 EDT 2012
On Tue, Mar 20, 2012 at 09:23:52AM -0700, Greg Hudson wrote:
> 1. Slave KDCs would be attempting to write to the master with some
> frequency (every successful preauthenticated AS request if
> disable_last_success isn't turned on, and every failed preauthenticated
> AS request if disable_lockout isn't set). If the master KDC host goes
> down, the slave KDCs would probably become useless due to timeouts
> attempting to contact the master.
>
> 2. Given the relatively high frequency of referrals to the master, there
> would be a strong temptation to keep the referred connections open to
> avoid constantly reconnecting and rebinding. This would raise the risk
> of coding error causing those cached connections to be used for the
> wrong operations.
The current implementation *already* follows the referral, it just
doesn't authenticate the connection. If the master being referred to
allowed anonymous writes ;), it would just work. But given the
unlikelihood of such a configuration...
So intuitively it seems the issues you raise are already part of the
existing implementation, and the change we propose would simply allow
the functionality to work correctly in a more common configuration
scenario :).
> Architecturally, it seems superior to arrange for the attributes written
> to by a KDC to be non-replicated.
Ehhh... Actually, I'd consider it kind of non-ideal for each KDC to have
its own separate view of failure counts; it makes lockout policies a lot
more vague.
--
Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst | henson at csupomona.edu
California State Polytechnic University | Pomona CA 91768