We used to update the iprop log and HDB in different orders depending on
the kadm5 operation, which then led to various race conditions.
The iprop log now functions as a two-phase commit (with roll forward)
log for HDB changes. The log is auto-truncated, keeping the latest
entries that fit in a configurable maximum number of bytes (defaults to
50MB). See the log-max-size parameter description in krb5.conf(5).
The iprop log format and the protocol remain backwards-compatible with
earlier versions of Heimdal. This is NOT a flag-day; there is NO need
to update all the slaves at once with the master, though it is advisable
in general. Rolling upgrades and downgrades should work.
The sequence of updates is now (with HDB and log open and locked):
a) check that the HDB operation will succeed if attempted,
b) append to iprop log and fsync() it,
c) write to HDB (which should fsync()),
d) mark last log record committed (no fsync in this case).
Every kadm5 write operation recover transactions not yet confirmed as
committed, thus there can be at most one unconfirmed commit on a master
KDC.
Reads via kadm5_get_principal() also attempt to lock the log, and if
successful, recover unconfirmed transactions; readers must have write
access and must win any race to lock the iprop log.
The ipropd-master daemon also attempts to recover unconfirmed
transactions when idle.
The log now starts with a nop record whose payload records the offset of
the logical end of the log: the end of the last confirmed committed
transaction. This is kown as the "uber record". Its purpose is
two-fold: act as the confirmation of committed transactions, and provide
an O(1) method of finding the end of the log (i.e., without having to
traverse the entire log front to back).
Two-phase commit makes all kadm5 writes single-operation atomic
transactions (though some kadm5 operations, such as renames of
principals, and changes to principals' aliases, use multiple low-level
HDB write operations, but still all in one transaction). One can still
hold a lock on the HDB across many operations (e.g., by using the lock
command in a kadmin -l or calling kadm5_lock()) in order to push
multiple transactions in sequence, but this sequence will not be atomic
if the process or host crashes in the middle.
As before, HDB writes which do not go through the kadm5 API are excluded
from all of this, but there should be no such writes.
Lastly, the iprop-log(1) command is enhanced as follows:
- The dump, last-version, truncate, and replay sub-commands now have an
option to not lock the log. This is useful for inspecting a running
system's log file, especially on slave KDCs.
- The dump, last-version, truncate, and replay sub-commands now take an
optional iprop log file positional argument, so that they may be used
to inspect log files other than the running system's
configured/default log file.
Extensive code review and some re-writing for clarity by Viktor Dukhovni.
A careful code review was undertaken, and it was determined
that the best way to store the extended attributes was in a
native ASN1 encoded field. LDAP does not understand the
SEQUENCE of SEQUENCE structures used extensively throughout
the extended attributes structure, and there was already a
precedent set for storing the krb5Key data in a native ASN1
encoded field.
The hdb_ldap_create and hdb_ldapi_create prototypes use the "static"
keyword, but the functions themselves are not implemented as static.
Heimdal's buildsystem dynamically adds function declarations to
hdb-protos.h based on the actual function implementations. Those
declarations in hdb-protos.h are not declared as static.
Since the build system generates the declarations dynamically, just
remove them from hdb-ldap.c.
This uses a seperate hdb-ldap-secret-file configuration value, which
specifies an external file that may be used to supply the LDAP bind dn
and password. This allows that specific file to be configured with more
restrictive permissions than the global krb5.conf.
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
Commit 9f696b11c2 changed the
behaviour of key expiry for principals that have an sambaPwdLastSet
attribute in LDAP. The change was twofold:
* if "password_lifetime" is not set in kdc.conf a default lifetime
of 1 year is enforced
* krb5PasswordEnd is not honoured.
This patch causes pw_end to be modified only if sambaPwdLastSet
*and* "password_lifetime" is defined in kdc.conf.
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
A typo in LDAP__lookup_princ makes using existing LDAP entries broken,
a new entry is always created even if an entry with proper uid and
structural objectclass can be found.
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
Johan Gadsjö did a awesome analysis of the LDAP access pattens
and sent us a patch that reduced the calls the ldap server by 4
times as many. The patch was adopted and change to avoid compile
time depencies and make the determination runtime instead. Thanks!
ldap special characters, this should really be quoting instead.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23941 ec53bebd-3082-4978-b11e-865c3cabbd6b
Idea from Andreas Hasenack.
While here, set pw change time using sambaPwdLastSet
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17654 ec53bebd-3082-4978-b11e-865c3cabbd6b
(hdb_ldap_common): change "arg" in condition (if) to "search_base"
(hdb_ldapi_create): change "serach_base" to "search_base"
From Alex V. Labuta.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@16862 ec53bebd-3082-4978-b11e-865c3cabbd6b
Nicolas Williams