Re: How to obtain a 'version number' of an attributes
Quanah Gibson-Mount wrote:
> --On Tuesday, May 25, 2010 5:11 AM +0200 masar...@aero.polimi.it wrote:
>> This way, the modification is atomic. As usual, this could be
>> accomplished by stacking an overlay that intercepts modifications to
>> specified attributes, like unicodePwd.
>>
>> Can you formalize this a little bit more?
>
> Imagine the possibilities if you could generalize this for uidNumber's too...

Maybe I misunderstood the posting but IMHO that's a different use-case: The
msDS-KeyVersionNumber is per user entry and AFAICS does not have to be unique
across the whole directory.

IMO it's not possible to implement a directory-wide whatever-unique-ID
generator without a central UID pool entry.

Ciao, Michael.
Re: How to obtain a 'version number' of an attributes
> Quanah Gibson-Mount wrote:
>> --On Tuesday, May 25, 2010 5:11 AM +0200 masar...@aero.polimi.it wrote:
>>> This way, the modification is atomic. As usual, this could be
>>> accomplished by stacking an overlay that intercepts modifications to
>>> specified attributes, like unicodePwd.
>>>
>>> Can you formalize this a little bit more?
>>
>> Imagine the possibilities if you could generalize this for uidNumber's too...
>
> Maybe I misunderstood the posting but IMHO that's a different use-case: The
> msDS-KeyVersionNumber is per user entry and AFAICS does not have to be unique
> across the whole directory.
>
> IMO it's not possible to implement a directory-wide whatever-unique-ID
> generator without a central UID pool entry.

Yes, if I understand Quanah's point correctly, what he wants to have is already
provided by rfc4525 + rfc4527: increment with pre- or post-read, to atomically
increment and read a (central) counter.

p.
How to obtain a 'version number' of an attributes
I've got a little challenge... there is an attribute in AD called
msDS-KeyVersionNumber. In AD this operational attribute increments each time
the unicodePwd attribute is updated. It is typically a small integer, being
the number of times that the password has ever been changed.

In Samba4, we maintain this by looking into our replication metadata
(replPropertyMetaData), and returning a counter that is maintained there.

I could maintain this manually from Samba's side (this is what we did in the
past), but I wanted to first check if there was something already stored that
I could convert.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
Re: How to obtain a 'version number' of an attributes
Andrew Bartlett wrote:
> I've got a little challenge... there is an attribute in AD called
> msDS-KeyVersionNumber. In AD this operational attribute increments each time
> the unicodePwd attribute is updated. It is typically a small integer, being
> the number of times that the password has ever been changed.
>
> In Samba4, we maintain this by looking into our replication metadata
> (replPropertyMetaData), and returning a counter that is maintained there.
>
> I could maintain this manually from Samba's side (this is what we did in the
> past), but I wanted to first check if there was something already stored that
> I could convert.

We don't keep a counter on the LDAP side. However, the Heimdal KDC maintains
the keyVersionNumber, and it seems to me that you'd have that integrated here
as well.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
Re: How to obtain a 'version number' of an attributes
On Tue, 2010-05-25 at 05:11 +0200, masar...@aero.polimi.it wrote:
>> I've got a little challenge... there is an attribute in AD called
>> msDS-KeyVersionNumber. In AD this operational attribute increments each
>> time the unicodePwd attribute is updated. It is typically a small integer,
>> being the number of times that the password has ever been changed.
>>
>> In Samba4, we maintain this by looking into our replication metadata
>> (replPropertyMetaData), and returning a counter that is maintained there.
>>
>> I could maintain this manually from Samba's side (this is what we did in
>> the past), but I wanted to first check if there was something already
>> stored that I could convert.
>
> If I understand correctly what you're asking for, modifications of the
> unicodePwd attribute should be accompanied by modify:increment of a
> counter. Something like:
>
> dn: cn=someone
> changetype: modify
> replace: unicodePwd
> unicodePwd:: some value
> -
>
> should be transformed into
>
> dn: cn=someone
> changetype: modify
> replace: unicodePwd
> unicodePwd:: some value
> -
> increment: msDS-KeyVersionNumber
> msDS-KeyVersionNumber: 1
> -
>
> This way, the modification is atomic. As usual, this could be accomplished
> by stacking an overlay that intercepts modifications to specified
> attributes, like unicodePwd.
>
> Can you formalize this a little bit more?

That's pretty much what I was looking for. The exact semantics don't matter
too much, but this I need:

 - a 'small' monotonically increasing integer
 - only increases for unicodePwd, not other updates.
 - always strictly related to the unicodePwd value it was incremented for
   (as it will be used as an abstract identifier, along with the
   DN/samaccountname/etc to identify the secret unicodePwd value).

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
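The rewrite Pierangelo describes, as an added example that is not part of this thread and not OpenLDAP's or Samba's code: a small Python LDIF rewriter that parses an unfolded `changetype: modify` record and, only when the record adds or replaces unicodePwd, appends the RFC 4525 `increment` of msDS-KeyVersionNumber to the same record, which is what ties the counter to the password atomically (a slapd overlay would apply the same rule to the in-flight modlist on the server side). Attribute names come from the thread; the record layout, value encoding and helper names are assumptions.

```python
import base64

OPS = ("add", "delete", "replace", "increment")

def _split(line):
    """'attr: v' -> (attr, b'v'); 'attr:: b64' -> (attr, decoded bytes)."""
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):
        return attr, base64.b64decode(rest[1:].strip())
    return attr, rest.strip().encode()

def parse_modify(ldif):
    """One unfolded 'changetype: modify' record -> (dn, [[op, attr, [values]], ...])."""
    lines = ldif.strip().splitlines()
    if not lines[0].startswith("dn: ") or lines[1] != "changetype: modify":
        raise ValueError("not an LDIF modify record")
    mods, cur = [], None
    for line in lines[2:]:
        if line == "-":                       # closes one modification
            mods.append(cur)
            cur = None
        elif cur is None:                     # e.g. 'replace: unicodePwd'
            op, attr = _split(line)
            if op not in OPS:
                raise ValueError("unknown modify op %r" % op)
            cur = [op, attr.decode(), []]
        else:                                 # attribute value line
            cur[2].append(_split(line)[1])
    if cur is not None:                       # record without trailing '-'
        mods.append(cur)
    return lines[0][4:], mods

def add_kvno_increment(mods, pwd_attr="unicodePwd", kvno_attr="msDS-KeyVersionNumber"):
    """Append 'increment: kvno_attr' only when the record sets pwd_attr (add/replace)
    and no such increment is present yet, so the counter moves only with the password."""
    sets_pwd = any(op in ("add", "replace") and a.lower() == pwd_attr.lower() for op, a, _ in mods)
    has_inc = any(op == "increment" and a.lower() == kvno_attr.lower() for op, a, _ in mods)
    return mods + [["increment", kvno_attr, [b"1"]]] if sets_pwd and not has_inc else mods

def to_ldif(dn, mods):
    """Serialise back to LDIF, using the '::' base64 form for unsafe values."""
    out = ["dn: " + dn, "changetype: modify"]
    for op, attr, vals in mods:
        out.append("%s: %s" % (op, attr))
        for v in vals:
            safe = all(32 <= b < 127 for b in v) and not v.startswith((b" ", b":", b"<"))
            out.append("%s: %s" % (attr, v.decode()) if safe
                       else "%s:: %s" % (attr, base64.b64encode(v).decode()))
        out.append("-")
    return "\n".join(out) + "\n"
```

Because both modifications travel in one LDAP Modify, the server either applies the new password together with the bumped counter or rejects both, and a record that touches only other attributes passes through unchanged.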
Re: How to obtain a 'version number' of an attributes
--On Tuesday, May 25, 2010 5:11 AM +0200 masar...@aero.polimi.it wrote:
> This way, the modification is atomic. As usual, this could be accomplished
> by stacking an overlay that intercepts modifications to specified
> attributes, like unicodePwd.
>
> Can you formalize this a little bit more?

Imagine the possibilities if you could generalize this for uidNumber's too...

--Quanah

--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
Zimbra ::  the leader in open source messaging and collaboration