#205 Data entry and Synchronisation problems with multiple open databases

Milestone: KeePass_2.x
Status: closed
Owner: nobody
Labels: None
Priority: 5
Updated: 2013-06-26
Created: 2013-06-21
Creator: Mark
Private: No

Using KeePass 2.22.

Because KeePass doesn't have granular access security, I have had to create three databases on our network and then, using AD Group Policies, grant access to one or more of the databases depending on each user's role, etc. The three databases are for Desktop Support, Network Infrastructure, and System Administration.

Because all users have full access to the databases they open, I decided to use triggers to first create a copy of all the databases they have been given access to in an In_Use directory, prefixed with their username. The trigger then opens these copied files as tabs in the KeePass window.

If I have a single database open everything works fine, i.e. the trigger copies the master database and changes are then automatically synchronised with the master file, but when I have more than one database open at the same time the problems begin.


Scenario 1 - Three databases open in KeePass sharing the same composite master key (key file and master password).

I have the copies of all three databases open in this order: Desktop, Network, SysAdmin. When I create or make a change in mdavies-Desktop.kdbx, the trigger I created saves and synchronises the active database. The problem is that when I synchronise the other two databases, e.g. mdavies-Network.kdbx and mdavies-SysAdmin.kdbx, it copies the changes made to mdavies-Desktop.kdbx to these databases as well.

Why does it copy them across all the open databases?


Scenario 2 - Three databases open in KeePass sharing the same key file, but each with a different master password.

If the three databases share the same key file but have different master passwords, then the entries do not get copied/synchronised between the open databases as in Scenario 1. The problem is that the synchronisation trigger on the 2nd and 3rd open databases fails with an error.

As I said, I have a trigger which detects when a change is made to the active database, saves it and then synchronises it with its master, i.e. a change is made to the 1st open database mdavies-Desktop.kdbx, which is saved and then synchronised to the master file Desktop.kdbx. As mdavies-Desktop.kdbx is the first open database, the trigger works fine. If I make a change to the second or third open database, i.e. mdavies-Network.kdbx or mdavies-SysAdmin.kdbx, the trigger runs and saves the database OK but gives an error when it tries to synchronise to its scripted master: "The composite key is invalid. Make sure that the two databases use the same composite master key. This is required for synchronization." If I manually synchronise the 2nd or 3rd database to its relevant master file, the synchronisation works fine. It is only the trigger that gives the error.

Why?


I realise that KeePass is not really built for this type of usage, but it is the best one available without spending a fortune on an AD-integrated password management application.

If the synchronisation trigger could work correctly when more than one database is open, then it would be perfect.

I am attaching a copy of the triggers I have created.

I need to implement a password management tool in my organisation as a matter of urgency, so any help/patch that can be done quickly would be greatly appreciated.

Thanks.

1 Attachment

Discussion

  • Dominik Reichl
    2013-06-26

    • status: open --> closed

  • Dominik Reichl
    2013-06-26

    • Triggers that run on the 'User interface state updated' and database closing events should, as their first action, disable themselves, then perform their actual actions, and finally re-enable themselves. If this is not done, various unwanted effects may occur, e.g. infinite loops, see
      http://keepass.info/help/kb/trigger_examples.html#infiniteloop

    • Your triggers 'PRNE_* Sync' do not test which database is affected. For example, the trigger 'PRNE_Network Sync' also runs for the 'Desktop' database. In order to avoid this, you could e.g. add a trigger condition 'String' that tests the string '{DB_NAME}' for equivalence with '%USERNAME%_PRNE_Network.kdbx'.

    Best regards,
    Dominik