https://bugs.openldap.org/show_bug.cgi?id=10313
Issue ID: 10313
Summary: 3-way multimaster oathHOTPCounter attribute update code missing
Product: OpenLDAP
Version: 2.6.6
Hardware: x86_64
OS: Linux
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs@openldap.org
Reporter: agrru01@gmail.com
Target Milestone: ---
I posted on openldap technical mail list and got a response saying I should file a feature request.
I am using a 3-way multimaster syncrepl setup with the slapo-otp module. My problem is that when authenticating with a user using HOTP, the attribute oathHOTPCounter only updates the value on the target ldap instance. This means the other two ldap instances do not get the updated HOTP-counter value and therefore will allow authentication using the same HOTP code.
Interestingly enough, if I manually edit the oathHOTPCounter value it synchronizes with the other masters.
Please see the technical mail list discussion: https://lists.openldap.org/hyperkitty/list/openldap-technical@openldap.org/t...
Quanah Gibson-Mount quanah@openldap.org changed:

What             |Removed           |Added
----------------------------------------------------------------------------
Assignee         |bugs@openldap.org |ondra@mistotebe.net
Keywords         |needs_review      |
Target Milestone |---               |2.6.10
--- Comment #1 from Ondřej Kuzník ondra@mistotebe.net ---
Hi, on a provider this should work and trying it with the in-tree tests, I'm definitely getting changes passed on on a session. Do you have otp configured on the DB or as a global overlay? If on the DB, can you check you have the right order of overlays (otp after syncrepl, and probably accesslog if present)?
On a read-only consumer this is currently not forwarded as Quanah noted but that doesn't seem to be the situation you describe here, so I'd like to deal with yours first.
Ondřej Kuzník ondra@mistotebe.net changed:

What             |Removed |Added
----------------------------------------------------------------------------
Target Milestone |2.6.10  |2.6.11
--- Comment #2 from agrru01@gmail.com ---
Created attachment 1061 --> https://bugs.openldap.org/attachment.cgi?id=1061&action=edit
ldap config
--- Comment #3 from agrru01@gmail.com ---
Hi, I did use the wrong order of the overlay previously. I corrected the order and did some testing and my problem still persists. The attribute oathHOTPCounter only gets updated on the target ldap. I tested this using "ldapwhoami".
I attached the ldap config I'm using. See if you can find any obvious errors.
Ondřej Kuzník ondra@mistotebe.net changed:

What           |Removed     |Added
----------------------------------------------------------------------------
Ever confirmed |0           |1
Status         |UNCONFIRMED |IN_PROGRESS

--- Comment #4 from Ondřej Kuzník ondra@mistotebe.net ---
https://git.openldap.org/openldap/openldap/-/merge_requests/794
To enable chaining we need to prevent token reuse/reverts in a more reliable way. Being much stricter, this can make existing deployments behave differently. As such, these changes might not be LTS compatible and postponing towards 2.7 sounds like a better idea. Rest of that MR should still reach 2.6 on the other hand.
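The following is an added illustration, not code from OpenLDAP or the slapo-otp overlay. It models the two points this thread turns on: the reporter's observation that an oathHOTPCounter advanced only on the provider that handled the bind lets the same HOTP code be accepted by a peer, and the stricter counter tracking comment #4 describes, under which a counter modification that does not move forward is refused. The HOTP function follows RFC 4226; the three-provider cluster, the look-ahead window of 5 and the acceptance rule in `apply_counter_mod` are assumptions made for this model and are not the overlay's actual configuration or logic.

```python
"""Added example (not OpenLDAP/slapo-otp code): why an HOTP counter that is
updated only on the server that handled the bind allows a peer to accept the
same code again, and why chained counter mods must be strictly increasing."""
import hashlib
import hmac
import struct

# Constructed test secret: the RFC 4226 Appendix D test-vector key.
SECRET = b"12345678901234567890"
# Look-ahead window for this model only; an assumption, not the overlay's setting.
WINDOW = 5


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Provider:
    """One replica holding a user's oathHOTPCounter (hypothetical model)."""

    def __init__(self, name: str):
        self.name = name
        self.counter = 0  # oathHOTPCounter: next counter value expected from the token
        self.peers = []   # the other providers in the multimaster ring

    def apply_counter_mod(self, new_value: int) -> bool:
        """Strict counter tracking (models the rule described in comment #4):
        only a forward move is accepted; a reuse or revert to an older value is refused."""
        if new_value <= self.counter:
            return False
        self.counter = new_value
        return True

    def bind(self, code: str, replicate: bool) -> bool:
        """Validate an HOTP code within the look-ahead window. On success advance the
        counter locally and, if replicate is set, chain the same mod to every peer."""
        for c in range(self.counter, self.counter + WINDOW):
            if hmac.compare_digest(hotp(SECRET, c), code):
                self.apply_counter_mod(c + 1)
                if replicate:
                    for peer in self.peers:
                        peer.apply_counter_mod(c + 1)
                return True
        return False


def cluster():
    """Three providers, each aware of the other two (constructed topology)."""
    a, b, c = Provider("A"), Provider("B"), Provider("C")
    for p in (a, b, c):
        p.peers = [q for q in (a, b, c) if q is not p]
    return a, b, c


def peer_accepts_used_code(replicate: bool) -> bool:
    """Bind with one code on A, then present the same code to B.
    Returns True if B accepts it, i.e. the counter did not reach B."""
    a, b, _ = cluster()
    code = hotp(SECRET, 0)
    if not a.bind(code, replicate):
        raise RuntimeError("first bind on A should succeed")
    return b.bind(code, replicate)


def counters_after_replicated_bind():
    """Counter values on all three providers once a bind on A is chained to its peers."""
    a, b, c = cluster()
    a.bind(hotp(SECRET, 0), replicate=True)
    return [a.counter, b.counter, c.counter]


def revert_refused() -> bool:
    """After the chained bind, a mod that would move C's counter back to 0 is refused."""
    _, _, c = cluster()
    c.peers[0].bind(hotp(SECRET, 0), replicate=True)
    return not c.apply_counter_mod(0)


if __name__ == "__main__":
    print("local-only update, peer accepts same code:", peer_accepts_used_code(False))
    print("chained update, peer accepts same code:   ", peer_accepts_used_code(True))
    print("counters after chained bind:", counters_after_replicated_bind())
    print("revert to older counter refused:", revert_refused())
```

Running the script shows the first scenario returning `True` (the situation the reporter saw with `ldapwhoami`) and the second `False`; the counters line shows all three providers at 1 after one chained bind. The `<=` check in `apply_counter_mod` is what makes chaining safe to enable: without it, a mod arriving late from a peer, or a replayed one, could move a counter backwards.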
Ondřej Kuzník ondra@mistotebe.net changed:

What     |Removed |Added
----------------------------------------------------------------------------
Keywords |        |needs_review
Quanah Gibson-Mount quanah@openldap.org changed:

What             |Removed      |Added
----------------------------------------------------------------------------
Keywords         |needs_review |
Target Milestone |2.6.11       |2.7.0
Quanah Gibson-Mount quanah@openldap.org changed:

What       |Removed     |Added
----------------------------------------------------------------------------
Resolution |---         |TEST
Status     |IN_PROGRESS |RESOLVED

--- Comment #5 from Quanah Gibson-Mount quanah@openldap.org ---
commit 6a28e8919d6c94910666f8a97ae7166ea9da2437
Author: Ondřej Kuzník ondra@mistotebe.net
Date:   Wed Oct 8 17:11:30 2025 +0100

    ITS#10313 Allow counter mods to be chained

commit e0cca3fcab80fe3f25f79bb39c631b229b5d6e8a
Author: Ondřej Kuzník ondra@mistotebe.net
Date:   Wed Oct 8 17:10:06 2025 +0100

    ITS#10313 Tighten counter tracking modification