https://bugs.openldap.org/show_bug.cgi?id=10313
Issue ID: 10313
Summary: 3-way multimaster oathHOTPCounter attribute update code missing
Product: OpenLDAP
Version: 2.6.6
Hardware: x86_64
OS: Linux
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs@openldap.org
Reporter: agrru01@gmail.com
Target Milestone: ---
I posted on openldap technical mail list and got a response saying I should file a feature request.
I am using a 3-way multimaster syncrepl setup with the slapo-otp module. My problem is that when authenticating with a user using HOTP, the attribute oathHOTPCounter only updates the value on the target ldap instance. This means the other two ldap instances do not get the updated HOTP-counter value and therefore will allow authentication using the same HOTP code.
Interestingly enough, if I manually edit the oathHOTPCounter value it synchronizes with the other masters.
Please see the technical mail list discussion: https://lists.openldap.org/hyperkitty/list/openldap-technical@openldap.org/t...
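Added example (not part of the bug report, and not slapo-otp or syncrepl code): a small Python simulation of why the symptom above matters. Three providers hold the same user's HOTP secret and oathHOTPCounter; a bind against one provider advances only that provider's counter. If the change is not replicated, the other two still accept the same one-time code, which is exactly the replay the reporter describes. The provider names, the lookahead window, and the replicate_counter stand-in are assumptions made for the illustration; the HOTP computation follows RFC 4226 and uses its published test secret.

```python
"""Constructed simulation of HOTP counter replication across three providers.
Not OpenLDAP code: the Provider and replicate_counter stand-ins model the
behaviour described in the bug report, not slapd internals."""
import hashlib
import hmac
import struct

# Constructed secret: the RFC 4226 Appendix D test vector key ("12345678901234567890").
SECRET = b"12345678901234567890"
DIGITS = 6
WINDOW = 10  # assumption: how far past the stored counter a verifier will look


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Provider:
    """One provider's view of the user entry, reduced to its oathHOTPCounter value."""

    def __init__(self, name: str, counter: int = 0):
        self.name = name
        self.oath_hotp_counter = counter

    def bind(self, code: str) -> bool:
        """Accept a code only if it matches a counter in [stored, stored + WINDOW).
        On success store counter + 1 so this provider will not accept the code again."""
        for c in range(self.oath_hotp_counter, self.oath_hotp_counter + WINDOW):
            if hmac.compare_digest(hotp(SECRET, c), code):
                self.oath_hotp_counter = c + 1
                return True
        return False


def replicate_counter(src: Provider, peers: list) -> None:
    """Stand-in for the counter update being forwarded to the other providers.
    A counter only ever moves forward, so take the maximum."""
    for p in peers:
        p.oath_hotp_counter = max(p.oath_hotp_counter, src.oath_hotp_counter)


def counters_consistent(providers: list) -> bool:
    """The check to run after a test bind: does every provider hold the same counter?"""
    return len({p.oath_hotp_counter for p in providers}) == 1


def replay_after_bind(replicate: bool) -> dict:
    """Bind once against ldap1 with the currently valid code, optionally replicate
    the counter, then replay the same code against ldap2 and ldap3."""
    a, b, c = Provider("ldap1"), Provider("ldap2"), Provider("ldap3")
    code = hotp(SECRET, 0)
    if not a.bind(code):
        raise RuntimeError("first bind must succeed")
    if replicate:
        replicate_counter(a, [b, c])
    consistent = counters_consistent([a, b, c])  # checked before the replay attempts
    return {
        "consistent": consistent,
        "replay_on_ldap2": b.bind(code),
        "replay_on_ldap3": c.bind(code),
    }


if __name__ == "__main__":
    print("without replication:", replay_after_bind(replicate=False))
    print("with replication:   ", replay_after_bind(replicate=True))
```

Running it without replication reports the counters as inconsistent and the replay accepted on both peers; with the counter forwarded, the peers reject the code because counter 0 is now below their stored value. The same comparison can be done against real providers by reading oathHOTPCounter from each one before and after a test bind.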
Quanah Gibson-Mount quanah@openldap.org changed:

What             | Removed            | Added
-----------------|--------------------|--------------------
Assignee         | bugs@openldap.org  | ondra@mistotebe.net
Keywords         | needs_review       |
Target Milestone | ---                | 2.6.10
--- Comment #1 from Ondřej Kuzník ondra@mistotebe.net ---

Hi, on a provider this should work and trying it with the in-tree tests, I'm definitely getting changes passed on on a session. Do you have otp configured on the DB or as a global overlay? If on the DB, can you check you have the right order of overlays (otp after syncrepl, and probably accesslog if present)?
On a read-only consumer this is currently not forwarded as Quanah noted but that doesn't seem to be the situation you describe here, so I'd like to deal with yours first.
Ondřej Kuzník ondra@mistotebe.net changed:

What             | Removed | Added
-----------------|---------|-------
Target Milestone | 2.6.10  | 2.6.11
--- Comment #2 from agrru01@gmail.com ---

Created attachment 1061 --> https://bugs.openldap.org/attachment.cgi?id=1061&action=edit (ldap config)
--- Comment #3 from agrru01@gmail.com ---

Hi, I did use the wrong order of the overlay previously. I corrected the order and did some testing and my problem still persists. The attribute oathHOTPCounter only gets updated on the target ldap. I tested this using "ldapwhoami".
I attached the ldap config I'm using. See if you can find any obvious errors.