Hello
Does anyone have experience using SASL OTP with OpenLDAP?
Here is what I understood so far:
- OTP stuff is stored in SASL auxprop cmusaslsecretOTP, which can be stored in sasldb or in LDAP.
- If OpenLDAP finds a cmusaslsecretOTP attribute for a user, and if the OTP plugin is installed both on the client and the server, then the OTP challenge is presented when requesting the OTP method. That leaves me with two problems: how to set cmusaslsecretOTP in LDAP?
- If I use saslpasswd2, it will store cmusaslsecretOTP in sasldb. I can copy-paste it into the LDAP directory, which is not very satisfying.
- If I install the Cyrus ldapdb plugin and add a sasl2/saslpasswd.conf, it seems I can tell saslpasswd2 to write to the directory: ldapdb_uri: ldaps://ldap.example.com
I have not fully investigated, but it seems the thing cannot prompt for credentials: the DN/password must be stored in saslpasswd.conf, which makes multiuser use troublesome.
- saslpasswd2 calls sasl_setpass(), and a look at the OpenLDAP sources shows that passwd_extop()/slap_sasl_setpass() does the same. That suggests it is possible to have slapd do the thing, but how does it work? In passwd_extop(), slap_sasl_setpass() will only be called if op->o_bd is NULL. In what situation does that happen?
- And my last problem is generating the OTP. setkey(1) does not seem to produce something acceptable to SASL OTP. I have to investigate further.
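As an added illustration of what the OTP side of this mechanism actually computes (this is not code from the original post, nor from Cyrus SASL or OpenLDAP): the SASL OTP mechanism is built on RFC 2289 one-time passwords, so the value a client must answer with for a given challenge is derived from the passphrase, the seed and the sequence number. The example below implements the otp-md5 variant of RFC 2289 (seed lowercased and concatenated with the passphrase, MD5 folded to 64 bits, iterated `count` times) and formats the reply in the `hex:` form. The challenge string format (`otp-md5 <count> <seed> ext`), the function names and the parsing helper are my assumptions for the example; the expected values in the comments are the published RFC 2289 Appendix C test vectors.

```python
import hashlib


def _fold_md5(digest: bytes) -> bytes:
    """Fold a 16-byte MD5 digest to 64 bits by XORing the two halves (RFC 2289)."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp_md5(passphrase: str, seed: str, count: int) -> str:
    """Return the RFC 2289 otp-md5 one-time password for sequence number `count`
    as 16 lowercase hex digits.

    Step 0 hashes seed (lowercased) || passphrase; every further step hashes the
    previous 64-bit value. `count` is the number of hash rounds after step 0.
    """
    if count < 0:
        raise ValueError("count must be non-negative")
    value = _fold_md5(hashlib.md5((seed.lower() + passphrase).encode("ascii")).digest())
    for _ in range(count):
        value = _fold_md5(hashlib.md5(value).digest())
    return value.hex()


def parse_challenge(challenge: str) -> tuple[int, str]:
    """Parse an assumed server challenge of the form 'otp-md5 <count> <seed> ext'
    and return (count, seed). Only the md5 variant is handled here."""
    parts = challenge.split()
    if len(parts) < 3 or parts[0] != "otp-md5":
        raise ValueError(f"unsupported or malformed challenge: {challenge!r}")
    count = int(parts[1])
    seed = parts[2]
    # RFC 2289 seeds are 1..16 alphanumeric characters.
    if not (1 <= len(seed) <= 16 and seed.isalnum()):
        raise ValueError(f"invalid seed: {seed!r}")
    return count, seed


def otp_response(passphrase: str, challenge: str) -> str:
    """Compute the 'hex:' form of the response to an otp-md5 challenge."""
    count, seed = parse_challenge(challenge)
    return "hex:" + otp_md5(passphrase, seed, count)


if __name__ == "__main__":
    # RFC 2289 Appendix C vectors for the MD5 algorithm.
    print(otp_md5("This is a test.", "TeSt", 0))   # 9e876134d90499dd
    print(otp_md5("This is a test.", "TeSt", 1))   # 7965e05436f5029f
    print(otp_md5("This is a test.", "TeSt", 99))  # 50fe1962c4965880
    # Constructed challenge (not from any real server).
    print(otp_response("This is a test.", "otp-md5 99 TeSt ext"))
```

The point for the question above is that whatever tool generates the stored secret must produce the same 64-bit chain as this computation, starting from the same (lowercased) seed and passphrase; a value for sequence number N verifies a response for N-1, because hashing the response once more must reproduce the stored value.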