Hello,
I am trying to set up TOTP1 and TOTP1ANDPW as password hash. I use Debian 10
with kernel 5.9 from the backports. For OpenLDAP I use 2.5.5. I set up
everything via Ansible. My configure options are:
-------------
./configure --with-cyrus-sasl --with-tls=openssl --enable-overlays=mod
--enable-backends=mod --disable-perl --disable-ndb --enable-crypt
--enable-modules --enable-dynamic --enable-syslog --enable-debug
--enable-local --enable-spasswd --disable-sql
--prefix=/opt/openldap-current
-------------
In addition I built:
------------
/opt/openldap-current/contrib/slapd-modules/passwd/sha2
/opt/openldap-current/contrib/slapd-modules/passwd/pbkdf2
/opt/openldap-current/contrib/slapd-modules/passwd/totp/
------------
"make test" is running without any error.
The setup is running without any error; here is my cn=config:
------------
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /opt/openldap-current/var/run/slapd.args
olcLogLevel: sync
olcLogLevel: stats
olcLogLevel: stats
olcPidFile: /opt/openldap-current/var/run/slapd.pid
olcToolThreads: 1
olcTLSCertificateFile: /opt/openldap-current/etc/my_certificates/ldap25-p01-cert.pem
olcTLSCertificateKeyFile: /opt/openldap-current/etc/my_certificates/ldap25-p01-key.pem
olcTLSCACertificateFile: /opt/openldap-current/etc/my_certificates/cacert.pem
olcPasswordHash: {TOTP1}

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /opt/openldap-current/libexec/openldap:/usr/local/libexec/openldap
olcModuleLoad: {0}back_mdb
olcModuleLoad: {1}back_monitor
olcModuleLoad: {2}pw-totp.la
olcModuleLoad: {3}autoca.la

... schema ...

dn: olcBackend={0}mdb,cn=config
objectClass: olcBackendConfig
olcBackend: {0}mdb

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn="" by * read
olcAccess: {2}to dn.base="cn=subschema" by * read
olcSizeLimit: 500

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth manage by dn.exact=uid=ldap-admin,ou=users,dc=example,dc=net write by * break
olcRootDN: cn=admin,cn=config
olcRootPW:

dn: olcDatabase={1}monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to dn.subtree="cn=monitor" by dn.exact=cn=admin,cn=config read by dn.exact=cn=admin,dc=example,dc=net read

dn: olcDatabase={2}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcmdbConfig
olcDatabase: {2}mdb
olcDbDirectory: /opt/openldap-current/var/lib/ldap
olcSuffix: dc=example,dc=net
olcAccess: {0} to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth manage by dn.exact=uid=ldap-admin,ou=users,dc=example,dc=net write by dn.exact=uid=repl-user,ou=users,dc=example,dc=net read by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=subschema" by * read
olcAccess: {3} to attrs=userPassword by anonymous auth by self write by * none
olcLimits: {0} dn.exact="uid=repl-user,ou=users,dc=example,dc=net" time=unlimited size=unlimited
olcLimits: {1} dn.exact="uid=ldap-admin,ou=users,dc=example,dc=net" time=unlimited size=unlimited
olcRootDN: cn=admin,dc=example,dc=net
olcRootPW: {SSHA}D6GKFhWChzpTnTmsxLVqJqTnFm+8fr3K
olcSizeLimit: unlimited
olcTimeLimit: unlimited
olcDbCheckpoint: 512 30
olcDbIndex: default eq
olcDbIndex: objectClass
olcDbIndex: entryUUID
olcDbIndex: entryCSN
olcDbIndex: cn pres,eq,sub
olcDbIndex: uid pres,eq,sub
olcDbIndex: mail pres,eq,sub
olcDbIndex: sn pres,eq,sub
olcDbIndex: description pres,eq,sub
olcDbIndex: title pres,eq,sub
olcDbIndex: givenName pres,eq,sub
olcDbMaxSize: 85899345920

dn: olcOverlay={0}totp,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
olcOverlay: {0}totp

dn: olcOverlay={1}autoca,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAutoCAConfig
olcOverlay: {1}autoca
olcAutoCAuserKeybits: 4096
olcAutoCAserverKeybits: 4096
olcAutoCAKeybits: 4096
------------
After a few minutes, or if I restart slapd, I get the following error message:
---------------------
Jun 05 15:24:52 ldap25-p01 slapd[16210]: @(#) $OpenLDAP: slapd 2.5.5 (Jun 5 2021 14:07:21) $
root@ldap25-p01:/opt/openldap-2.5.5/servers/slapd
Jun 05 15:24:52 ldap25-p01 slapd[16210]: olcPasswordHash: value #0: <olcPasswordHash> scheme not available ({TOTP1})
Jun 05 15:24:52 ldap25-p01 slapd[16210]: olcPasswordHash: value #0: <olcPasswordHash> no valid hashes found
Jun 05 15:24:52 ldap25-p01 slapd[16210]: config error processing cn=config: <olcPasswordHash> no valid hashes found
---------------------
I used the documentation from Symas for configuring TOTP. What's wrong,
and why does slapd start after configuration but crash when I restart
slapd?
Stefan
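An added check from the editor, not the poster's or OpenLDAP's code, for the situation in this post: slapd reads the cn=config (olcGlobal) entry before cn=module{0}, so a scheme that pw-totp.la registers is not yet known when a global olcPasswordHash is validated at startup, while the same value added over LDAP at runtime is accepted because the module is already loaded; olcDatabase={-1}frontend also allows olcPasswordHash and is read after the modules. The script parses a cn=config LDIF in read order and reports every scheme used before the module providing it is loaded; the built-in and module scheme tables and the sample LDIF are constructed assumptions.

```python
# Lint a cn=config LDIF for olcPasswordHash schemes that slapd would reject at
# startup because the module registering them is loaded in a later entry. Added
# by the editor, not code from the poster or OpenLDAP; tables and LDIF are constructed.
import re

BUILTIN = {"SSHA", "SHA", "SMD5", "MD5", "CRYPT", "CLEARTEXT"}  # compiled into slapd
MODULE_SCHEMES = {  # schemes the contrib passwd modules register when loaded
    "pw-totp": {"TOTP1", "TOTP256", "TOTP512",
                "TOTP1ANDPW", "TOTP256ANDPW", "TOTP512ANDPW"},
    "pw-sha2": {"SHA256", "SHA384", "SHA512", "SSHA256", "SSHA384", "SSHA512"},
}

def parse_ldif(text):
    """(dn, {attr: [values]}) per entry in file order, which is the order slapd
    reads them; a line beginning with a space continues the previous line."""
    entries = []
    for block in re.split(r"\n\s*\n", text.replace("\n ", "").strip()):
        attrs = {}
        for line in block.splitlines():
            key, _, val = line.partition(":")
            attrs.setdefault(key, []).append(val.strip())
        entries.append((attrs["dn"][0], attrs))
    return entries

def check_hash_order(text):
    """Findings (dn, scheme, reason) for each non-built-in scheme whose module
    is not loaded in an earlier entry."""
    loaded, findings = set(), []
    for dn, attrs in parse_ldif(text):
        for v in attrs.get("olcModuleLoad", []):   # "{1}pw-totp.la" -> "pw-totp"
            loaded.add(re.sub(r"^\{\d+\}|\.la$", "", v).rsplit("/", 1)[-1])
        for v in attrs.get("olcPasswordHash", []):
            for scheme in set(re.findall(r"\{([^}]+)\}", v)) - BUILTIN:
                prov = next((m for m, s in MODULE_SCHEMES.items() if scheme in s), None)
                if prov is None:
                    findings.append((dn, scheme, "no known provider"))
                elif prov not in loaded:
                    findings.append((dn, scheme, prov + " is loaded later"))
    return findings

# Constructed sample in slapd's read order: the global entry precedes
# cn=module{0}; the frontend database (olcPasswordHash allowed there) follows it.
SAMPLE_LDIF = """dn: cn=config
olcPasswordHash: {TOTP1}

dn: cn=module{0},cn=config
olcModulePath: /opt/openldap-current/libexec/openldap:/usr/local/libexec/open
 ldap
olcModuleLoad: {1}pw-totp.la

dn: olcDatabase={-1}frontend,cn=config
olcPasswordHash: {TOTP1ANDPW} {SSHA}
"""
```

Running `check_hash_order(SAMPLE_LDIF)` flags only the global {TOTP1}; the frontend's {TOTP1ANDPW} passes because pw-totp.la is already loaded by then.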