Emmanuel Dreyfus manu@netbsd.org wrote:
$ ldapwhoami -Y OTP -X dn:${user_dn}
SASL/OTP authentication started (delay)
ldap_sasl_interactive_bind_s: Server is unavailable (52)
        additional info: SASL(-8): transient failure (e.g., weak key): simultaneous OTP authentications not permitted
I made some progress, with a fix in cyrus SASL (I also include my added SHA2 support just in case someone has a comment on it).
This was a signedness problem in the timeout parameter: read as signed on machines with a 32-bit time_t, it always ends up in the far future. Scanning it as unsigned fixes the problem.
--- plugins/otp.c.orig 2012-10-12 16:05:48.000000000 +0200 +++ plugins/otp.c 2015-11-07 15:19:43.000000000 +0100 @@ -92,8 +92,12 @@ static algorithm_option_t algorithm_options[] = { {"md4", 0, "md4"}, {"md5", 0, "md5"}, {"sha1", 4, "sha1"}, + {"sha224", 4, "sha224"}, + {"sha256", 4, "sha256"}, + {"sha384", 4, "sha384"}, + {"sha512", 4, "sha512"}, {NULL, 0, NULL} };
/* Convert the binary data into ASCII hex */ @@ -675,9 +679,9 @@ SETERROR(utils, "OTP secret too short"); return SASL_FAIL; }
- sscanf(secret, "%s\t%04d\t%s\t%s\t%020ld", + sscanf(secret, "%s\t%04d\t%s\t%s\t%020lu", alg, seq, seed, buf, timeout);
hex2bin(buf, otp, OTP_HASH_SIZE);
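Review bot: in the algorithm_options hunk, the four new sha224..sha512 rows copy sha1's second field (4) verbatim, but the code that folds the digest down to OTP_HASH_SIZE is not part of this patch, so please confirm that the folding loop copes with the longer SHA-2 digests (28 to 64 bytes) before relying on these entries. Worth a comment next to the table as well: RFC 2289 only specifies md4, md5 and sha1, so the SHA-2 variants will only interoperate with generators that implement the same non-standard extension.

Review bot: in the sscanf hunk, switching to "%020lu" is only correct if timeout is declared as unsigned long *, and its declaration is not visible here; if it is a time_t * or long *, scan into a local unsigned long and assign it instead of passing the pointer straight through. Two pre-existing problems in the same line are also worth fixing while touching it: the "%s" conversions for alg, seed and buf carry no field width, so an over-long secret record overruns those fixed buffers (use widths matching their sizes, e.g. "%31s"), and the return value of sscanf is never checked, so a malformed record leaves the remaining fields uninitialised; require it to equal 5 before using them.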