On 06Feb25 12:41+0100, Christoph Pleger wrote:
To my knowledge, the secret is a binary blob encoded in base64 or sometimes base32. So, yes, it would be possible. Keep in mind to also set google-authenticator's default parameters in the slapo-otp config (SHA1, 30s time window, etc.).
Which db overlay are you going to use? There are two in the OpenLDAP distribution: one in the maintained branch (slapo-otp) and the other one in the contrib/ branch (pw-totp.so).
I am using slapo-otp. In the meantime, I managed to make it work with newly generated OTP secrets, but converting secrets from ${HOME}/.google_authenticator failed. I am wondering why, because I used the base32 binary from the google-authenticator project to decode the value from .google_authenticator and then base64 to encode it again, like this:
-/base32 -D <base32-coded> | base64
Depending on your script, trailing newlines might have snuck in.
No errors were shown while doing this, but after changing the OpenLDAP TOTP secret to the result of the above command, login was not possible.
My knowledge about slapo-otp is a bit outdated. I remember multiple steps which need to be done and multiple entries need to be created.
The LDAP entries you want to bind to with userPassword + 2FA TOTP need to implement the objectclass oathTOTPUser with the attribute oathTOTPToken. The value of the attribute oathTOTPToken points to a DN which implements the objectclass oathTOTPToken with attributes oathSecret, oathSecretTime, etc. Also oathTOTPParams need to be implemented there. ... Here, oathSecret would be set to the content of your secret, but as I see in the man page: `The shared secret is stored here as raw bytes.` Meaning, not base64. If you add that via LDIF, `oathSecret:: $BASE64_BLOB` should work.
Unfortunately, I do not recall if this is all, my testbed is not available any more. I extracted the info to get a running testbed from `slapo-otp(5)` and the sources in file `2.6.3/servers/slapd/overlays/otp.c`. The latter gave me a decent understanding about the OATH-LDAP schema.
When all is set up, the bind call could then look like: ldapwhoami -x -H ... -D uid=user,... -w "${PASSWORD}${TOTPTOKEN}"
${PASSWORD} would be the user password which authenticates against the `userPassword` attribute as usual, immediately followed (no delimiter) by a TOTP verification token of six characters (see oathOTPLength), e.g. "mysecretpassword123456".
I hope this helps a bit,
Best,
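As an added example (not code from either of the posts above, nor from the OpenLDAP or google-authenticator projects), the following Python script performs the conversion discussed in this thread and lets you check the result before touching the directory. It takes the first line of a .google_authenticator file (the base32 secret), strips any whitespace so that no trailing newline ends up in the secret, decodes it to raw bytes, and emits the `oathSecret::` LDIF line with the base64 form that slapd decodes back to raw bytes. It also computes the TOTP code with the google-authenticator defaults named in the thread (SHA1, 30 s step, 6 digits) and builds the concatenated "${PASSWORD}${TOTPTOKEN}" bind password, so you can confirm that the code derived from the converted secret matches what your phone app shows before you test the bind. The sample file content is constructed for this example; the attribute name comes from slapo-otp(5) as cited above.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample of a ~/.google_authenticator file: only the first line
# is the base32 shared secret, the rest are options and scratch codes.
SAMPLE_GA_FILE = "JBSWY3DPEHPK3PXP\n\" RATE_LIMIT 3 30\n\" TOTP_AUTH\n12345678\n"


def ga_secret_to_raw(ga_file_text: str) -> bytes:
    """Return the raw shared secret bytes from .google_authenticator content.

    The secret is the first line only. Whitespace (including a trailing
    newline) is stripped so it cannot become part of the key, and base32
    padding is restored because google-authenticator writes none.
    """
    first_line = ga_file_text.splitlines()[0].strip().upper()
    padded = first_line + "=" * (-len(first_line) % 8)
    return base64.b32decode(padded)


def raw_secret_to_ldif_value(raw: bytes) -> str:
    """oathSecret holds raw bytes; LDIF carries binary values base64-encoded after '::'."""
    return "oathSecret:: " + base64.b64encode(raw).decode("ascii")


def totp(raw_secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digest=hashlib.sha1) -> str:
    """RFC 6238 TOTP with the google-authenticator defaults (SHA1, 30 s, 6 digits)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(raw_secret, counter, digest).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def bind_password(user_password: str, raw_secret: bytes, unix_time: int) -> str:
    """slapo-otp expects the userPassword value immediately followed by the TOTP code."""
    return user_password + totp(raw_secret, unix_time)


if __name__ == "__main__":
    raw = ga_secret_to_raw(SAMPLE_GA_FILE)
    print(raw_secret_to_ldif_value(raw))
    now = int(time.time())
    print("current TOTP code:", totp(raw, now))
    # Hypothetical password, purely to show the concatenation for ldapwhoami -w.
    print("bind password:", bind_password("mysecretpassword", raw, now))
```

Run it against a real .google_authenticator file by passing its content to ga_secret_to_raw; if the printed code matches the app on your phone, the secret survived the conversion and the remaining suspects are the oathTOTPParams values (step length, digits, hash) rather than the encoding.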