On 6/17/21 9:26 PM, Quanah Gibson-Mount wrote:
> --On Thursday, June 17, 2021 9:34 PM +0200 Stefan Kania stefan@kania-online.de wrote:
>> I'm still testing TOTP with OpenLDAP 2.5. I got TOTP1 running. So a user with an OTP can use the six-digit number from Google Authenticator (or FreeOTP+) to authenticate while using ldapsearch. Then I switch to TOTP1ANDPW: I generate a secret key for the TOTP part of userPassword. Then I create a password with "slappasswd" and put both TOTP1|password together in userPassword; after decoding the base64 I saw what I expected:
> Again, I have to ask why you simply aren't using the OTP module that ships with 2.5 and whatever your favorite password hashing scheme is (I advise ARGON2) to do this.
I agree with Quanah. There are good reasons why the schema used by slapo-otp has a separate attribute 'oathSecret' holding the token's shared secret.
Using the old totp module is a waste of time.
Ciao, Michael.