Stefan Kania wrote:
Hi to all,
I'm still testing TOTP with OpenLDAP 2.5. I got TOTP1 running, so a user with an OTP can use the six-digit number from Google Authenticator (or FreeOTP+) to authenticate while using ldapsearch. Then I switched to TOTP1ANDPW: I generated a secret key for the TOTP part of userPassword, created a password with "slappasswd", and put both TOTP1|password together in userPassword. After decoding the base64 I saw what I expected:
dn: cn=u1,ou=users,dc=example,dc=net
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: autoCAuser
loginShell: /bin/bash
homeDirectory: /home/u1
uid: u1
uidNumber: 10010
gidNumber: 10000
sn: u
givenName: 1
cn: u1
userPassword:: e1RPVFAxQU5EUFd9TUpBVk1UM0tNUlVXSVNDUEtKWEhJWVNaR1kzRE80Q0x8e1N
 TSEF9RWlCcVIwUGR4SUluMSswZTNqRSs1MXlwb1p6dTFKVUc=

$ echo "e1RPVFAxQU5EUFd9TUpBVk1UM0tNUlVXSVNDUEtKWEhJWVNaR1kzRE80Q0x8e1NTSEF9RWlCcVIwUGR4SUluMSswZTNqRSs1MXlwb1p6dTFKVUc=" | base64 -d
{TOTP1ANDPW}MJAVMT3KMRUWISCPKJXHIYSZGY3DO4CL|{SSHA}EiBqR0PdxIIn1+0e3jE+51ypoZzu1JUG
I then try to authenticate using ldapsearch with: 123456secret where 123456 is the six-digit key from googleauthenticator and "secret" is the password. But I always got an error 49 :-( I read this to set up the password: https://git.openldap.org/ondra/openldap/-/tree/dfe1f6494d69a885477e854944a6a...
Any hint? Anyone who got this running?
The correct order is <password><otp> so you should have used "secret123456" with ldapsearch.
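To make the `<password><otp>` order concrete, here is an added Python example (not code from the thread and not OpenLDAP's slapd-totp module). It builds a `{TOTP1ANDPW}<base32 secret>|{SSHA}...` value in the layout the decoded userPassword above shows, computes a standard RFC 6238 HMAC-SHA1 TOTP from the base32 secret, and checks a combined credential by treating its trailing six digits as the OTP and the rest as the password. That split rule, the `{SSHA}` layout (SHA-1 over password+salt, then salt appended, base64), and the sample secret and password are assumptions for illustration; the secret is the RFC 6238 test key, chosen so the expected code is known.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample values (not from the mailing-list post).
# This base32 string is the RFC 6238 test key "12345678901234567890".
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SAMPLE_PASSWORD = "secret"
OTP_DIGITS = 6
OTP_STEP = 30


def ssha_hash(password: str, salt: bytes) -> str:
    """{SSHA} value: base64(sha1(password + salt) + salt), the layout slappasswd -h {SSHA} emits."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password: str, stored: str) -> bool:
    """Recompute the salted SHA-1 and compare in constant time."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


def build_userpassword(secret_b32: str, ssha_value: str) -> str:
    """TOTP1ANDPW layout seen in the thread: scheme tag, base32 secret, '|', password hash."""
    return "{TOTP1ANDPW}" + secret_b32 + "|" + ssha_value


def parse_userpassword(value: str) -> tuple:
    """Split a stored TOTP1ANDPW value back into (base32 secret, password hash)."""
    prefix = "{TOTP1ANDPW}"
    if not value.startswith(prefix):
        raise ValueError("not a TOTP1ANDPW value")
    secret_b32, _, pw_hash = value[len(prefix):].partition("|")
    return secret_b32, pw_hash


def totp(secret_b32: str, at: int, digits: int = OTP_DIGITS, step: int = OTP_STEP) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the default used by Google Authenticator and FreeOTP+."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def split_credential(cred: str, digits: int = OTP_DIGITS) -> tuple:
    """Assumed split for '<password><otp>': the trailing digits are the OTP, the rest is the password."""
    if len(cred) <= digits or not cred[-digits:].isdigit():
        raise ValueError("credential must end in the OTP digits")
    return cred[:-digits], cred[-digits:]


def check_credential(cred: str, stored: str, at: int, window: int = 1) -> bool:
    """Verify password and OTP together; a credential in the wrong order ('<otp><password>') fails."""
    try:
        password, otp = split_credential(cred)
    except ValueError:
        return False
    secret_b32, pw_hash = parse_userpassword(stored)
    pw_ok = ssha_verify(password, pw_hash)
    # Accept adjacent time steps to tolerate small clock drift between client and server.
    otp_ok = any(
        hmac.compare_digest(totp(secret_b32, at + k * OTP_STEP), otp)
        for k in range(-window, window + 1)
    )
    return pw_ok and otp_ok


if __name__ == "__main__":
    stored = build_userpassword(SAMPLE_SECRET_B32, ssha_hash(SAMPLE_PASSWORD, b"salt1234"))
    now = int(time.time())
    print("userPassword:", stored)
    print("credential to send:", SAMPLE_PASSWORD + totp(SAMPLE_SECRET_B32, now))
    print("accepted:", check_credential(SAMPLE_PASSWORD + totp(SAMPLE_SECRET_B32, now), stored, now))
```

Run it and it prints a stored value in the same shape as the decoded attribute in the thread and the credential the client should present, with the OTP after the password; presenting `123456secret` fails the check because the trailing characters are not six digits.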