On Sat, 7 Nov 2015 13:29:25 +0100, Dieter Klünter dieter@dkluenter.de wrote:
On Sat, 7 Nov 2015 01:04:57 +0000, Howard Chu hyc@symas.com wrote:
Dieter Klünter wrote:
On Fri, 6 Nov 2015 08:55:34 +0000, Emmanuel Dreyfus manu@netbsd.org wrote:
Hello
It seems OTP was broken at some time, I wonder if it is just me (and why), or if it is more general. I have a user with:

cmusaslsecretOTP: sha1 0499 se2124 xxxxxxxxxxxxxxxx 00000000

slapd.conf contains:

access to dn.regex="^uid=.+,dc=example,dc=net$" attrs=cmusaslsecretOTP
    by anonymous auth stop
    by self write stop
    by * none stop

I try:

$ ldapwhoami -Y OTP -X dn:${user_dn}
SASL/OTP authentication started (delay)
ldap_sasl_interactive_bind_s: Server is unavailable (52)
    additional info: SASL(-8): transient failure (e.g., weak key): simultaneous OTP authentications not permitted

This is OpenLDAP 2.4.42, Cyrus SASL 2.1.26.
If you are referring to sasl-OTP, which requires opiekey, this is still working,
https://sys4.de/de/blog/2014/04/15/one-time-password-system-network-based-se...
On the other hand, there is a time-based OTP module in contrib/slapd-modules/passwd/totp which is broken, although I use Google Authenticator and alternatively Sophos Authenticator.
The passwd/totp module is a slapd password-hash mechanism and has nothing to do with SASL. It also works perfectly with Google Authenticator; what makes you say it's broken?
I am not claiming the totp module to be a SASL Mechanism.
1. compiled pw-totp
2. installed pw-totp.la and pw-totp.so.0.0.0
3. included pw-totp.la in slapd.conf
4. added password-hash {TOTP1}
   4.1 forgot to mention that I have added an overlay declaration "overlay totp", which happens to be the first overlay, followed by memberOf
5. created a user

   dn: cn=test1 example,o=Test
   sn: example
   objectClass: inetOrgPerson
   cn: test1 example
   givenName: test1

6. added credentials by ldappasswd

   userPassword:: e1RPVFAxfU5CVUVJNktFSk1ZRENOQlRHSTJUTVFLQ0lOQ0E9PT09

7. added credentials to Google Authenticator and Sophos Authenticator
8. ran ./ldapwhoami -D "cn=test1 example,o=Test" -W -H ldap://localhost:9007
9. entered the number string from an authenticator
10. result: ldap_bind: Invalid credentials (49)
You may test yourself, based on my credentials.
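As an added diagnostic example (not code from the thread or from the pw-totp module): the posted userPassword value decodes to "{TOTP1}" followed by a base32 string, so the script below parses it on the assumption that the part after the scheme is the base32-encoded shared secret and that TOTP1 means RFC 6238 TOTP over HMAC-SHA1 with a 30-second step and 6 digits (the Google Authenticator defaults). Comparing the code it computes against the phone, including at +/- one step, separates a bad secret from a clock-skew problem behind the "Invalid credentials (49)" result.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed input: the userPassword value posted above for cn=test1 example,o=Test
USERPASSWORD_B64 = "e1RPVFAxfU5CVUVJNktFSk1ZRENOQlRHSTJUTVFLQ0lOQ0E9PT09"


def parse_totp_userpassword(b64value: str):
    """Split a base64 LDIF userPassword value into (scheme, raw secret bytes).

    Assumption: the stored form is '{TOTP1}' + base32(secret); only TOTP1
    (HMAC-SHA1) is handled here.
    """
    raw = base64.b64decode(b64value).decode("ascii")
    if not raw.startswith("{") or "}" not in raw:
        raise ValueError("no {SCHEME} prefix in userPassword")
    scheme, b32 = raw[1:].split("}", 1)
    if scheme != "TOTP1":
        raise ValueError(f"unsupported scheme {scheme}")
    return scheme, base64.b32decode(b32, casefold=True)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP code over HMAC-SHA1 for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, skew_steps: int = 1) -> bool:
    """Accept the code for the current step or its +/- skew_steps neighbours.

    A code that only matches at a non-zero offset points to clock skew
    between the phone and the server rather than a wrong secret.
    """
    return any(
        hmac.compare_digest(totp(secret, unix_time + k * step, step), code)
        for k in range(-skew_steps, skew_steps + 1)
    )


if __name__ == "__main__":
    scheme, secret = parse_totp_userpassword(USERPASSWORD_B64)
    print(scheme, secret, "code now:", totp(secret, int(time.time())))
```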