On 05Feb25 12:11+0100, Christoph Pleger wrote:
> So:
> Is it possible to convert the secret from ${HOME}/.google_authenticator to OpenLDAP format?
To my knowledge, the secret is a binary blob encoded in base64 or sometimes base32. So, yes, it would be possible. Keep in mind to also set google-authenticator's default parameters in the slapo-otp configuration (SHA1, 30 s time window, etc.).
Which db overlay are you going to use? There are two in the OpenLDAP distribution: one in the maintained branch (slapo-otp) and the other one in the contrib/ branch (pw-totp.so).
I'm currently using the second module from the contrib branch because we've set up a dedicated TOTP verification slapd that only verifies TOTP after the user has already authenticated with the first factor.
Unfortunately, the slapo-otp module doesn't quite fit our needs, as it requires a password as the first factor and then sends both the password and TOTP token together in one LDAP bind call. This doesn't work for us since our first factor is SSH public key authentication.
I did want to mention that there's a pending feature request that would allow the maintained module (slapo-otp) to verify TOTP only, which would be a huge help [1]. I thought I'd bring it up here in case any OpenLDAP developers might be willing to take another look :)
1: https://bugs.openldap.org/show_bug.cgi?id=10169
Happy to hear any updates on how you succeeded.
Cheers,
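As an added example (not from this thread, OpenLDAP or google-authenticator): a Python script that reads the ~/.google_authenticator file layout, decodes the base32 secret to its raw bytes, prints the base64 form an LDIF `attribute:: value` line expects, and checks the decoded secret by computing a TOTP with google-authenticator's defaults (SHA1, 30 s step, 6 digits). The sample file is constructed around the RFC 6238 test key; the overlay's attribute names are deliberately not assumed here, take them from the schema shipped with slapo-otp or pw-totp.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample of a ~/.google_authenticator file. Line 1 is the base32
# secret (here the RFC 6238 test key "12345678901234567890", not a real one),
# lines starting with '"' are pam options, the numeric line is a scratch code.
SAMPLE_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
12345678
"""


def parse_google_authenticator(text):
    """Return (raw secret bytes, option dict, scratch code list)."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    secret_b32 = lines[0].upper()
    # Python's b32decode insists on padding to a multiple of 8 characters.
    raw = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))
    options, scratch = {}, []
    for line in lines[1:]:
        if line.startswith('"'):
            parts = line[1:].split()
            options[parts[0]] = parts[1:]
        elif line.isdigit():
            scratch.append(line)
    return raw, options, scratch


def to_ldif_base64(raw):
    """Octet-string form for an LDIF 'attribute:: value' line."""
    return base64.b64encode(raw).decode("ascii")


def totp(raw_secret, for_time, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238 TOTP with google-authenticator defaults (SHA1, 30 s, 6 digits)."""
    counter = struct.pack(">Q", int(for_time) // step)
    digest = hmac.new(raw_secret, counter, algo).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


if __name__ == "__main__":
    raw, opts, codes = parse_google_authenticator(SAMPLE_FILE)
    print("LDIF base64 value:", to_ldif_base64(raw))
    print("WINDOW_SIZE (in 30 s steps):", opts.get("WINDOW_SIZE"))
    print("code for now:", totp(raw, time.time()))
```

WINDOW_SIZE in the pam file counts 30 s steps (3 means the current step plus one on either side), so map it to the overlay's window setting on the same scale rather than copying the number blindly.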