Hi to all,
I would like to add the OTP attributes with the following LDIF:
---------------
dn: ou=users,dc=example,dc=net
changetype: modify
add: objectClass
objectClass: oathTOTPParams
-
add: oathOTPLength
oathOTPLength: 6
-
add: oathHMACAlgorithm
oathHMACAlgorithm: 1.2.840.113549.2.11
-
add: oathTOTPTimeStepPeriod
oathTOTPTimeStepPeriod: 30
-
add: oathTOTPTimeStepWindow
oathTOTPTimeStepWindow: 3
---------------
But I'm getting:
-----------
modifying entry "ou=users,dc=example,dc=net"
ldap_modify: Invalid syntax (21)
additional info: oathHMACAlgorithm: value #0 invalid per syntax
-----------
If I switch to SHA1:
-----------
oathHMACAlgorithm: 1.2.840.113549.2.7
-----------
it works. The manpage is telling me:
-----------
oathHMACAlgorithm: <OID>
The OID of the hash algorithm to use as defined in RFC 8018. Supported algorithms include SHA1, SHA224, SHA256, SHA384 and SHA512.
-----------
and .11 is SHA512. Why is it not working? Do I have to give the OID in a different way?
Stefan
.11 should work. Check to make sure you don't have any trailing whitespace on that line.
--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
On Sat, Apr 19, 2025 at 05:58:20PM +0200, Stefan Kania wrote:
On 19.04.25 at 17:54, Howard Chu wrote:
.11 should work. Check to make sure you don't have any trailing whitespace on that line.
I always check my LDIF files with vi ":set list" to show all trailing whitespace and tabs.
Hi Stefan,
are you sure the OID value is pure ASCII, especially when it comes to `.` and the numbers? From the error it sounds like the server didn't agree with this assertion. You can also check the slapd debug output with the BER debug level to see what it sees being passed in the modify.
Regards,
Hello Ondřej,
it was something with one of the dots :-(. I have now rewritten the whole LDIF file and now it's OK. But what I still don't understand is that it was working with .7 but not with .11 or any other valid value. I will not investigate the problem any more; it's working now as expected and that's the main thing for me.
But again thank you for your help.
Stefan
On 23.04.25 at 15:33, Ondřej Kuzník wrote:
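The two checks suggested in the thread (Howard's trailing-whitespace check and Ondřej's pure-ASCII check), plus a numericoid syntax check for the oathHMACAlgorithm value, as an added Python linter that is not part of the thread or of OpenLDAP. The sample LDIF below is constructed: it plants a Unicode lookalike dot (U+2024) and a trailing space, which is an assumption about what the original file contained, not a finding from the thread.

```python
import re
import unicodedata

# Constructed sample: the modify from the thread, but one "." in the
# oathHMACAlgorithm value is U+2024 (ONE DOT LEADER), which is not ASCII
# and looks like "." in most editors, and the oathOTPLength line carries
# a trailing space. Both are assumptions, not what the thread found.
SAMPLE_LDIF = (
    "dn: ou=users,dc=example,dc=net\n"
    "changetype: modify\n"
    "add: objectClass\n"
    "objectClass: oathTOTPParams\n"
    "-\n"
    "add: oathOTPLength\n"
    "oathOTPLength: 6 \n"
    "-\n"
    "add: oathHMACAlgorithm\n"
    "oathHMACAlgorithm: 1.2.840.113549.2\u202411\n"
    "-\n"
    "add: oathTOTPTimeStepPeriod\n"
    "oathTOTPTimeStepPeriod: 30\n"
)

# Attributes whose value must be an RFC 4512 numericoid (digits and dots only).
OID_ATTRS = {"oathhmacalgorithm"}
NUMERICOID = re.compile(r"^(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))+$")


def lint_ldif(text):
    """Return a list of (line_no, problem) for things slapd rejects with
    'invalid per syntax' but that look fine in an editor."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        if line != line.rstrip(" \t"):
            findings.append((no, "trailing whitespace"))
        # RFC 2849 SAFE-CHAR is 7-bit; anything above 0x7F is not plain ASCII.
        for col, ch in enumerate(line, start=1):
            if ord(ch) > 0x7F:
                name = unicodedata.name(ch, "U+%04X" % ord(ch))
                findings.append((no, "non-ASCII at col %d: %s" % (col, name)))
        # Plain "attr: value" lines only; skip comments, continuations and "attr::" base64.
        if ":" in line and not line.startswith(("#", " ")):
            attr, _, value = line.partition(":")
            if attr.strip().lower() in OID_ATTRS and not value.startswith(":"):
                value = value.strip()
                if not NUMERICOID.match(value):
                    findings.append((no, "%s is not a numeric OID: %r" % (attr, value)))
    return findings


if __name__ == "__main__":
    for line_no, problem in lint_ldif(SAMPLE_LDIF):
        print("line %d: %s" % (line_no, problem))
```

The same linter passes the corrected file (all-ASCII dots, no trailing blanks) with no findings, which is the state Stefan reached by retyping it.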
openldap-technical@openldap.org