Hello!
I am using a 3-way multimaster syncrepl setup with the slapo-otp module. My problem is that when authenticating with a user using HOTP, the attribute oathHOTPCounter only updates the value on the target ldap instance. This means the other two ldap instances do not get the updated HOTP-counter value and therefore will allow authentication using the same HOTP code.
Interestingly enough, if I manually edit the oathHOTPCounter value it synchronizes with the other masters.
Any idea what the problem could be?
--On Friday, February 21, 2025 11:36 AM +0000 agrru01@gmail.com wrote:
> Hello!
> I am using a 3-way multimaster syncrepl setup with the slapo-otp module. My problem is that when authenticating with a user using HOTP, the attribute oathHOTPCounter only updates the value on the target ldap instance. This means the other two ldap instances do not get the updated HOTP-counter value and therefore will allow authentication using the same HOTP code.
> Interestingly enough, if I manually edit the oathHOTPCounter value it synchronizes with the other masters.
> Any idea what the problem could be?
Yes, it lacks the necessary update code to function in an MMR environment. It needs something similar to slapo-ppolicy's update functionality:
ppolicy_forward_updates Specify that policy state changes that result from Bind operations (such as recording failures, lockout, etc.) on a consumer should be forwarded to a provider instead of being written directly into the consumer's local database. This setting is only useful on a replication consumer, and also requires the updateref setting and chain overlay to be appropriately configured.
I.e., it lacks but needs a totp_forward_updates parameter.
I suggest filing a feature request on this at https://bugs.openldap.org
--Quanah
openldap-technical@openldap.org
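To make the replay window concrete, here is an added example (not from the thread, and not OpenLDAP or slapo-otp code) that models three providers each holding their own copy of oathHOTPCounter: a bind on ldap1 consumes a counter value locally, and the same HOTP code is still accepted by ldap2 and ldap3 until the counter update is forwarded to them. The secret (the RFC 4226 test vector key), the user entry and the look-ahead window are constructed assumptions.

```python
import hmac
import hashlib
import struct

SECRET = b"12345678901234567890"  # constructed test key (RFC 4226 test vector secret)
LOOK_AHEAD = 5                    # counter values past the stored one still accepted
USER = "uid=alice"                # constructed entry


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Replica:
    """One provider holding the user's oathHOTPCounter in its own local database."""

    def __init__(self, name: str):
        self.name = name
        self.counters = {USER: 0}

    def bind(self, user: str, code: str) -> bool:
        """Accept the code if it matches a counter in the look-ahead window, then
        advance the stored counter past the value that was consumed (local write only)."""
        base = self.counters[user]
        for c in range(base, base + LOOK_AHEAD + 1):
            if hmac.compare_digest(hotp(SECRET, c), code):
                self.counters[user] = c + 1
                return True
        return False


def forward_counter(source: Replica, peers: list, user: str) -> None:
    """What forwarding/replicating the counter update would do: push it to the peers."""
    for r in peers:
        r.counters[user] = max(r.counters[user], source.counters[user])


def replay_outcome(forward_updates: bool) -> dict:
    """Bind once on ldap1, then retry the very same code on ldap2 and ldap3."""
    ldap1, ldap2, ldap3 = Replica("ldap1"), Replica("ldap2"), Replica("ldap3")
    code = hotp(SECRET, ldap1.counters[USER])
    first = ldap1.bind(USER, code)
    if forward_updates:
        forward_counter(ldap1, [ldap2, ldap3], USER)
    return {"ldap1": first, "ldap2": ldap2.bind(USER, code), "ldap3": ldap3.bind(USER, code)}
```

`replay_outcome(False)` reproduces the situation in the thread (the code is accepted on all three providers); `replay_outcome(True)` shows the effect of propagating the counter, which is what a forward-updates option for the overlay would provide.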