Hello,
I'm trying to set up TOTP1 and TOTP1ANDPW as password hash. I use Debian 10 with kernel 5.9 from the backports. As OpenLDAP I use 2.5.5. I set up everything via Ansible. My configure options are:
-------------
./configure --with-cyrus-sasl --with-tls=openssl --enable-overlays=mod --enable-backends=mod --disable-perl --disable-ndb --enable-crypt --enable-modules --enable-dynamic --enable-syslog --enable-debug --enable-local --enable-spasswd --disable-sql --prefix=/opt/openldap-current
-------------
In addition I build:
------------
/opt/openldap-current/contrib/slapd-modules/passwd/sha2
/opt/openldap-current/contrib/slapd-modules/passwd/pbkdf2
/opt/openldap-current/contrib/slapd-modules/passwd/totp/
------------
"make test" is running without any error.
The setup is running without any error, here is my cn=config:
------------
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /opt/openldap-current/var/run/slapd.args
olcLogLevel: sync
olcLogLevel: stats
olcLogLevel: stats
olcPidFile: /opt/openldap-current/var/run/slapd.pid
olcToolThreads: 1
olcTLSCertificateFile: /opt/openldap-current/etc/my_certificates/ldap25-p01-cert.pem
olcTLSCertificateKeyFile: /opt/openldap-current/etc/my_certificates/ldap25-p01-key.pem
olcTLSCACertificateFile: /opt/openldap-current/etc/my_certificates/cacert.pem
olcPasswordHash: {TOTP1}

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /opt/openldap-current/libexec/openldap:/usr/local/libexec/openldap
olcModuleLoad: {0}back_mdb
olcModuleLoad: {1}back_monitor
olcModuleLoad: {2}pw-totp.la
olcModuleLoad: {3}autoca.la

... schema....

dn: olcBackend={0}mdb,cn=config
objectClass: olcBackendConfig
olcBackend: {0}mdb

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn="" by * read
olcAccess: {2}to dn.base="cn=subschema" by * read
olcSizeLimit: 500

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth manage by dn.exact=uid=ldap-admin,ou=users,dc=example,dc=net write by * break
olcRootDN: cn=admin,cn=config
olcRootPW:

dn: olcDatabase={1}monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to dn.subtree="cn=monitor" by dn.exact=cn=admin,cn=config read by dn.exact=cn=admin,dc=example,dc=net read

dn: olcDatabase={2}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcmdbConfig
olcDatabase: {2}mdb
olcDbDirectory: /opt/openldap-current/var/lib/ldap
olcSuffix: dc=example,dc=net
olcAccess: {0} to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth manage by dn.exact=uid=ldap-admin,ou=users,dc=example,dc=net write by dn.exact=uid=repl-user,ou=users,dc=example,dc=net read by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=subschema" by * read
olcAccess: {3} to attrs=userPassword by anonymous auth by self write by * none
olcLimits: {0} dn.exact="uid=repl-user,ou=users,dc=example,dc=net" time=unlimited size=unlimited
olcLimits: {1} dn.exact="uid=ldap-admin,ou=users,dc=example,dc=net" time=unlimited size=unlimited
olcRootDN: cn=admin,dc=example,dc=net
olcRootPW: {SSHA}D6GKFhWChzpTnTmsxLVqJqTnFm+8fr3K
olcSizeLimit: unlimited
olcTimeLimit: unlimited
olcDbCheckpoint: 512 30
olcDbIndex: default eq
olcDbIndex: objectClass
olcDbIndex: entryUUID
olcDbIndex: entryCSN
olcDbIndex: cn pres,eq,sub
olcDbIndex: uid pres,eq,sub
olcDbIndex: mail pres,eq,sub
olcDbIndex: sn pres,eq,sub
olcDbIndex: description pres,eq,sub
olcDbIndex: title pres,eq,sub
olcDbIndex: givenName pres,eq,sub
olcDbMaxSize: 85899345920

dn: olcOverlay={0}totp,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
olcOverlay: {0}totp

dn: olcOverlay={1}autoca,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAutoCAConfig
olcOverlay: {1}autoca
olcAutoCAuserKeybits: 4096
olcAutoCAserverKeybits: 4096
olcAutoCAKeybits: 4096
------------
After a few minutes or if I restart slapd I get the following error message:
---------------------
Jun 05 15:24:52 ldap25-p01 slapd[16210]: @(#) $OpenLDAP: slapd 2.5.5 (Jun 5 2021 14:07:21) $
root@ldap25-p01:/opt/openldap-2.5.5/servers/slapd
Jun 05 15:24:52 ldap25-p01 slapd[16210]: olcPasswordHash: value #0: <olcPasswordHash> scheme not available ({TOTP1})
Jun 05 15:24:52 ldap25-p01 slapd[16210]: olcPasswordHash: value #0: <olcPasswordHash> no valid hashes found
Jun 05 15:24:52 ldap25-p01 slapd[16210]: config error processing cn=config: <olcPasswordHash> no valid hashes found
---------------------
I used the documentation from Symas for configuring TOTP. What's wrong, and why does slapd start after configuration but crash when I restart it?
Stefan
--On Saturday, June 5, 2021 4:27 PM +0200 Stefan Kania stefan@kania-online.de wrote:
Hello,
I'm trying to set up TOTP1 and TOTP1ANDPW as password hash. I use Debian 10 with kernel 5.9 from the backports. As OpenLDAP I use 2.5.5. I set up everything via Ansible. My configure options are:
root@ldap25-p01:/opt/openldap-2.5.5/servers/slapd
Jun 05 15:24:52 ldap25-p01 slapd[16210]: olcPasswordHash: value #0: <olcPasswordHash> scheme not available ({TOTP1})
Jun 05 15:24:52 ldap25-p01 slapd[16210]: olcPasswordHash: value #0: <olcPasswordHash> no valid hashes found
Jun 05 15:24:52 ldap25-p01 slapd[16210]: config error processing cn=config: <olcPasswordHash> no valid hashes found
Hm, I've only ever used the OTP module that ships as a core part of OpenLDAP 2.5:
Personally I'd combine that with ARGON2 password hashes for secure password hash storage + 2 Factor auth.
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
Hi Quanah,
On 05.06.21 at 22:11, Quanah Gibson-Mount wrote:
Hm, I've only ever used the OTP module that ships as a core part of OpenLDAP 2.5:
Personally I'd combine that with ARGON2 password hashes for secure password hash storage + 2 Factor auth.
I have not tried this one yet, I will give it a try next week.
Stefan
Hi Quanah
On 05.06.21 at 22:11, Quanah Gibson-Mount wrote:
Personally I'd combine that with ARGON2 password hashes for secure password hash storage + 2 Factor auth.
ARGON2 is not part of the current version 2.5.5; I only find the sources on git.openldap.org. Will it ever become part of the OpenLDAP 2.5 version? In contrib/slapd-modules/passwd I only see pbkdf2, totp and sha2.
Stefan
On 6/7/21 10:23 AM, Stefan Kania wrote:
ARGON2 is not part of the current version 2.5.5; I only find the sources on git.openldap.org.
Not true.
It's in the main code now:
$ tar tzf openldap-2.5.5.tgz | grep argon
openldap-2.5.5/tests/scripts/test083-argon2
openldap-2.5.5/doc/man/man5/slappw-argon2.5
openldap-2.5.5/servers/slapd/pwmods/argon2.c
openldap-2.5.5/servers/slapd/pwmods/README.argon2
My openSUSE package:
$ rpm -ql openldap-ms | grep argon
/opt/openldap-ms/lib64/openldap/argon2-2.5.so.0
/opt/openldap-ms/lib64/openldap/argon2-2.5.so.0.1.0
/opt/openldap-ms/lib64/openldap/argon2.la
/opt/openldap-ms/lib64/openldap/argon2.so
/opt/openldap-ms/share/man/man5/slappw-argon2.5
How do you build your packages?
Ciao, Michael.
Hi Michael,
ok, I found the source files in server/slapd/pwmods. I was always searching in contrib/slapd-modules/passwd. I normally only use the Debian packages, but I want to start with 2.5 as early as possible, so I started to build 2.5 from source. Here is my ./configure line:
-------------
./configure --with-cyrus-sasl --with-tls=openssl --enable-overlays=mod --enable-backends=mod --disable-perl --disable-ndb --enable-crypt --enable-modules --enable-dynamic --enable-syslog --enable-debug --enable-local --enable-spasswd --disable-sql --prefix=/opt/openldap-current
-------------
After ./configure I do:
----------
make depend
make
make install

cd /opt/openldap-current/contrib/slapd-modules/passwd/totp/
make
make install

cd /opt/openldap-current/contrib/slapd-modules/passwd/sha2
make
make install

cd /opt/openldap-current/contrib/slapd-modules/passwd/pbkdf2
make
make install
----------
All the steps are part of an Ansible role. After building OpenLDAP, a find /opt/openldap-current/ -name "*argon*" only lists:
-------------
openldap-current/share/man/man5/slappw-argon2.5
openldap-current/servers/slapd/pwmods/argon2.c
openldap-current/servers/slapd/pwmods/README.argon2
openldap-current/doc/man/man5/slappw-argon2.5.tmp
openldap-current/doc/man/man5/slappw-argon2.5
openldap-current/tests/scripts/test083-argon2
-------------
Because of your hint with the path slapd/pwmods I read "./configure --help" and added "--enable-argon2". Now I find the missing files :-). Did I miss anything else in my configure line?
Thanks
Stefan
On 6/7/21 2:31 PM, Stefan Kania wrote:
ok, I found the source files in server/slapd/pwmods. I was always searching in contrib/slapd-modules/passwd. I normally only use the Debian packages, but I want to start with 2.5 as early as possible, so I started to build 2.5 from source. Here is my ./configure line:
./configure --with-cyrus-sasl --with-tls=openssl --enable-overlays=mod --enable-backends=mod --disable-perl --disable-ndb --enable-crypt --enable-modules --enable-dynamic --enable-syslog --enable-debug --enable-local --enable-spasswd --disable-sql --prefix=/opt/openldap-current
To build with libargon2 (which supports all ARGON2 arguments):
--enable-argon2 --with-argon2=libargon2
Of course this requires build files of libargon2 to be installed.
Alternatively you could use libsodium which does not support ARGON2 parameter p>1 though.
See also the .spec file for my openSUSE/SLE packages:
https://build.opensuse.org/package/view_file/home:stroeder:openldap25/openld...
Ciao, Michael.
On 07.06.21 at 15:29, Michael Ströder wrote:
To build with libargon2 (which supports all ARGON2 arguments):
--enable-argon2 --with-argon2=libargon2
Now it's compiling but still the same error :-(
Jun 07 15:37:24 ldap25-p02 slapd[8154]: olcPasswordHash: value #0: <olcPasswordHash> scheme not available ({ARGON2})
Jun 07 15:37:24 ldap25-p02 slapd[8154]: olcPasswordHash: value #0: <olcPasswordHash> no valid hashes found
Jun 07 15:37:24 ldap25-p02 slapd[8154]: config error processing cn=config: <olcPasswordHash> no valid hashes found
Jun 07 15:37:24 ldap25-p02 slapd[8154]: DIGEST-MD5 common mech free
Jun 07 15:37:24 ldap25-p02 slapd[8154]: DIGEST-MD5 common mech free
On 6/7/21 3:40 PM, Stefan Kania wrote:
On 07.06.21 at 15:29, Michael Ströder wrote:
To build with libargon2 (which supports all ARGON2 arguments):
--enable-argon2 --with-argon2=libargon2
Now it's compiling but still the same error :-(
Jun 07 15:37:24 ldap25-p02 slapd[8154]: olcPasswordHash: value #0: <olcPasswordHash> scheme not available ({ARGON2})
I'm not using writeable cn=config. cn=config is always read-only on my system (no -F argument) only used for monitoring with slapdcheck.
FWIW it works for me with 2.5.5 and slapd.conf like this:
moduleload argon2 m=4096 p=3 t=4
password-hash {ARGON2}
Fun fact: There is no olcPasswordHash attribute in cn=config.
BTW: Note that choosing ARGON2 parameters is not trivial:
https://openldap.org/hyperkitty/list/openldap-technical@openldap.org/message...
Ciao, Michael.
On 07.06.21 at 16:35, Michael Ströder wrote:
On 6/7/21 3:40 PM, Stefan Kania wrote:
On 07.06.21 at 15:29, Michael Ströder wrote:
To build with libargon2 (which supports all ARGON2 arguments):
--enable-argon2 --with-argon2=libargon2
Now it's compiling but still the same error :-(
Jun 07 15:37:24 ldap25-p02 slapd[8154]: olcPasswordHash: value #0: <olcPasswordHash> scheme not available ({ARGON2})
I'm not using writeable cn=config. cn=config is always read-only on my system (no -F argument) only used for monitoring with slapdcheck.
FWIW it works for me with 2.5.5 and slapd.conf like this:
moduleload argon2 m=4096 p=3 t=4
password-hash {ARGON2}
I will try it with slapd.conf
Fun fact: There is no olcPasswordHash attribute in cn=config.
I tried it with "olcPasswordHash {CRYPT}", just to check if I have a typo or something like that. And that is working: slapd starts, I can create passwords, everything is fine. As soon as I try one of the others, {ARGON2} or {TOTP1}..., slapd crashes, so the attribute is valid, but I think I'm missing something, and I don't know what.
BTW: Note that choosing ARGON2 parameters is not trivial:
https://openldap.org/hyperkitty/list/openldap-technical@openldap.org/message...
The link gives me a nice 404-page
Stefan
On 6/7/21 5:15 PM, Stefan Kania wrote:
On 07.06.21 at 16:35, Michael Ströder wrote:
BTW: Note that choosing ARGON2 parameters is not trivial:
https://openldap.org/hyperkitty/list/openldap-technical@openldap.org/message...
The link gives me a nice 404-page
https://lists.openldap.org/hyperkitty/list/openldap-technical@openldap.org/m...
Ciao, Michael.
--On Monday, June 7, 2021 4:40 PM +0200 Stefan Kania stefan@kania-online.de wrote:
On 07.06.21 at 15:29, Michael Ströder wrote:
To build with libargon2 (which supports all ARGON2 arguments):
--enable-argon2 --with-argon2=libargon2
Now it's compiling but still the same error :-(
I suggest examining test083 closely, as it uses cn=config to set up and configure ARGON2 with cn=config.
Regards, Quanah
On 07.06.21 at 17:18, Quanah Gibson-Mount wrote:
--On Monday, June 7, 2021 4:40 PM +0200 Stefan Kania stefan@kania-online.de wrote:
On 07.06.21 at 15:29, Michael Ströder wrote:
To build with libargon2 (which supports all ARGON2 arguments):
--enable-argon2 --with-argon2=libargon2
Now it's compiling but still the same error :-(
I suggest examining test083 closely, as it uses cn=config to set up and configure ARGON2 with cn=config.
looks ok to me:
-------------------
Starting test083-argon2 for mdb...

running defines.sh
Starting slapd on TCP/IP port 9011...
Using ldapsearch to check that slapd is running...
Adding basic structure...
Testing ldapwhoami as cn=argon2,dc=example,dc=com...
dn:cn=argon2,dc=example,dc=com
Test succeeded
test083-argon2 completed OK for mdb after 1 seconds.
-------------------
--On Monday, June 7, 2021 9:03 PM +0200 Stefan Kania stefan@kania-online.de wrote:
looks ok to me:
My point was to examine the generated configuration in the testrun dir, which has a clearly working configuration for the argon2 module, and compare it to what you've done.
Regards, Quanah
Thanks Quanah,
that helped a lot :). My fault was that I put the "olcPasswordHash" in "dn: cn=config", but it must be in {-1}frontend, as the result of the test shows:
----------
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcPasswordHash: {ARGON2}
----------
Now also {TOTP1ANDPW} is working. Thanks a lot. I learned a lot the last days.
Stefan
On 6/7/21 8:37 PM, Stefan Kania wrote:
that helped a lot :). My fault was that I put the "olcPasswordHash" in "dn: cn=config", but it must be in {-1}frontend, as the result of the test
Hmmpf! Object class olcGlobal should not allow olcPasswordHash:
https://bugs.openldap.org/show_bug.cgi?id=9575
Ciao, Michael.
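The two findings above (Stefan's olcPasswordHash sitting on cn=config instead of olcDatabase={-1}frontend, and Michael's note that olcGlobal should not even accept it) can be caught before slapd is restarted. This is an added example, not code from the thread or from OpenLDAP: a small Python checker that parses a slapcat-style cn=config dump (joining folded lines as slapcat wraps them), flags the misplaced attribute, checks that the module for each scheme is loaded, and prints the ldapmodify LDIF for the fix. The scheme-to-module mapping (pw-totp for {TOTP1}/{TOTP1ANDPW}, argon2 for {ARGON2}) and the sample dump are assumptions constructed from what the thread shows.

```python
"""Locate olcPasswordHash in a cn=config dump and emit the ldapmodify fix.
Added example modelled on this thread, not OpenLDAP project code. Assumed
scheme-to-module mapping: {TOTP1}/{TOTP1ANDPW} need pw-totp, {ARGON2} needs
argon2 (the modules named in the thread).
"""
import re

SCHEME_MODULE = {"TOTP1": "pw-totp", "TOTP1ANDPW": "pw-totp", "ARGON2": "argon2"}
FRONTEND_DN = "olcDatabase={-1}frontend,cn=config"


def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; folded lines (leading space) are joined."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # RFC 2849 continuation, as slapcat wraps
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], None
    for line in lines + [""]:                 # trailing "" flushes the last entry
        if not line:
            if cur:
                entries.append(cur)
            cur = None
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            value = value.lstrip()            # base64 ("::") values are not decoded
            if attr == "dn":
                cur = (value, {})
            elif cur is not None:
                cur[1].setdefault(attr, []).append(value)
    return entries


def loaded_modules(entries):
    """Module names from olcModuleLoad values, minus {n} prefix, args and .la/.so."""
    mods = set()
    for _, attrs in entries:
        for v in attrs.get("olcModuleLoad", []):
            parts = re.sub(r"^\{\d+\}", "", v).split()
            if parts:
                mods.add(re.sub(r"\.(la|so)$", "", parts[0]))
    return mods


def check_password_hash(text):
    """Findings about olcPasswordHash placement and modules; [] means sane."""
    entries = parse_ldif(text)
    mods = loaded_modules(entries)
    findings, frontend_has_hash = [], False
    for dn, attrs in entries:
        for v in attrs.get("olcPasswordHash", []):
            if dn == "cn=config":             # the misplacement from the thread
                findings.append(f"olcPasswordHash {v} is on cn=config; "
                                f"move it to {FRONTEND_DN}")
            elif dn == FRONTEND_DN:
                frontend_has_hash = True
            for scheme in re.findall(r"\{([A-Z0-9]+)\}", v):
                need = SCHEME_MODULE.get(scheme)
                if need and need not in mods:
                    findings.append(f"{{{scheme}}} needs olcModuleLoad: {need} "
                                    f"(loaded: {sorted(mods) or 'none'})")
    if not frontend_has_hash:
        findings.append(f"no olcPasswordHash on {FRONTEND_DN}")
    return findings


def fix_ldif(scheme, module):
    """ldapmodify input: load the module, set the hash on the frontend database."""
    return ("dn: cn=module{0},cn=config\nchangetype: modify\nadd: olcModuleLoad\n"
            f"olcModuleLoad: {module}\n\n"
            f"dn: {FRONTEND_DN}\nchangetype: modify\nreplace: olcPasswordHash\n"
            f"olcPasswordHash: {{{scheme}}}\n")


# Constructed sample in the shape of the thread's dump: hash on cn=config,
# pw-totp loaded, one folded olcModulePath line, nothing on the frontend.
BROKEN = """dn: cn=config
objectClass: olcGlobal
olcPasswordHash: {TOTP1}

dn: cn=module{0},cn=config
olcModulePath: /opt/openldap-current/libexec/openldap:/usr/local/libexec/openl
 dap
olcModuleLoad: {0}back_mdb
olcModuleLoad: {2}pw-totp.la

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
"""
```

Run it against `slapcat -n 0` output instead of BROKEN to check a live server; the emitted LDIF is meant for `ldapmodify -Y EXTERNAL -H ldapi:///`.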
On Sat, 5 Jun 2021 15:27:40 +0200, Stefan Kania stefan@kania-online.de wrote:
Have a look at this blog entry, dated 2015: https://blog.sys4.de/totp-time-based-one-time-password-authentication-en.htm...
-Dieter
Hello Dieter, I think I read everything I could find, also your posting :-). The only thing I did not set is "security ssf=1", but I think that has nothing to do with my error message. What I don't understand is why I can set the option olcPasswordHash without an error, but as soon as I try to do anything or restart slapd, slapd crashes.
On 06.06.21 at 11:01, Dieter Klünter wrote:
On Sat, 5 Jun 2021 15:27:40 +0200, Stefan Kania stefan@kania-online.de wrote:
Have a look at this blog entry, dated 2015: https://blog.sys4.de/totp-time-based-one-time-password-authentication-en.htm...
-Dieter