On Sat, 7 Nov 2015 13:29:25 +0100, Dieter Klünter <[email protected]> wrote:
> On Sat, 7 Nov 2015 01:04:57 +0000, Howard Chu <[email protected]> wrote:
>
> > Dieter Klünter wrote:
> > > On Fri, 6 Nov 2015 08:55:34 +0000, Emmanuel Dreyfus <[email protected]> wrote:
> > >
> > >> Hello
> > >>
> > >> It seems OTP was broken at some time, I wonder if it is just me
> > >> (and why), or if it is more general. I have a user with:
> > >> cmusaslsecretOTP: sha1 0499 se2124 xxxxxxxxxxxxxxxx
> > >> 00000000
> > >>
> > >> slapd.conf contains:
> > >> access to dn.regex="^uid=.+,dc=example,dc=net$"
> > >> attrs=cmusaslsecretOTP by anonymous auth stop
> > >> by self write stop
> > >> by * none stop
> > >>
> > >> I try:
> > >> $ ldapwhoami -Y OTP -X dn:${user_dn}
> > >> SASL/OTP authentication started
> > >> (delay)
> > >> ldap_sasl_interactive_bind_s: Server is unavailable (52)
> > >> additional info: SASL(-8): transient failure (e.g., weak
> > >> key): simultaneous OTP authentications not permitted
> > >>
> > >> This is:
> > >> OpenLDAP 2.4.42
> > >> Cyrus SASL 2.1.26
> > >
> > > If you are referring to sasl-OTP, which requires opiekey, this is
> > > still working,
> > >
> > > https://sys4.de/de/blog/2014/04/15/one-time-password-system-network-based-services/
> > >
> > > On the other hand, there is a Time based OTP module in
> > > contrib/slapd-modules/passwd/otpt which is broken, although I use
> > > google authenticator and alternatively sophos authenticator.
> >
> > The passwd/totp module is a slapd password-hash mechanism and has
> > nothing to do with SASL. It also works perfectly with google
> > authenticator. What makes you say it's broken?
>
> I am not claiming the totp module to be a SASL Mechanism.
>
> 1. compiled pw-totp
> 2. installed pw-totp.la and pw-totp.so.0.0.0
> 3. included pw-totp.la in slapd.conf
> 4. added password-hash {TOTP1}

4.1 forgot to mention that I have added an overlay declaration, overlay totp, which happens to be the first overlay, followed by memberOf

> 5. created a user
>
> dn: cn=test1 example,o=Test
> sn: example
> objectClass: inetOrgPerson
> cn: test1 example
> givenName: test1
>
> 6. added credentials by ldappasswd
> userPassword:: e1RPVFAxfU5CVUVJNktFSk1ZRENOQlRHSTJUTVFLQ0lOQ0E9PT09
> 8. added credentials to google Authenticator and sophos authenticator
> 9. run ./ldapwhoami -D "cn=test1 example,o=Test" -W -H ldap://localhost:9007
> 10. entered the number string from an authenticator
> 11. result: ldap_bind: Invalid credentials (49)
>
> You may test yourself, based on my credentials.

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N 10°08'02,42"E
