On 05Feb25 12:11+0100, Christoph Pleger wrote:
> So:
>
> Is it possible to convert the secret from ${HOME}/.google_authenticator to
> OpenLDAP format?

To my knowledge, the secret is a binary blob encoded in base64 or sometimes
base32. So, yes, it would be possible.

Keep in mind to set the default parameters of google-authenticator also in the
slapo-otp configs (SHA1, 30s time window, etc.).

Which db overlay are you going to use? There are two in the
openldap-distribution; one in the maintained branch (slapo-otp) and the other
one in the contrib/ branch (pw-totp.so).

I'm currently using the second module from the contrib branch because we've set
up a dedicated TOTP verification slapd that only verifies TOTP after the user
has already authenticated with the first factor.

Unfortunately, the slapo-otp module doesn't quite fit our needs, as it requires
a password as the first factor and then sends both the password and TOTP token
together in one LDAP bind call. This doesn't work for us since our first factor
is SSH public key authentication.

I did want to mention that there's a pending feature request that would allow
the maintained module (slapo-otp) to verify TOTP only, which would be a huge
help [1]. I thought I'd bring it up here in case any OpenLDAP developers might
be willing to take another look :)

1: https://bugs.openldap.org/show_bug.cgi?id=10169

Happy to hear any updates on how you succeeded.

Cheers,
--
Bastian Tweddell
Juelich Supercomputing Centre
phone: +49 (2461) 61-6586
High Performance Systems
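The conversion discussed above, as an added example that is not part of the original message or of OpenLDAP: it reads the base32 secret from the first line of a .google_authenticator file, re-encodes the raw key, and checks it with the SHA1 / 30s defaults against the RFC 6238 test vectors. The sample file is constructed, and which encoding and attribute the target overlay expects is an assumption to confirm in that overlay's documentation.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample file: the RFC 6238 test key, not a real user secret.
SAMPLE_FILE = '''GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 17
" TOTP_AUTH
12345678
'''

def parse_google_authenticator(text):
    """Return (raw_key, options) from the contents of a .google_authenticator file."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if not lines:
        raise ValueError("empty file")
    b32 = lines[0].upper()
    b32 += "=" * (-len(b32) % 8)  # the file stores the secret as unpadded base32
    raw_key = base64.b32decode(b32)
    # Option lines start with a double quote; remaining lines are scratch codes.
    options = [l[1:].strip() for l in lines[1:] if l.startswith('"')]
    return raw_key, options

def totp(raw_key, unix_time, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238 TOTP; the defaults mirror SHA1 and the 30s time window."""
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(raw_key, counter, algo).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def convert(text):
    """Re-encode the secret; refuse files that are not time-based (e.g. HOTP)."""
    raw_key, options = parse_google_authenticator(text)
    if "TOTP_AUTH" not in options:
        raise ValueError("file is not marked TOTP_AUTH")
    return {
        "base32": base64.b32encode(raw_key).decode(),
        "base64": base64.b64encode(raw_key).decode(),
        "hex": raw_key.hex(),
    }

if __name__ == "__main__":
    key, _ = parse_google_authenticator(SAMPLE_FILE)
    print(convert(SAMPLE_FILE))
    print("TOTP at t=59:", totp(key, 59))
```

Comparing a code computed from the converted key with what the user's authenticator app shows at the same moment confirms the secret and parameters survived the migration before the old file is retired.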
