On 06Feb25 12:41+0100, Christoph Pleger wrote:
> > To my knowledge, the secret is a binary blob encoded in base64 or 
> > sometimes base32. So, yes, it would be possible. Keep in mind to set the 
> > default parameters of google-authenticator also in the slapo-otp configs 
> > (SHA1, 30s timewindow, etc)
> > 
> > Which db overlay are you going to use? There are two in the 
> > openldap-distribution; one in the maintained branch (slapo-otp) and the 
> > other one in the contrib/ branch (pw-totp.so)
> 
> I am using slapo-otp. In the meanwhile, I managed to make it work with
> newly generated OTP secrets, but converting secrets from
> ${HOME}/.google_authenticator failed, I am wondering why, because I
> used base32 binary from google-authenticator project to decode the value
> from .google_authenticator and then base64 to encode again, like this:
> 
> -/base32 -D <base32-coded> | base64

Depending on your script, trailing newlines might have snuck in.

> No errors were shown while doing this, but after changing OpenLDAP TOTP
> secret to the result of above command, login was not possible.

My knowledge about slapo-otp is a bit outdated. I remember multiple 
steps which need to be done and multiple entries need to be created.

The ldap entries you want to bind to with userpassword + 2fa-TOTP need 
to implement the objectclass oathTOTPUser with attributes oathTOTPToken.
The value of the attribute oathTOTPToken points to a DN which implements 
objectclass oathTOTPToken with attributes oathSecret, oathSecretTime, 
etc. Also oathTOTPParams need to be implemented there.
...
Here, oathsecret would be set to the content of your secret, but as I 
see in the man: `The shared secret is stored here as raw bytes.` 
Meaning, not base64. If you add it via LDIF as `oathSecret:: $BASE64_BLOB`, 
it should work.

Unfortunately, I do not recall if this is all, my testbed is not 
available any more. I extracted the info to get a running testbed from 
`slapo-otp(5)` and the sources in file 
`2.6.3/servers/slapd/overlays/otp.c`. The latter gave me a decent 
understanding about the OATH-LDAP schema.

When all is set up, the bind call then could look like:
ldapwhoami -x -H ... -D uid=user,... -w "${PASSWORD}${TOTPTOKEN}"

${PASSWORD} would be the user password which authenticates against 
the `userpassword` attribute as usual, immediately followed (no 
delimiter) by a TOTP verification token of six characters (see 
oathOTPLength). e.g. "mysecretpassword123456"


I hope this helps a bit,

Best,
-- 
Bastian Tweddell            Juelich Supercomputing Centre
phone: +49 (2461) 61-6586      High Performance Systems
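The conversion and bind steps discussed in this thread, as an added example that is not from the thread or from the OpenLDAP project. It assumes the libpam google-authenticator file layout (first line is the base32 secret), strips the trailing newline before decoding so it cannot end up inside the blob, emits the LDIF `oathSecret::` line (the double colon marks a base64-encoded value that slapd stores as raw bytes), computes a TOTP with the google-authenticator defaults (SHA1, 30 s step, 6 digits) for comparison with the phone app, and builds the userPassword+token string used by the `ldapwhoami` bind. The sample file content and password are constructed.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample of a ~/.google_authenticator file: first line is the
# base32 secret, the remaining lines are options and scratch codes.
SAMPLE_GOOGLE_AUTHENTICATOR = (
    "JBSWY3DPEHPK3PXP\n"
    '" RATE_LIMIT 3 30\n'
    '" TOTP_AUTH\n'
    "12345678\n"
)


def secret_from_google_authenticator(file_text: str) -> bytes:
    """Decode the base32 secret on the first line into raw bytes.

    The line is stripped first: a trailing newline that survives a shell
    pipeline is exactly what silently corrupts the decoded blob.
    """
    first_line = file_text.splitlines()[0].strip().upper()
    # google-authenticator writes the secret without '=' padding; restore it.
    padded = first_line + "=" * (-len(first_line) % 8)
    return base64.b32decode(padded)


def ldif_oath_secret_line(secret: bytes) -> str:
    """LDIF line for the oathSecret attribute of an oathTOTPToken entry.

    'attr::' means the value is base64-encoded in the LDIF; slapd decodes it
    and stores the raw bytes, which is what slapo-otp expects.
    """
    return "oathSecret:: " + base64.b64encode(secret).decode("ascii")


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238 TOTP (HOTP over a time counter) with google-authenticator
    defaults; pass other values if the oathTOTPParams entry differs."""
    counter = int(for_time) // step
    digest = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def bind_password(user_password: str, token: str) -> str:
    """slapo-otp bind credential: userPassword immediately followed by the
    TOTP token, with no delimiter between them."""
    return user_password + token


if __name__ == "__main__":
    secret = secret_from_google_authenticator(SAMPLE_GOOGLE_AUTHENTICATOR)
    print("# paste into the oathTOTPToken entry:")
    print("objectClass: oathTOTPToken")
    print(ldif_oath_secret_line(secret))
    token = totp(secret, int(time.time()))
    # Constructed password; the real one authenticates against userPassword.
    print("# -w value for ldapwhoami:", bind_password("mysecretpassword", token))
```

Running it prints the `oathSecret::` line to paste into the token entry and the current `-w` value; if the printed token matches what the authenticator app shows for the same secret, the secret conversion is correct and any remaining bind failure lies in the entry wiring rather than in the encoding.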
