--On Friday, February 21, 2025 11:36 AM +0000 [email protected] wrote:
Hello!
I am using a 3-way multimaster syncrepl setup with the slapo-otp module.
My problem is that when authenticating with a user using HOTP, the
attribute oathHOTPCounter only updates the value on the target ldap
instance. This means the other two ldap instances do not get the updated
HOTP-counter value and therefore will allow authentication using the same
HOTP code.
Interestingly enough, if I manually edit the oathHOTPCounter value it
synchronizes with the other masters.
Any idea what the problem could be?
Yes, it lacks the necessary update code to function in an MMR environment.
It needs something similar to slapo-ppolicy's update functionality:
ppolicy_forward_updates
    Specify that policy state changes that result from Bind operations (such as recording failures, lockout, etc.) on a consumer should be forwarded to a provider instead of being written directly into the consumer's local database. This setting is only useful on a replication consumer, and also requires the updateref setting and chain overlay to be appropriately configured.
I.e., it lacks but needs a totp_forward_updates parameter.
I suggest filing a feature request on this at https://bugs.openldap.org
--Quanah
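The replay described in this thread, as an added simulation (not code from OpenLDAP or slapo-otp): three masters each hold their own copy of oathHOTPCounter, a bind on one master advances only that copy, and the same HOTP code is then accepted again on a peer; with the counter write replicated (the forward_updates behaviour Quanah describes), the second bind fails. The secret is the RFC 4226 test key; the Ring class and its forward_updates flag are constructed for illustration.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


class Ring:
    """Constructed model of a 3-way MMR ring; each master keeps its own oathHOTPCounter."""

    def __init__(self, secret: bytes, names=("ldap1", "ldap2", "ldap3"), window: int = 3):
        self.secret = secret
        self.window = window
        self.counter = {n: 0 for n in names}

    def replicate(self, value: int) -> None:
        """A modify that goes through syncrepl reaches every master (like the manual edit)."""
        for n in self.counter:
            self.counter[n] = value

    def bind(self, master: str, code: str, forward_updates: bool) -> bool:
        """Verify `code` against `master`'s counter, accepting any value inside the
        look-ahead window, then move the counter past the value that matched."""
        start = self.counter[master]
        for c in range(start, start + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                if forward_updates:
                    self.replicate(c + 1)          # counter change is replicated
                else:
                    self.counter[master] = c + 1   # local-only write, as reported
                return True
        return False


def replay_succeeds(forward_updates: bool) -> bool:
    """True if a code already consumed on ldap1 still binds on ldap2."""
    ring = Ring(b"12345678901234567890")   # RFC 4226 test secret
    code = hotp(ring.secret, 0)
    first = ring.bind("ldap1", code, forward_updates)
    second = ring.bind("ldap2", code, forward_updates)
    return first and second
```

Comparing oathHOTPCounter for one user across all three masters after a bind is a quick way to confirm whether the deployed overlay shows this divergence.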