Hi Jose,

great that it works now! :)

You can set up a write user the same way, e.g.:


access to dn.subtree="dc=test,dc=lan"
        attrs=objectClass,oathSecret,oathTokenSerialNumber,oathTOTPToken,oathTOTPParams
    by dn.base="uid=bindrw,dc=test,dc=lan" write
    by * break

See e.g. https://medium.com/@moep/keeping-your-sanity-while-designing-openldap-acls-9132068ed55c

The user can be created with LAM upfront.


Best regards

Roland
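
Putting the write rule above next to Jose's existing read-only rule, as an added slapd.conf fragment that is not from the thread, from LAM or from the OpenLDAP documentation; it assumes the base DN dc=test,dc=lan and the bind user name bindtotp that Jose proposed, and it is the least-privilege alternative to binding the self service as the rootdn, which is not subject to ACLs at all:

```conf
# slapd.conf ACL fragment, added example (not from the mailing list thread).
# Assumes the base DN dc=test,dc=lan from the thread and the bind user names
# bindro (existing read-only user) and bindtotp (the TOTP write user Jose proposed).
# The attribute list is the one from Roland's reply.

# Rule 1 has to come first: slapd uses the first "access to" directive whose
# <what> clause matches the entry and attribute, so an attribute-specific rule
# placed after "access to *" would never be consulted.
access to dn.subtree="dc=test,dc=lan"
        attrs=objectClass,oathSecret,oathTokenSerialNumber,oathTOTPToken,oathTOTPParams
    by dn.base="uid=bindtotp,dc=test,dc=lan" write
    by * break

# Rule 2: the existing read-only bind user, unchanged.
# "by * break" sends every other identity on to the next access directive
# instead of ending the evaluation here.
access to *
    by dn.base="uid=bindro,dc=test,dc=lan" read
    by * break

# Caveat: because rule 1 ends with "break", bindro falls through to rule 2 and
# gets read access to all attributes, oathSecret included. If the read-only
# account must not see TOTP seeds, restrict oathSecret in a separate rule that
# precedes rule 1.
```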


Am 14.11.21 um 02:49 schrieb Gomez-Rubio, J L. via Lam-public:
Hi Roland.

Got it working with your suggestion and the Symas How-To Guide "Two-Factor 
Authentication".

I was able to generate a QR code from the self-service portal and was able to do a 
'ldapwhoami' on my account by entering the password followed by the OTP code.

I have one issue, according to the LDAP Account Manager Guide Chapter 7 - Self 
service (LAM Pro) it says:

"OpenLDAP TOTP

This allows your users to setup OpenLDAP TOTP tokens.

Please note that this requires to use a bind user that is also used for all 
operations. This user needs to be able to add/remove the TOTP object classes and 
attributes."

I'm currently using the "cn=Manager,dc=test,dc=lan" which is the rootdn for the 
DIT in the OpenLDAP TOTP Server settings.

For some reason, I can't figure out how to create a bind user to "...add/remove the 
TOTP object classes and attributes."

I already have a read-only bind user called "bindro" with the following access 
control in slapd.conf:

access to *
    by dn.base="uid=bindro,dc=test,dc=lan" read
    by * break

Any suggestions on creating a bind user to "...add/remove the TOTP object classes 
and attributes." and the associated access control?

I plan on naming this bind user "bindtotp".

On 11/10/21, 3:10 PM, "Roland Gruber" <p...@rolandgruber.de> wrote:

     Hi Jose,

     please check your self service profile. On tab "Module settings" there
     is "OpenLDAP TOTP" where you can specify the DN with the DN of the TOTP
     parameters.
     This DN must contain oathHMACAlgorithm, oathOTPLength,
     oathTOTPTimeStepPeriod.


     Best regards

     Roland


     Am 09.11.21 um 00:19 schrieb Gomez-Rubio, J L. via Lam-public:
     > Howdy.
     >
     > Stood up a test VM running CentOS 7 with Symas OpenLDAP 2.5 with LAM Pro 7.7.
     >
     > Added the otp overlay and module in slapd.conf and did a slaptest -f slapd.conf. No errors.
     >
     > I did a slapcat from the production OpenLDAP 2.4 server and did a slapadd on the test VM.
     >
     > I was able to view the DIT using both the Manager and Bind User credentials using ldapsearch on the test VM.
     >
     > Followed the steps in the LAM Manual to set up OTP by adding the TOTP module for users and the Self Service OpenLDAP TOTP steps.
     >
     > Went to the Self Service page and logged in with my account and got the following error under the TOTP line:
     >
     > “The OTP parameters could not be read.”
     >
     > I’m guessing it’s because the original production DIT never had the TOTP object class oathTOTPParams for user accounts?
     >
     > Jose
     >
     >
     >
     > _______________________________________________
     > Lam-public mailing list
     > Lam-public@lists.sourceforge.net
     > https://lists.sourceforge.net/lists/listinfo/lam-public
     >

