Stefan Kania wrote:
> Hi to all,
>
> I'm still testing TOTP with OpenLDAP 2.5. I got TOTP1 running. So a user
> with an OTP can use the six-digit number from googleauthenticator (or
> freeOTP+) to authenticate while using ldapsearch. Then I switch to
> TOTP1ANDPW and generate a secret key for the TOTP part of userPassword.
> Then I create a password with "slappasswd" and put both TOTP1|password
> together in userPassword. After decoding the base64 I saw what I expected:
> ------------
> dn: cn=u1,ou=users,dc=example,dc=net
> objectClass: posixAccount
> objectClass: inetOrgPerson
> objectClass: organizationalPerson
> objectClass: person
> objectClass: autoCAuser
> loginShell: /bin/bash
> homeDirectory: /home/u1
> uid: u1
> uidNumber: 10010
> gidNumber: 10000
> sn: u
> givenName: 1
> cn: u1
> userPassword::
> e1RPVFAxQU5EUFd9TUpBVk1UM0tNUlVXSVNDUEtKWEhJWVNaR1kzRE80Q0x8e1N
> TSEF9RWlCcVIwUGR4SUluMSswZTNqRSs1MXlwb1p6dTFKVUc=
> ------------------
>
> echo
> "e1RPVFAxQU5EUFd9TUpBVk1UM0tNUlVXSVNDUEtKWEhJWVNaR1kzRE80Q0x8e1NTSEF9RWlCcVIwUGR4SUluMSswZTNqRSs1MXlwb1p6dTFKVUc="
> | base64 -d
> {TOTP1ANDPW}MJAVMT3KMRUWISCPKJXHIYSZGY3DO4CL|{SSHA}EiBqR0PdxIIn1+0e3jE+51ypoZzu1JUG
>
> I then try to authenticate using ldapsearch with:
> 123456secret
> where 123456 is the six-digit key from googleauthenticator and "secret"
> is the password. But I always get an error 49 :-(
> I read this to set up the password:
> https://git.openldap.org/ondra/openldap/-/tree/dfe1f6494d69a885477e854944a6a32bdabdbb50/contrib/slapd-modules/passwd/totp
>
> Any hint? Anyone who got this running?
The correct order is <password><otp> so you should have used "secret123456"
with ldapsearch.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
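As an added illustration of the point made in the reply (this is example code written for this thread, not the OpenLDAP totp module's own implementation), the snippet below lays out a `{TOTP1ANDPW}` value the way the decoded userPassword above shows it, generates RFC 6238 TOTP codes from the base32 key, and checks a bind credential assembled as `<password><otp>`. Assumptions are labelled in the code: the verifier takes the last six characters of the credential as the OTP, the inner hash is OpenLDAP's `{SSHA}` form, and the TOTP parameters are the RFC 6238 defaults (HMAC-SHA1, 30-second step, 6 digits). The key, password and salt used for the demonstration are constructed (the key is the RFC 6238 test-vector key), not values from the thread.

```python
"""Worked example of the {TOTP1ANDPW} layout and the <password><otp> credential order.

Example code added for this discussion; it is NOT the OpenLDAP totp module.
Labelled assumptions: base32 key after the scheme tag, {SSHA} inner hash,
OTP taken from the END of the bind credential, RFC 6238 default parameters.
"""
import base64
import hashlib
import hmac
import struct
import time

SCHEME = "{TOTP1ANDPW}"
STEP = 30      # seconds per TOTP step (RFC 6238 default)
DIGITS = 6     # OTP length (RFC 6238 default)


def parse_totp1andpw(userpassword: str):
    """Split '{TOTP1ANDPW}<base32 key>|<inner hash>' into (key bytes, inner hash)."""
    if not userpassword.startswith(SCHEME):
        raise ValueError("not a {TOTP1ANDPW} value")
    key_b32, sep, inner = userpassword[len(SCHEME):].partition("|")
    if not sep or not inner:
        raise ValueError("missing '|<password hash>' part")
    pad = "=" * (-len(key_b32) % 8)          # b32decode needs padding to 8 chars
    return base64.b32decode(key_b32 + pad, casefold=True), inner


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 (the 'TOTP1' variant)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, now: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(key, now // step, digits)


def ssha_hash(password: str, salt: bytes) -> str:
    """OpenLDAP {SSHA}: base64(sha1(password || salt) || salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password: str, stored: str) -> bool:
    """Constant-time comparison of a password against an {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]           # SHA-1 digest is 20 bytes, rest is salt
    calc = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(calc, digest)


def build_credential(password: str, otp: str) -> str:
    """What the client sends as the bind password: <password><otp>, not <otp><password>."""
    return password + otp


def check_bind(userpassword: str, credential: str, now: int, window: int = 1) -> bool:
    """Verify a bind credential against a {TOTP1ANDPW} value.

    Assumption: the OTP is the last DIGITS characters of the credential, so a
    credential assembled as <otp><password> fails even when both parts are right.
    Adjacent time steps (+/- window) are accepted to tolerate small clock skew.
    """
    key, inner = parse_totp1andpw(userpassword)
    if len(credential) <= DIGITS:
        return False
    password, otp = credential[:-DIGITS], credential[-DIGITS:]
    if not ssha_verify(password, inner):
        return False
    counter = now // STEP
    return any(hmac.compare_digest(hotp(key, counter + d), otp)
               for d in range(-window, window + 1))


def make_userpassword(key: bytes, password: str, salt: bytes) -> str:
    """Assemble the stored value in the form the thread shows after base64 -d."""
    key_b32 = base64.b32encode(key).decode().rstrip("=")
    return SCHEME + key_b32 + "|" + ssha_hash(password, salt)


if __name__ == "__main__":
    # Constructed demo values: RFC 6238 test-vector key, password "secret", 4-byte salt.
    demo_key = b"12345678901234567890"
    stored = make_userpassword(demo_key, "secret", b"salt")
    now = int(time.time())
    print("stored userPassword:", stored)
    print("correct credential accepted:",
          check_bind(stored, build_credential("secret", totp(demo_key, now)), now))
    print("<otp><password> order accepted:",
          check_bind(stored, totp(demo_key, now) + "secret", now))
```

Running the module prints the stored value and shows the `<password><otp>` credential being accepted while the `<otp><password>` order is rejected, which is the symptom described in the question.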