Bastian Tweddell wrote: > Hello all, I just began to deploy a testbed with the 2.7 RC, which > introduces the compare op for the slapo-otp [1]. TOTP verification works > well on a standalone slapd, or a slapd provider DB. > > 1: https://git.openldap.org/openldap/openldap/-/merge_requests/755 > > I’m stuck with a configuration issue that I haven’t been able to > resolve. In our environment the authentication-clients send TOTP > verification requests against a slapd which runs a syncrepl'icated DB; > not against the provider. The problem now is that the syncrepl DB is > read-only and the slapo-otp overlay wants to update the attributes of > the user-entry about the last successful TOTP verification > (`attrs=oathTOTPLastTimeStep, oathTOTPTimeStepDrift`). This fails and > the error message says 'otp_check_and_update: failed to invalidate > provided token rc=53: shadow context; no update referral' > > I had a go with adding the `updateref` to the syncrepl DB which points > back to the provider. The modification of the entry would be sent to the > provider and from there distributed to all providers and consumers. > Adding `updateref` did not work unfortunately. The error message now > says `otp_check_and_update: failed to invalidate provided token rc=10:`
The updateref setting alone only tells a client that it must go elsewhere, it doesn't do the operation for them. For this scenario you also need slapo-chain to complete the operation. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
