Bastian Tweddell wrote:
> Hello all, I just began to deploy a testbed with the 2.7 RC, which 
> introduces the compare op for the slapo-otp [1]. TOTP verification works 
> well on a standalone slapd, or a slapd provider DB.
> 
>   1: https://git.openldap.org/openldap/openldap/-/merge_requests/755
> 
> I’m stuck with a configuration issue that I haven’t been able to 
> resolve. In our environment the authentication-clients send TOTP 
> verification requests against a slapd which runs a syncrepl'icated DB; 
> not against the provider. The problem now is that the syncrepl DB is 
> read-only and the slapo-otp overlay wants to update the attributes of 
> the user-entry about the last successful TOTP verification 
> (`attrs=oathTOTPLastTimeStep, oathTOTPTimeStepDrift`). This fails and 
> the error message says 'otp_check_and_update: failed to invalidate 
> provided token rc=53: shadow context; no update referral'
> 
> I had a go with adding the `updateref` to the syncrepl DB which points 
> back to the provider. The modification of the entry would be sent to the 
> provider and from there distributed to all providers and consumers. 
> Adding `updateref` did not work unfortunately. The error message now 
> says `otp_check_and_update: failed to invalidate provided token rc=10:`

The updateref setting alone only tells a client that it must go elsewhere, it
doesn't do the operation for them. For this scenario you also need slapo-chain 
to
complete the operation.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

Reply via email to