Re: [Lam-public] Setting up OpenLDAP TOTP error
Hi Jose,

great that it works now! :)

You can set up a write user the same way, e.g.:

    access to dn.subtree="dc=test,dc=lan" attrs=objectClass,oathSecret,oathTokenSerialNumber,oathTOTPToken,oathTOTPParams
        by dn.base="uid=bindrw,dc=test,dc=lan" write
        by * break

See e.g. https://medium.com/@moep/keeping-your-sanity-while-designing-openldap-acls-9132068ed55c

The user can be created with LAM upfront.

Best regards

Roland

On 14.11.21 at 02:49, Gomez-Rubio, J L. via Lam-public wrote:
> Hi Roland.
>
> Got it working with your suggestion and the Symas How-To Guide "Two-Factor Authentication". I was able to generate a QR code from the self-service portal and was able to do a 'ldapwhoami' on my account by entering the password followed by the OTP code.
>
> I have one issue. According to the LDAP Account Manager Guide, Chapter 7 - Self service (LAM Pro), it says:
>
> "OpenLDAP TOTP
> This allows your users to setup OpenLDAP TOTP tokens. Please note that this requires to use a bind user that is also used for all operations. This user needs to be able to add/remove the TOTP object classes and attributes."
>
> I'm currently using "cn=Manager,dc=test,dc=lan", which is the rootdn for the DIT, in the OpenLDAP TOTP Server settings. For some reason, I can't figure out how to create a bind user to "...add/remove the TOTP object classes and attributes."
>
> I already have a read-only bind user called "bindro" with the following access control in slapd.conf:
>
>     access to *
>         by dn.base="uid=bindro,dc=test,dc=lan" read
>         by * break
>
> Any suggestions on creating a bind user to "...add/remove the TOTP object classes and attributes." and the associated access control? I plan on naming this bind user "bindtotp".
>
> On 11/10/21, 3:10 PM, "Roland Gruber" wrote:
>> Hi Jose,
>>
>> please check your self service profile. On tab "Module settings" there is "OpenLDAP TOTP" where you can specify the DN of the TOTP parameters. This DN must contain oathHMACAlgorithm, oathOTPLength, oathTOTPTimeStepPeriod.
>>
>> Best regards
>>
>> Roland
>>
>> On 09.11.21 at 00:19, Gomez-Rubio, J L. via Lam-public wrote:
>>> Howdy.
>>>
>>> Stood up a test VM running CentOS 7 with Symas OpenLDAP 2.5 with LAM Pro 7.7.
>>>
>>> Added the otp overlay and module in slapd.conf and did a slaptest -f slapd.conf. No errors.
>>>
>>> I did a slapcat from the production OpenLDAP 2.4 server and did a slapadd on the test VM.
>>>
>>> I was able to view the DIT using both the Manager and Bind User credentials using ldapsearch on the test VM.
>>>
>>> Followed the steps in the LAM Manual to set up OTP by adding the TOTP module for users and the Self Service OpenLDAP TOTP steps.
>>>
>>> Went to the Self Service page and logged in with my account and got the following error under the TOTP line:
>>>
>>> "The OTP parameters could not be read."
>>>
>>> I'm guessing it's because the original production DIT never had the TOTP object class oathTOTPParams for user accounts?
>>>
>>> Jose

___
Lam-public mailing list
Lam-public@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lam-public
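As an added illustration of the ACL approach Roland describes above, here is a complete slapd.conf access stanza for a dedicated TOTP bind user. This is example configuration written for this thread, not from the original messages, from the LAM project or from Symas. It uses the dc=test,dc=lan suffix and the bindro rule from Jose's mail, Jose's planned user name bindtotp, and the attribute list from Roland's reply; the split of oathSecret into its own rule and the extension of the catch-all rule are the assumptions made here.

```conf
# Added example: slapd.conf ACLs for a dedicated LAM TOTP bind user.
# Assumptions: suffix dc=test,dc=lan, bind user uid=bindtotp (name planned in
# the thread), existing read-only user uid=bindro (from the thread).
#
# slapd evaluates "access to" directives in order and stops at the first
# "to" clause matching the target entry/attribute, unless the matching "by"
# clause ends in "break". The specific TOTP rules therefore have to come
# before the catch-all "access to *".

# 1. The shared TOTP seed is the most sensitive attribute. Only the bind user
#    may read or write it; users cannot read their own seed, so a stolen
#    self-service or client session cannot export it. Bind-time code checks
#    are done by the otp overlay inside slapd and do not rely on clients
#    being able to read oathSecret.
access to dn.subtree="dc=test,dc=lan" attrs=oathSecret
    by dn.base="uid=bindtotp,dc=test,dc=lan" write
    by * none

# 2. The bind user may add/remove the TOTP object classes and attributes on
#    user entries (attribute list as given in Roland's reply). objectClass is
#    included because the TOTP object class has to be added to the entry.
#    Everyone else falls through to the later rules.
access to dn.subtree="dc=test,dc=lan" attrs=objectClass,oathTokenSerialNumber,oathTOTPToken,oathTOTPParams
    by dn.base="uid=bindtotp,dc=test,dc=lan" write
    by * break

# userPassword / "by anonymous auth" rules are assumed to exist here, as in
# any normal slapd.conf; they are unchanged by the TOTP setup.

# 3. The LAM manual says the TOTP bind user is also used for all other
#    self-service operations, so it needs read access like bindro. Instead
#    of the rootdn cn=Manager, which bypasses every ACL, the bind user now
#    holds exactly read plus write on the TOTP attributes, nothing more.
access to *
    by dn.base="uid=bindro,dc=test,dc=lan" read
    by dn.base="uid=bindtotp,dc=test,dc=lan" read
    by * break
```

After editing slapd.conf, run slaptest -f slapd.conf (as done earlier in the thread) to catch typos in attribute names, then verify with ldapwhoami/ldapsearch bound as uid=bindtotp that oathSecret is returned for it and is not returned when bound as an ordinary user.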
Re: [Lam-public] Setting up OpenLDAP TOTP error
Hi Roland.

Got it working with your suggestion and the Symas How-To Guide "Two-Factor Authentication". I was able to generate a QR code from the self-service portal and was able to do a 'ldapwhoami' on my account by entering the password followed by the OTP code.

I have one issue. According to the LDAP Account Manager Guide, Chapter 7 - Self service (LAM Pro), it says:

"OpenLDAP TOTP
This allows your users to setup OpenLDAP TOTP tokens. Please note that this requires to use a bind user that is also used for all operations. This user needs to be able to add/remove the TOTP object classes and attributes."

I'm currently using "cn=Manager,dc=test,dc=lan", which is the rootdn for the DIT, in the OpenLDAP TOTP Server settings. For some reason, I can't figure out how to create a bind user to "...add/remove the TOTP object classes and attributes."

I already have a read-only bind user called "bindro" with the following access control in slapd.conf:

    access to *
        by dn.base="uid=bindro,dc=test,dc=lan" read
        by * break

Any suggestions on creating a bind user to "...add/remove the TOTP object classes and attributes." and the associated access control? I plan on naming this bind user "bindtotp".

On 11/10/21, 3:10 PM, "Roland Gruber" wrote:
> [...]
Re: [Lam-public] Setting up OpenLDAP TOTP error
Hi Jose,

please check your self service profile. On tab "Module settings" there is "OpenLDAP TOTP" where you can specify the DN of the TOTP parameters. This DN must contain oathHMACAlgorithm, oathOTPLength, oathTOTPTimeStepPeriod.

Best regards

Roland

On 09.11.21 at 00:19, Gomez-Rubio, J L. via Lam-public wrote:
> [...]