Re: OTP or 2FA for Manager Account?

2018-05-17 Thread Dave Macias
Sorry, looks like I got a bit confused.

So, 2FA, not just plain OTP.
So password+OTP is what I'm looking for.


On Thu, May 17, 2018 at 10:52 AM Dave Macias wrote:

> Thank you for the reply Michael,
>
> This one in:
> 3. OATH-LDAP
>
> But in general just want to test a way to add OTP to OpenLDAP, whichever
> works
>
> -dave
>
> On Wed, May 16, 2018 at 9:25 AM Michael Ströder wrote:
>
>> Dave Macias wrote:
>> > I too have been wondering about TOTP with OpenLDAP but always found it
>> > hard to find documentation on it. Any chance to have this documented?
>> > Don't see it on the site
>>
>> Which of the three solutions / sites do you mean?
>>
>> Ciao, Michael.
>>
>> > On Wed, May 16, 2018 at 7:23 AM Peter wrote:
>> >
>> > Hi Michael,
>> >
>> > Thanks for this summary, to which I can only add the English page of
>> > the Russian activity:
>> >
>> > http://cargosoft.ru/en/rm/118/119
>> >
>> > Cheers,
>> >
>> > Peter
>> >
>> >
>> >
>> > On 15.05.2018 at 19:06, Michael Ströder wrote:
>> > > Douglas Duckworth wrote:
>> > >> Does OpenLDAP support use of one time passwords or 2FA for the
>> > Manager
>> > >> account?
>> > >
>> > > There are several solutions:
>> > >
>> > > 1. contrib/slapd-modules/passwd/totp/
>> > > A proof of concept overlay which AFAICS replaces checking a normal
>> > > password by checking a generated TOTP value. So not really 2FA.
>> > >
>> > > 2. OATH HOTP LDAP Plugin by cargosoft.ru
>> > > Sorry, I only found a Russian site: http://cargosoft.ru/ru/rm/113/115
>> > > I never checked this myself anyway and therefore can't comment.
>> > >
>> > > 3. OATH-LDAP
>> > > Most flexible solution but hard to set up, especially since not fully
>> > > documented yet. It's currently directly integrated into Æ-DIR but
>> > > could be used stand-alone. Being the author I'm biased of course.
>> > >
>> > > Ciao, Michael.
>>
>
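The distinction Michael draws in the quoted summary (a TOTP value that replaces the password is a single factor, not 2FA) and the password+OTP that Dave is after, as an added Python example that is not part of this thread and is not code from the contrib totp overlay, the cargosoft plugin or OATH-LDAP: a plain RFC 6238 TOTP check beside a check that requires both a stored password hash and a valid code. The seed is the RFC 6238 test-vector seed; the PBKDF2 password storage and the "password followed by six-digit code" submission convention are assumptions made for the demo, not how slapd or OATH-LDAP store or parse credentials.

```python
import hashlib
import hmac
import struct

# Demo seed: the 20-byte ASCII seed from the RFC 6238 test vectors (constructed
# for this example; a real deployment generates a random per-user secret).
DEMO_TOTP_SEED = b"12345678901234567890"
TOTP_STEP_SECONDS = 30
TOTP_DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TOTP_STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the time step."""
    return hotp(secret, int(unix_time) // step)


def verify_totp(secret: bytes, candidate: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` steps (clock drift)."""
    if len(candidate) != TOTP_DIGITS or not candidate.isdigit():
        return False
    current = int(unix_time) // TOTP_STEP_SECONDS
    ok = False
    for counter in range(current - window, current + window + 1):
        # Constant-time compare on every step, no early return, so timing does
        # not reveal which step (if any) matched.
        ok |= hmac.compare_digest(hotp(secret, counter), candidate)
    return ok


def make_password_record(password: str, salt: bytes) -> bytes:
    """Assumed password storage for the demo: PBKDF2-HMAC-SHA256. slapd uses its
    own userPassword hashing; this only stands in for it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def verify_password(password: str, salt: bytes, record: bytes) -> bool:
    return hmac.compare_digest(make_password_record(password, salt), record)


def login_totp_only(secret: bytes, submitted: str, unix_time: int) -> bool:
    """Single factor: the TOTP value replaces the password entirely, which is
    the behaviour Michael describes for the contrib totp overlay."""
    return verify_totp(secret, submitted, unix_time)


def login_password_plus_totp(record: bytes, salt: bytes, secret: bytes,
                             submitted: str, unix_time: int) -> bool:
    """Two factors: the submitted string is the password followed by the
    six-digit code (a convention assumed for this demo). Both checks always
    run so that a failure does not reveal which factor was wrong."""
    if len(submitted) <= TOTP_DIGITS:
        return False
    password, code = submitted[:-TOTP_DIGITS], submitted[-TOTP_DIGITS:]
    password_ok = verify_password(password, salt, record)
    code_ok = verify_totp(secret, code, unix_time)
    return password_ok and code_ok


if __name__ == "__main__":
    salt = b"constructed-demo-salt"
    record = make_password_record("correct horse battery", salt)
    now = 59  # RFC 6238 test-vector time; the 6-digit code here is 287082
    print("code at t=59:", totp(DEMO_TOTP_SEED, now))
    print("TOTP only, code alone:",
          login_totp_only(DEMO_TOTP_SEED, "287082", now))
    print("2FA, password+code:",
          login_password_plus_totp(record, salt, DEMO_TOTP_SEED,
                                   "correct horse battery287082", now))
    print("2FA, wrong password:",
          login_password_plus_totp(record, salt, DEMO_TOTP_SEED,
                                   "wrong password287082", now))
```

The first login function is what a TOTP-replaces-password overlay gives you: anyone holding the seed (or a code copied within the drift window) is in. The second only succeeds when both the password hash and the code verify, which is the property "2FA" actually names; the drift window is kept deliberately small because every extra step widens the set of codes that are accepted at any moment.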


Re: OTP or 2FA for Manager Account?

2018-05-17 Thread Dave Macias
Thank you for the reply Michael,

This one in:
3. OATH-LDAP

But in general just want to test a way to add OTP to OpenLDAP, whichever
works

-dave

On Wed, May 16, 2018 at 9:25 AM Michael Ströder wrote:

> Dave Macias wrote:
> > I too have been wondering about TOTP with OpenLDAP but always found it
> > hard to find documentation on it. Any chance to have this documented?
> > Don't see it on the site
>
> Which of the three solutions / sites do you mean?
>
> Ciao, Michael.
>
> > On Wed, May 16, 2018 at 7:23 AM Peter wrote:
> >
> > Hi Michael,
> >
> > Thanks for this summary, to which I can only add the English page of
> > the Russian activity:
> >
> > http://cargosoft.ru/en/rm/118/119
> >
> > Cheers,
> >
> > Peter
> >
> >
> >
> > On 15.05.2018 at 19:06, Michael Ströder wrote:
> > > Douglas Duckworth wrote:
> > >> Does OpenLDAP support use of one time passwords or 2FA for the
> > Manager
> > >> account?
> > >
> > > There are several solutions:
> > >
> > > 1. contrib/slapd-modules/passwd/totp/
> > > A proof of concept overlay which AFAICS replaces checking a normal
> > > password by checking a generated TOTP value. So not really 2FA.
> > >
> > > 2. OATH HOTP LDAP Plugin by cargosoft.ru
> > > Sorry, I only found a Russian site: http://cargosoft.ru/ru/rm/113/115
> > > I never checked this myself anyway and therefore can't comment.
> > >
> > > 3. OATH-LDAP
> > > Most flexible solution but hard to set up, especially since not fully
> > > documented yet. It's currently directly integrated into Æ-DIR but
> > > could be used stand-alone. Being the author I'm biased of course.
> > >
> > > Ciao, Michael.
>


Re: ldapdelete: Invalid DN on an Accesslog generated DN

2018-05-17 Thread Michael Ströder
Giuseppe Civitella wrote:
> while doing some tests to enable accesslog in my directory, I did enable the 
> overlay and then disabled it because of login problems.

I doubt that you had login problems caused by slapo-accesslog.

> Once restored the directory, I found a few entries like this:
> 
> dn: reqStart=20180509102412.00Z,BASEDN
> objectClass: auditModify
> structuralObjectClass: auditModify
> REQSTART: 20180509102412.00Z
> REQEND: 20180509102412.01Z
> REQTYPE: modify

Is this slapcat output? Did you obfuscate your e-mail with "BASEDN"?

Note that removing slapo-accesslog also removed the object class and
attribute type descriptions from your subschema. Typically slapcat
outputs names of attribute types missing in subschema all with capital
letters.

> deleting entry "reqStart=20180509102412.00Z,BASEDN"
> ldap_delete: Invalid DN syntax (34)
> additional info: invalid DN

OpenLDAP server checks schema even for DNs. Hence a DN containing
'reqStart' is an invalid DN if you don't have slapo-accesslog loaded.

Ciao, Michael.
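Michael's two observations above (slapcat prints attribute types that are missing from the subschema in capitals, and a DN whose RDN uses such a type fails the server's DN syntax check), as an added Python example that is not from this thread and is not OpenLDAP code: a scanner over slapcat LDIF output that lists entries referencing undefined attribute types and flags those whose RDN attribute is among them, since those are the ones that cannot be deleted once the overlay is gone. The LDIF sample is constructed from the entry quoted in the thread; the minimal parser and the all-capitals heuristic are assumptions for the demo, not a guarantee about every slapcat version.

```python
import re

# Constructed sample modelled on the slapcat excerpt quoted in the thread:
# one leftover accesslog entry whose attribute types are no longer in the
# subschema (printed in capitals), and one ordinary entry for contrast.
SAMPLE_SLAPCAT_LDIF = """\
dn: reqStart=20180509102412.00Z,BASEDN
objectClass: auditModify
structuralObjectClass: auditModify
REQSTART: 20180509102412.00Z
REQEND: 20180509102412.01Z
REQTYPE: modify
REQDN: cn=gcivitella,ou=users,BASEDN

dn: cn=gcivitella,ou=users,BASEDN
objectClass: inetOrgPerson
cn: gcivitella
sn: Civitella
description: a folded value that continues
  on the next line
"""

# Heuristic from the thread: a name printed entirely in capitals is a type
# slapcat could not resolve in the subschema.
UNDEFINED_NAME = re.compile(r"[A-Z][A-Z0-9-]+")


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, splits entries on blank
    lines and returns a list of (dn, [(attribute, value), ...]). Base64 values
    ('attr:: ...') are kept as their raw base64 text."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith("#"):
                continue
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]  # LDIF folding: drop the one leading space
            else:
                lines.append(raw)
        dn = None
        attrs = []
        for line in lines:
            name, _, value = line.partition(":")
            value = value.lstrip(": ")  # tolerates 'attr:: base64'
            if name.lower() == "dn":
                dn = value
            else:
                attrs.append((name, value))
        if dn is not None:
            entries.append((dn, attrs))
    return entries


def rdn_attribute(dn):
    """Attribute type of the leftmost RDN, e.g. 'reqStart' for the entry above."""
    return dn.split(",", 1)[0].split("=", 1)[0].strip()


def undefined_attributes(attrs):
    """Attribute names slapcat printed entirely in capitals."""
    names = []
    for name, _ in attrs:
        base = name.split(";", 1)[0]  # drop options such as ;binary
        if UNDEFINED_NAME.fullmatch(base):
            names.append(base)
    return names


def find_schema_orphans(ldif_text):
    """Entries referencing undefined attribute types. rdn_affected is True when
    the entry's own RDN uses one of them: that DN fails the server's DN syntax
    check, which is the 'Invalid DN syntax (34)' seen in the thread."""
    report = []
    for dn, attrs in parse_ldif(ldif_text):
        missing = undefined_attributes(attrs)
        if not missing:
            continue
        report.append((dn, missing, rdn_attribute(dn).upper() in missing))
    return report


if __name__ == "__main__":
    for dn, missing, rdn_affected in find_schema_orphans(SAMPLE_SLAPCAT_LDIF):
        note = " <- RDN uses an undefined type; delete it before removing the overlay" if rdn_affected else ""
        print(f"{dn}: {', '.join(missing)}{note}")
```

Run it over a `slapcat` dump taken while the overlay is still loaded (nothing will be flagged) and again over the dump you intend to restore; anything flagged with the RDN note has to be purged while the overlay's schema is still present, which is what the logpurge setting in slapo-accesslog(5) is for.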





Re: ldapdelete: Invalid DN on an Accesslog generated DN

2018-05-17 Thread Dieter Klünter
On Tue, 15 May 2018 10:02:18 +0200, Giuseppe Civitella wrote:

> Hi all,
> 
> while doing some tests to enable accesslog in my directory, I did
> enable the overlay and then disabled it because of login problems.
> Once restored the directory, I found a few entries like this:
> 
> dn: reqStart=20180509102412.00Z,BASEDN
> objectClass: auditModify
> structuralObjectClass: auditModify
> REQSTART: 20180509102412.00Z
> REQEND: 20180509102412.01Z
> REQTYPE: modify
> REQSESSION: 1679
> REQAUTHZID: cn=admin,BASEDN
> REQDN: cn=gcivitella,ou=users,BASEDN
> REQRESULT: 0
> REQMOD: description:= description utente gcivitella (update check accesslog)
> REQMOD: entryCSN:= 20180509102412.246481Z#00#000#00
> REQMOD: modifiersName:= cn=admin,BASEDN
> REQMOD: modifyTimestamp:= 20180509102412Z
> REQENTRYUUID: 53620528-9276-1037-8c51-e5b01d96303b
> entryUUID: dc744658-e7be-1037-9c6f-71aa77ba1fb3
> creatorsName: cn=admin,BASEDN
> createTimestamp: 20180509102412Z
> entryCSN: 20180509102412.246481Z#00#000#00
> modifiersName: cn=admin,BASEDN
> modifyTimestamp: 20180509102412Z
> 
> Now I'm unable to delete them. I get an "invalid DN" error:
> 
> ldapdelete -D "cn=admin,BASEDN" -W -H ldap://127.0.0.1 -v "reqStart=20180509102412.00Z,BASEDN"
> 
> ldap_initialize( ldap://127.0.0.1:389/??base )
> Enter LDAP Password: 
> deleting entry "reqStart=20180509102412.00Z,BASEDN"
> ldap_delete: Invalid DN syntax (34)
> additional info: invalid DN
> 
> Is there a way to force the deletion or temporary disable the schema
> check?

It seems that $BASEDN is not a valid DN; check
https://ldap.com/ldap-dns-and-rdns
Read man slapo-accesslog(5) on logpurge.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E