Re: pw-totp

2021-06-07 Thread Michael Ströder
On 6/7/21 8:37 PM, Stefan Kania wrote:
> that helped a lot :). My fault was I put the "olcPasswordHash" in "dn:
> cn=config", but it must be in {-1}frontend as the result of the test

Hmmpf! Object class olcGlobal should not allow olcPasswordHash:

https://bugs.openldap.org/show_bug.cgi?id=9575

Ciao, Michael.


Re: pw-totp

2021-06-07 Thread Michael Ströder
On 6/7/21 5:15 PM, Stefan Kania wrote:
> On 07.06.21 at 16:35, Michael Ströder wrote:
>> BTW: Note that choosing ARGON2 parameters is not trivial:
>>
>> https://openldap.org/hyperkitty/list/openldap-technical@openldap.org/message/4KYTNGJN7ETVO5RAD4W5DP5SMPBLPHA7/
>>
> The link gives me a nice 404-page

https://lists.openldap.org/hyperkitty/list/openldap-technical@openldap.org/message/4KYTNGJN7ETVO5RAD4W5DP5SMPBLPHA7/

Ciao, Michael.


Re: pw-totp

2021-06-07 Thread Michael Ströder
On 6/7/21 3:40 PM, Stefan Kania wrote:
> 
> 
>> On 07.06.21 at 15:29, Michael Ströder wrote:
>> To build with libargon2 (which supports all ARGON2 arguments):
>>
>> --enable-argon2 --with-argon2=libargon2
> 
> Now it's compiling but still the same error :-(
> 
> Jun 07 15:37:24 ldap25-p02 slapd[8154]: olcPasswordHash: value #0:
>  scheme not available ({ARGON2})

I'm not using writable cn=config. cn=config is always read-only on my
system (no -F argument), only used for monitoring with slapdcheck.

FWIW it works for me with 2.5.5 and slapd.conf like this:

moduleload  argon2 m=4096 p=3 t=4
password-hash {ARGON2}

Fun fact: There is no olcPasswordHash attribute in cn=config.

BTW: Note that choosing ARGON2 parameters is not trivial:

https://openldap.org/hyperkitty/list/openldap-technical@openldap.org/message/4KYTNGJN7ETVO5RAD4W5DP5SMPBLPHA7/

Ciao, Michael.


Re: pw-totp

2021-06-07 Thread Stefan Kania
Thanks Quanah,

that helped a lot :). My fault was I put the "olcPasswordHash" in "dn:
cn=config", but it must be in {-1}frontend as the result of the test
shows:
--
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcPasswordHash: {ARGON2}
--

Now {TOTP1ANDPW} is working too. Thanks a lot. I learned a lot over the
last few days.

Stefan


On 07.06.21 at 20:13, Quanah Gibson-Mount wrote:
> 
> 
> --On Monday, June 7, 2021 9:03 PM +0200 Stefan Kania
>  wrote:
> 
>> looks ok to me:
>> ---
> 
> My point was to examine the generated configuration in the testrun dir,
> which has a clearly working configuration for the argon2 module, and
> compare it to what you've done.
> 
> Regards,
> Quanah
> 
> -- 
> 
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> 




Re: pw-totp

2021-06-07 Thread Quanah Gibson-Mount

--On Monday, June 7, 2021 9:03 PM +0200 Stefan Kania wrote:

> looks ok to me:
> ---

My point was to examine the generated configuration in the testrun dir,
which has a clearly working configuration for the argon2 module, and
compare it to what you've done.

Regards,
Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:



Re: pw-totp

2021-06-07 Thread Stefan Kania

On 07.06.21 at 17:18, Quanah Gibson-Mount wrote:
> 
> 
> --On Monday, June 7, 2021 4:40 PM +0200 Stefan Kania
>  wrote:
> 
>>
>>
>> On 07.06.21 at 15:29, Michael Ströder wrote:
>>> To build with libargon2 (which supports all ARGON2 arguments):
>>>
>>> --enable-argon2 --with-argon2=libargon2
>>
>> Now it's compiling but still the same error :-(
> 
> I suggest examining test083 closely, as it uses cn=config to set up and
> configure ARGON2 with cn=config.

looks ok to me:
---
> Starting test083-argon2 for mdb...
running defines.sh
Starting slapd on TCP/IP port 9011...
Using ldapsearch to check that slapd is running...
Adding basic structure...
Testing ldapwhoami as cn=argon2,dc=example,dc=com...
dn:cn=argon2,dc=example,dc=com
> Test succeeded
> test083-argon2 completed OK for mdb after 1 seconds.

---

> 
> Regards,
> Quanah
> 
> 
> -- 
> 
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> 

-- 
Stefan Kania
Landweg 13
25693 St. Michaelisdonn


Signing every e-mail helps reduce spam and protects your
privacy. You can obtain a free certificate at
https://www.dgn.de/dgncert/index.html


Re: pw-totp

2021-06-07 Thread Quanah Gibson-Mount

--On Monday, June 7, 2021 4:40 PM +0200 Stefan Kania wrote:

> On 07.06.21 at 15:29, Michael Ströder wrote:
>> To build with libargon2 (which supports all ARGON2 arguments):
>>
>> --enable-argon2 --with-argon2=libargon2
>
> Now it's compiling but still the same error :-(

I suggest examining test083 closely, as it uses cn=config to set up and
configure ARGON2 with cn=config.

Regards,
Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:



Re: pw-totp

2021-06-07 Thread Stefan Kania

On 07.06.21 at 16:35, Michael Ströder wrote:
> On 6/7/21 3:40 PM, Stefan Kania wrote:
>>
>>
>> On 07.06.21 at 15:29, Michael Ströder wrote:
>>> To build with libargon2 (which supports all ARGON2 arguments):
>>>
>>> --enable-argon2 --with-argon2=libargon2
>>
>> Now it's compiling but still the same error :-(
>>
>> Jun 07 15:37:24 ldap25-p02 slapd[8154]: olcPasswordHash: value #0:
>>  scheme not available ({ARGON2})
> 
> I'm not using writable cn=config. cn=config is always read-only on my
> system (no -F argument), only used for monitoring with slapdcheck.
> 
> FWIW it works for me with 2.5.5 and slapd.conf like this:
> 
> moduleload  argon2 m=4096 p=3 t=4
> password-hash {ARGON2}
I will try it with slapd.conf
> 
> Fun fact: There is no olcPasswordHash attribute in cn=config.
> 
I tried it with "olcPasswordHash: {CRYPT}", just to check if I have a typo
or something like that. And that is working: slapd starts, I can create
passwords, everything is fine. As soon as I try one of the others, {ARGON2}
or {TOTP1}..., slapd crashes. So the attribute is valid, but I think I'm
missing something, but I don't know what.

> BTW: Note that choosing ARGON2 parameters is not trivial:
> 
> https://openldap.org/hyperkitty/list/openldap-technical@openldap.org/message/4KYTNGJN7ETVO5RAD4W5DP5SMPBLPHA7/
> 
The link gives me a nice 404-page
> Ciao, Michael.
> 

Stefan


Re: pw-totp

2021-06-07 Thread Stefan Kania

On 07.06.21 at 15:29, Michael Ströder wrote:
> To build with libargon2 (which supports all ARGON2 arguments):
> 
> --enable-argon2 --with-argon2=libargon2

Now it's compiling but still the same error :-(


Jun 07 15:37:24 ldap25-p02 slapd[8154]: olcPasswordHash: value #0:
 scheme not available ({ARGON2})

Jun 07 15:37:24 ldap25-p02 slapd[8154]: olcPasswordHash: value #0:
 no valid hashes found

Jun 07 15:37:24 ldap25-p02 slapd[8154]: config error processing
cn=config:  no valid hashes found

Jun 07 15:37:24 ldap25-p02 slapd[8154]: DIGEST-MD5 common mech free
Jun 07 15:37:24 ldap25-p02 slapd[8154]: DIGEST-MD5 common mech free



Re: pw-totp

2021-06-07 Thread Michael Ströder
On 6/7/21 2:31 PM, Stefan Kania wrote:
> ok, I found the source files in server/slapd/pwmods. I was always
> searching in contrib/slapd-modules/passwd.
> I normally only use the Debian packages, but I want to start with 2.5
> as early as possible so I started to build 2.5 from source. Here is my
> ./configure-line:
> -
> ./configure --with-cyrus-sasl --with-tls=openssl --enable-overlays=mod
> --enable-backends=mod --disable-perl --disable-ndb --enable-crypt
> --enable-modules --enable-dynamic --enable-syslog --enable-debug
> --enable-local --enable-spasswd --disable-sql --prefix=/opt/openldap-current

To build with libargon2 (which supports all ARGON2 arguments):

--enable-argon2 --with-argon2=libargon2

Of course this requires build files of libargon2 to be installed.

Alternatively you could use libsodium, which does not support the ARGON2
parameter p>1, though.

See also the .spec file for my openSUSE/SLE packages:

https://build.opensuse.org/package/view_file/home:stroeder:openldap25/openldap-ms/openldap-ms.spec?expand=1

Ciao, Michael.


Re: pw-totp

2021-06-07 Thread Stefan Kania
Hi Michael,

ok, I found the source files in server/slapd/pwmods. I was always
searching in contrib/slapd-modules/passwd.
I normally only use the Debian packages, but I want to start with 2.5
as early as possible so I started to build 2.5 from source. Here is my
./configure-line:
-
./configure --with-cyrus-sasl --with-tls=openssl --enable-overlays=mod
--enable-backends=mod --disable-perl --disable-ndb --enable-crypt
--enable-modules --enable-dynamic --enable-syslog --enable-debug
--enable-local --enable-spasswd --disable-sql --prefix=/opt/openldap-current
-

After ./configure I do:
--
make depend
make
make install

cd /opt/openldap-current/contrib/slapd-modules/passwd/totp/
make
make install

cd /opt/openldap-current/contrib/slapd-modules/passwd/sha2
make
make install

cd /opt/openldap-current/contrib/slapd-modules/passwd/pbkdf2
make
make install
--
All the steps are part of an Ansible role. After building OpenLDAP a
find /opt/openldap-current/ -name "*argon*" only lists:
-
openldap-current/share/man/man5/slappw-argon2.5
openldap-current/servers/slapd/pwmods/argon2.c
openldap-current/servers/slapd/pwmods/README.argon2
openldap-current/doc/man/man5/slappw-argon2.5.tmp
openldap-current/doc/man/man5/slappw-argon2.5
openldap-current/tests/scripts/test083-argon2
-

Because of your hint about the path slapd/pwmods I read "./configure
--help" and added "--enable-argon2". Now I find the missing files :-). Did
I miss anything else in my configure-line?

Thanks

Stefan

On 07.06.21 at 11:29, Michael Ströder wrote:
> On 6/7/21 10:23 AM, Stefan Kania wrote:
>> ARGON2 is not part of the current version 2.5.5; I only find the sources
>> on git.openldap.org.
> 
> Not true.
> 
> It's in the main code now:
> 
> $ tar tzf openldap-2.5.5.tgz | grep argon
> openldap-2.5.5/tests/scripts/test083-argon2
> openldap-2.5.5/doc/man/man5/slappw-argon2.5
> openldap-2.5.5/servers/slapd/pwmods/argon2.c
> openldap-2.5.5/servers/slapd/pwmods/README.argon2
> 
> My openSUSE package:
> 
> $ rpm -ql openldap-ms | grep argon
> /opt/openldap-ms/lib64/openldap/argon2-2.5.so.0
> /opt/openldap-ms/lib64/openldap/argon2-2.5.so.0.1.0
> /opt/openldap-ms/lib64/openldap/argon2.la
> /opt/openldap-ms/lib64/openldap/argon2.so
> /opt/openldap-ms/share/man/man5/slappw-argon2.5
> 
> How do you build your packages?
> 
> Ciao, Michael.
> 


Re: pw-totp

2021-06-07 Thread Michael Ströder
On 6/7/21 10:23 AM, Stefan Kania wrote:
> ARGON2 is not part of the current version 2.5.5; I only find the sources
> on git.openldap.org.

Not true.

It's in the main code now:

$ tar tzf openldap-2.5.5.tgz | grep argon
openldap-2.5.5/tests/scripts/test083-argon2
openldap-2.5.5/doc/man/man5/slappw-argon2.5
openldap-2.5.5/servers/slapd/pwmods/argon2.c
openldap-2.5.5/servers/slapd/pwmods/README.argon2

My openSUSE package:

$ rpm -ql openldap-ms | grep argon
/opt/openldap-ms/lib64/openldap/argon2-2.5.so.0
/opt/openldap-ms/lib64/openldap/argon2-2.5.so.0.1.0
/opt/openldap-ms/lib64/openldap/argon2.la
/opt/openldap-ms/lib64/openldap/argon2.so
/opt/openldap-ms/share/man/man5/slappw-argon2.5

How do you build your packages?

Ciao, Michael.


Re: pw-totp

2021-06-07 Thread Stefan Kania
Hi Quanah

On 05.06.21 at 22:11, Quanah Gibson-Mount wrote:
> 
> Personally I'd combine that with ARGON2 password hashes for secure
> password hash storage + 2 Factor auth.
ARGON2 is not part of the current version 2.5.5; I only find the sources
on git.openldap.org. Will it ever become part of the OpenLDAP 2.5 version?
In contrib/slapd-modules/passwd I only see pbkdf2, totp and sha2.

Stefan


Re: pw-totp

2021-06-06 Thread Stefan Kania
Hi Quanah,

On 05.06.21 at 22:11, Quanah Gibson-Mount wrote:
> 
> 
> --On Saturday, June 5, 2021 4:27 PM +0200 Stefan Kania
>  wrote:
> 
>> Hello,
>>
>> I try to set up TOTP1 and TOTP1ANDPW as password hash. I use Debian 10
>> with Kernel 5.9 from the backports. As OpenLDAP I use 2.5.5. I set up
>> everything via Ansible. My configure-options are:
>>
>>
>> root@ldap25-p01:/opt/openldap-2.5.5/servers/slapd
>> Jun 05 15:24:52 ldap25-p01 slapd[16210]: olcPasswordHash: value #0:
>>  scheme not available ({TOTP1})
>> Jun 05 15:24:52 ldap25-p01 slapd[16210]: olcPasswordHash: value #0:
>>  no valid hashes found
>> Jun 05 15:24:52 ldap25-p01 slapd[16210]: config error processing
>> cn=config:  no valid hashes found
> 
> Hm, I've only ever used the OTP module that ships as a core part of
> OpenLDAP 2.5:
> 
> 
> 
> 
> Personally I'd combine that with ARGON2 password hashes for secure
> password hash storage + 2 Factor auth.
> 
I have not tried this one yet, I will give it a try next week.

Stefan
> Regards,
> Quanah
> 
> 
> 
> -- 
> 
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> 

-- 
Stefan Kania
Landweg 13
25693 St. Michaelisdonn


Signing every e-mail helps reduce spam and protects your
privacy. You can obtain a free certificate at
https://www.dgn.de/dgncert/index.html








Re: pw-totp

2021-06-06 Thread Stefan Kania
Hello Dieter,
I think I read everything I could find, also your posting :-). The only
thing I did not set is "security ssf=1", but I think that has nothing
to do with my error message.
What I don't understand is why I can set the option olcPasswordHash
without an error, but as soon as I try to do anything or restart slapd,
the slapd crashes.

On 06.06.21 at 11:01, Dieter Klünter wrote:
> On Sat, 5 Jun 2021 15:27:40 +0200,
> Stefan Kania wrote:
> 
>> Hello,
>>
>> I try to set up TOTP1 and TOTP1ANDPW as password hash. I use Debian 10
>> with Kernel 5.9 from the backports. As OpenLDAP I use 2.5.5. I set up
>> everything via Ansible. My configure-options are:
>> -
>> ./configure --with-cyrus-sasl --with-tls=openssl --enable-overlays=mod
>> --enable-backends=mod --disable-perl --disable-ndb --enable-crypt
>> --enable-modules --enable-dynamic --enable-syslog --enable-debug
>> --enable-local --enable-spasswd --disable-sql
>> --prefix=/opt/openldap-current
>> -
>>
>> In addition I build:
>> 
>> /opt/openldap-current/contrib/slapd-modules/passwd/sha2
>> /opt/openldap-current/contrib/slapd-modules/passwd/pbkdf2
>> /opt/openldap-current/contrib/slapd-modules/passwd/totp/
>> 
>>
>> "make test" is running without any error.
>>
>> The setup is running without any error, here my cn=config:
>> 
>> dn: cn=config
>> objectClass: olcGlobal
>> cn: config
>> olcArgsFile: /opt/openldap-current/var/run/slapd.args
>> olcLogLevel: sync
>> olcLogLevel: stats
>> olcLogLevel: stats
>> olcPidFile: /opt/openldap-current/var/run/slapd.pid
>> olcToolThreads: 1
>> olcTLSCertificateFile:
>> /opt/openldap-current/etc/my_certificates/ldap25-p01-ce
>>  rt.pem
>> olcTLSCertificateKeyFile:
>> /opt/openldap-current/etc/my_certificates/ldap25-p01
>>  -key.pem
>> olcTLSCACertificateFile:
>> /opt/openldap-current/etc/my_certificates/cacert.pem
>> olcPasswordHash: {TOTP1}
>>
>> dn: cn=module{0},cn=config
>> objectClass: olcModuleList
>> cn: module{0}
>> olcModulePath:
>> /opt/openldap-current/libexec/openldap:/usr/local/libexec/openl
>>  dap
>> olcModuleLoad: {0}back_mdb
>> olcModuleLoad: {1}back_monitor
>> olcModuleLoad: {2}pw-totp.la
>> olcModuleLoad: {3}autoca.la
>>
>> ... schema
>>
>> dn: olcBackend={0}mdb,cn=config
>> objectClass: olcBackendConfig
>> olcBackend: {0}mdb
>>
>> dn: olcDatabase={-1}frontend,cn=config
>> objectClass: olcDatabaseConfig
>> objectClass: olcFrontendConfig
>> olcDatabase: {-1}frontend
>> olcAccess: {0}to *  by
>> dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=externa
>>  l,cn=auth manage  by
>> dn.exact=gidNumber=+uidNumber=,cn=peercred,cn=ex
>>  ternal,cn=auth manage  by * break
>> olcAccess: {1}to dn=""  by * read
>> olcAccess: {2}to dn.base="cn=subschema"  by * read
>> olcSizeLimit: 500
>>
>>
>> dn: olcDatabase={0}config,cn=config
>> objectClass: olcDatabaseConfig
>> olcDatabase: {0}config
>> olcAccess: {0}to *  by
>> dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=externa
>>  l,cn=auth manage  by
>> dn.exact=gidNumber=+uidNumber=,cn=peercred,cn=ex
>>  ternal,cn=auth manage  by
>> dn.exact=uid=ldap-admin,ou=users,dc=example,dc=net
>>  write  by * break
>> olcRootDN: cn=admin,cn=config
>> olcRootPW:
>>
>>
>> dn: olcDatabase={1}monitor,cn=config
>> objectClass: olcDatabaseConfig
>> olcDatabase: {1}monitor
>> olcAccess: {0}to dn.subtree="cn=monitor" by
>> dn.exact=cn=admin,cn=config read
>>   by dn.exact=cn=admin,dc=example,dc=net read
>>
>> dn: olcDatabase={2}mdb,cn=config
>> objectClass: olcDatabaseConfig
>> objectClass: olcmdbConfig
>> olcDatabase: {2}mdb
>> olcDbDirectory: /opt/openldap-current/var/lib/ldap
>> olcSuffix: dc=example,dc=net
>> olcAccess: {0} to *  by
>> dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=extern
>>  al,cn=auth manage  by
>> dn.exact=gidNumber=+uidNumber=,cn=peercred,cn=e
>>  xternal,cn=auth manage  by
>> dn.exact=uid=ldap-admin,ou=users,dc=example,dc=net
>>   write  by dn.exact=uid=repl-user,ou=users,dc=example,dc=net read
>> by * break
>> olcAccess: {1}to dn.exact=""  by * read
>> olcAccess: {2}to dn.base="cn=subschema"  by * read
>> olcAccess: {3} to attrs=userPassword  by anonymous auth by self write
>> by
>> * non
>>  e
>> olcLimits: {0} dn.exact="uid=repl-user,ou=users,dc=example,dc=net"
>> time=unl
>>  imited size=unlimited
>> olcLimits: {1} dn.exact="uid=ldap-admin,ou=users,dc=example,dc=net"
>> time=unlim
>>  ited size=unlimited
>> olcRootDN: cn=admin,dc=example,dc=net
>> olcRootPW: {SSHA}D6GKFhWChzpTnTmsxLVqJqTnFm+8fr3K
>> olcSizeLimit: unlimited
>> olcTimeLimit: unlimited
>> olcDbCheckpoint: 512 30
>> olcDbIndex: default eq
>> olcDbIndex: objectClass
>> olcDbIndex: entryUUID
>> olcDbIndex: entryCSN
>> olcDbIndex: cn pres,eq,sub
>> olcDbIndex: uid pres,eq,sub
>> olcDbIndex: mail pres,eq,sub
>> olcDbIndex: sn pres,eq,sub
>> olcDbIndex: description pres,eq,sub
>> olcDbIndex: title pres,eq,sub
>> olcDbIndex: givenName pres,eq,sub
>> olcDbMaxSize: 85899345920
>>
>> dn: 

Re: pw-totp

2021-06-06 Thread Dieter Klünter
On Sat, 5 Jun 2021 15:27:40 +0200,
Stefan Kania wrote:

> Hello,
> 
> I try to set up TOTP1 and TOTP1ANDPW as password hash. I use Debian 10
> with Kernel 5.9 from the backports. As OpenLDAP I use 2.5.5. I set up
> everything via Ansible. My configure-options are:
> -
> ./configure --with-cyrus-sasl --with-tls=openssl --enable-overlays=mod
> --enable-backends=mod --disable-perl --disable-ndb --enable-crypt
> --enable-modules --enable-dynamic --enable-syslog --enable-debug
> --enable-local --enable-spasswd --disable-sql
> --prefix=/opt/openldap-current
> -
> 
> In addition I build:
> 
> /opt/openldap-current/contrib/slapd-modules/passwd/sha2
> /opt/openldap-current/contrib/slapd-modules/passwd/pbkdf2
> /opt/openldap-current/contrib/slapd-modules/passwd/totp/
> 
> 
> "make test" is running without any error.
> 
> The setup is running without any error, here my cn=config:
> 
> dn: cn=config
> objectClass: olcGlobal
> cn: config
> olcArgsFile: /opt/openldap-current/var/run/slapd.args
> olcLogLevel: sync
> olcLogLevel: stats
> olcLogLevel: stats
> olcPidFile: /opt/openldap-current/var/run/slapd.pid
> olcToolThreads: 1
> olcTLSCertificateFile:
> /opt/openldap-current/etc/my_certificates/ldap25-p01-ce
>  rt.pem
> olcTLSCertificateKeyFile:
> /opt/openldap-current/etc/my_certificates/ldap25-p01
>  -key.pem
> olcTLSCACertificateFile:
> /opt/openldap-current/etc/my_certificates/cacert.pem
> olcPasswordHash: {TOTP1}
> 
> dn: cn=module{0},cn=config
> objectClass: olcModuleList
> cn: module{0}
> olcModulePath:
> /opt/openldap-current/libexec/openldap:/usr/local/libexec/openl
>  dap
> olcModuleLoad: {0}back_mdb
> olcModuleLoad: {1}back_monitor
> olcModuleLoad: {2}pw-totp.la
> olcModuleLoad: {3}autoca.la
> 
> ... schema
> 
> dn: olcBackend={0}mdb,cn=config
> objectClass: olcBackendConfig
> olcBackend: {0}mdb
> 
> dn: olcDatabase={-1}frontend,cn=config
> objectClass: olcDatabaseConfig
> objectClass: olcFrontendConfig
> olcDatabase: {-1}frontend
> olcAccess: {0}to *  by
> dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=externa
>  l,cn=auth manage  by
> dn.exact=gidNumber=+uidNumber=,cn=peercred,cn=ex
>  ternal,cn=auth manage  by * break
> olcAccess: {1}to dn=""  by * read
> olcAccess: {2}to dn.base="cn=subschema"  by * read
> olcSizeLimit: 500
> 
> 
> dn: olcDatabase={0}config,cn=config
> objectClass: olcDatabaseConfig
> olcDatabase: {0}config
> olcAccess: {0}to *  by
> dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=externa
>  l,cn=auth manage  by
> dn.exact=gidNumber=+uidNumber=,cn=peercred,cn=ex
>  ternal,cn=auth manage  by
> dn.exact=uid=ldap-admin,ou=users,dc=example,dc=net
>  write  by * break
> olcRootDN: cn=admin,cn=config
> olcRootPW:
> 
> 
> dn: olcDatabase={1}monitor,cn=config
> objectClass: olcDatabaseConfig
> olcDatabase: {1}monitor
> olcAccess: {0}to dn.subtree="cn=monitor" by
> dn.exact=cn=admin,cn=config read
>   by dn.exact=cn=admin,dc=example,dc=net read
> 
> dn: olcDatabase={2}mdb,cn=config
> objectClass: olcDatabaseConfig
> objectClass: olcmdbConfig
> olcDatabase: {2}mdb
> olcDbDirectory: /opt/openldap-current/var/lib/ldap
> olcSuffix: dc=example,dc=net
> olcAccess: {0} to *  by
> dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=extern
>  al,cn=auth manage  by
> dn.exact=gidNumber=+uidNumber=,cn=peercred,cn=e
>  xternal,cn=auth manage  by
> dn.exact=uid=ldap-admin,ou=users,dc=example,dc=net
>   write  by dn.exact=uid=repl-user,ou=users,dc=example,dc=net read
> by * break
> olcAccess: {1}to dn.exact=""  by * read
> olcAccess: {2}to dn.base="cn=subschema"  by * read
> olcAccess: {3} to attrs=userPassword  by anonymous auth by self write
> by
> * non
>  e
> olcLimits: {0} dn.exact="uid=repl-user,ou=users,dc=example,dc=net"
> time=unl
>  imited size=unlimited
> olcLimits: {1} dn.exact="uid=ldap-admin,ou=users,dc=example,dc=net"
> time=unlim
>  ited size=unlimited
> olcRootDN: cn=admin,dc=example,dc=net
> olcRootPW: {SSHA}D6GKFhWChzpTnTmsxLVqJqTnFm+8fr3K
> olcSizeLimit: unlimited
> olcTimeLimit: unlimited
> olcDbCheckpoint: 512 30
> olcDbIndex: default eq
> olcDbIndex: objectClass
> olcDbIndex: entryUUID
> olcDbIndex: entryCSN
> olcDbIndex: cn pres,eq,sub
> olcDbIndex: uid pres,eq,sub
> olcDbIndex: mail pres,eq,sub
> olcDbIndex: sn pres,eq,sub
> olcDbIndex: description pres,eq,sub
> olcDbIndex: title pres,eq,sub
> olcDbIndex: givenName pres,eq,sub
> olcDbMaxSize: 85899345920
> 
> dn: olcOverlay={0}totp,olcDatabase={2}mdb,cn=config
> objectClass: olcOverlayConfig
> olcOverlay: {0}totp
> 
> dn: olcOverlay={1}autoca,olcDatabase={2}mdb,cn=config
> objectClass: olcOverlayConfig
> objectClass: olcAutoCAConfig
> olcOverlay: {1}autoca
> olcAutoCAuserKeybits: 4096
> olcAutoCAserverKeybits: 4096
> olcAutoCAKeybits: 4096
> 
> 
> After a few minutes or if I restart slapd I get the following
> error message: -
> Jun 05 15:24:52 ldap25-p01 slapd[16210]: @(#) $OpenLDAP: slapd 2.5.5
> (Jun  5 2021 

Re: pw-totp

2021-06-05 Thread Quanah Gibson-Mount

--On Saturday, June 5, 2021 4:27 PM +0200 Stefan Kania wrote:

> Hello,
>
> I try to set up TOTP1 and TOTP1ANDPW as password hash. I use Debian 10
> with Kernel 5.9 from the backports. As OpenLDAP I use 2.5.5. I set up
> everything via Ansible. My configure-options are:
>
> root@ldap25-p01:/opt/openldap-2.5.5/servers/slapd
> Jun 05 15:24:52 ldap25-p01 slapd[16210]: olcPasswordHash: value #0:
>  scheme not available ({TOTP1})
> Jun 05 15:24:52 ldap25-p01 slapd[16210]: olcPasswordHash: value #0:
>  no valid hashes found
> Jun 05 15:24:52 ldap25-p01 slapd[16210]: config error processing
> cn=config:  no valid hashes found

Hm, I've only ever used the OTP module that ships as a core part of
OpenLDAP 2.5:

Personally I'd combine that with ARGON2 password hashes for secure password
hash storage + 2 Factor auth.

Regards,
Quanah



--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:



pw-totp

2021-06-05 Thread Stefan Kania
Hello,

I try to set up TOTP1 and TOTP1ANDPW as password hash. I use Debian 10
with Kernel 5.9 from the backports. As OpenLDAP I use 2.5.5. I set up
everything via Ansible. My configure-options are:
-
./configure --with-cyrus-sasl --with-tls=openssl --enable-overlays=mod
--enable-backends=mod --disable-perl --disable-ndb --enable-crypt
--enable-modules --enable-dynamic --enable-syslog --enable-debug
--enable-local --enable-spasswd --disable-sql
--prefix=/opt/openldap-current
-

In addition I build:

/opt/openldap-current/contrib/slapd-modules/passwd/sha2
/opt/openldap-current/contrib/slapd-modules/passwd/pbkdf2
/opt/openldap-current/contrib/slapd-modules/passwd/totp/


"make test" is running without any error.

The setup is running without any error, here my cn=config:

dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /opt/openldap-current/var/run/slapd.args
olcLogLevel: sync
olcLogLevel: stats
olcLogLevel: stats
olcPidFile: /opt/openldap-current/var/run/slapd.pid
olcToolThreads: 1
olcTLSCertificateFile:
/opt/openldap-current/etc/my_certificates/ldap25-p01-ce
 rt.pem
olcTLSCertificateKeyFile:
/opt/openldap-current/etc/my_certificates/ldap25-p01
 -key.pem
olcTLSCACertificateFile:
/opt/openldap-current/etc/my_certificates/cacert.pem
olcPasswordHash: {TOTP1}

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath:
/opt/openldap-current/libexec/openldap:/usr/local/libexec/openl
 dap
olcModuleLoad: {0}back_mdb
olcModuleLoad: {1}back_monitor
olcModuleLoad: {2}pw-totp.la
olcModuleLoad: {3}autoca.la

... schema

dn: olcBackend={0}mdb,cn=config
objectClass: olcBackendConfig
olcBackend: {0}mdb

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to *  by
dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=externa
 l,cn=auth manage  by
dn.exact=gidNumber=+uidNumber=,cn=peercred,cn=ex
 ternal,cn=auth manage  by * break
olcAccess: {1}to dn=""  by * read
olcAccess: {2}to dn.base="cn=subschema"  by * read
olcSizeLimit: 500


dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to *  by
dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=externa
 l,cn=auth manage  by
dn.exact=gidNumber=+uidNumber=,cn=peercred,cn=ex
 ternal,cn=auth manage  by
dn.exact=uid=ldap-admin,ou=users,dc=example,dc=net
 write  by * break
olcRootDN: cn=admin,cn=config
olcRootPW:


dn: olcDatabase={1}monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to dn.subtree="cn=monitor" by dn.exact=cn=admin,cn=config
read
  by dn.exact=cn=admin,dc=example,dc=net read

dn: olcDatabase={2}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcmdbConfig
olcDatabase: {2}mdb
olcDbDirectory: /opt/openldap-current/var/lib/ldap
olcSuffix: dc=example,dc=net
olcAccess: {0} to *  by
dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth manage  by
dn.exact=gidNumber=+uidNumber=,cn=peercred,cn=e
 xternal,cn=auth manage  by
dn.exact=uid=ldap-admin,ou=users,dc=example,dc=net
  write  by dn.exact=uid=repl-user,ou=users,dc=example,dc=net read  by *
break
olcAccess: {1}to dn.exact=""  by * read
olcAccess: {2}to dn.base="cn=subschema"  by * read
olcAccess: {3} to attrs=userPassword  by anonymous auth by self write by
* non
 e
olcLimits: {0} dn.exact="uid=repl-user,ou=users,dc=example,dc=net"
time=unl
 imited size=unlimited
olcLimits: {1} dn.exact="uid=ldap-admin,ou=users,dc=example,dc=net"
time=unlim
 ited size=unlimited
olcRootDN: cn=admin,dc=example,dc=net
olcRootPW: {SSHA}D6GKFhWChzpTnTmsxLVqJqTnFm+8fr3K
olcSizeLimit: unlimited
olcTimeLimit: unlimited
olcDbCheckpoint: 512 30
olcDbIndex: default eq
olcDbIndex: objectClass
olcDbIndex: entryUUID
olcDbIndex: entryCSN
olcDbIndex: cn pres,eq,sub
olcDbIndex: uid pres,eq,sub
olcDbIndex: mail pres,eq,sub
olcDbIndex: sn pres,eq,sub
olcDbIndex: description pres,eq,sub
olcDbIndex: title pres,eq,sub
olcDbIndex: givenName pres,eq,sub
olcDbMaxSize: 85899345920

dn: olcOverlay={0}totp,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
olcOverlay: {0}totp

dn: olcOverlay={1}autoca,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAutoCAConfig
olcOverlay: {1}autoca
olcAutoCAuserKeybits: 4096
olcAutoCAserverKeybits: 4096
olcAutoCAKeybits: 4096


After a few minutes or if I restart slapd I get the following error message:
-
Jun 05 15:24:52 ldap25-p01 slapd[16210]: @(#) $OpenLDAP: slapd 2.5.5
(Jun  5 2021 14:07:21) $

root@ldap25-p01:/opt/openldap-2.5.5/servers/slapd
Jun 05 15:24:52 ldap25-p01 slapd[16210]: olcPasswordHash: value #0:
 scheme not available ({TOTP1})
Jun 05 15:24:52 ldap25-p01 slapd[16210]: olcPasswordHash: value #0:
 no valid hashes found
Jun 05 15:24:52 ldap25-p01 slapd[16210]: config error processing
cn=config:  no valid hashes found
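The {TOTP1} and {TOTP1ANDPW} schemes the original post configures are built on RFC 6238 TOTP (HMAC-SHA1 in the "1" variants, with TOTP256 and TOTP512 for the other digests). The script below is an added example and not code from OpenLDAP's contrib pw-totp module; it makes no claim about how that module encodes the secret in userPassword. It shows what a server has to get right when it accepts a time-based code: RFC 4226 dynamic truncation, a small step window for clock skew, constant-time comparison, and refusing a step that has already been consumed so a captured code cannot be replayed inside the window. The secret is the RFC 6238 Appendix B test secret, used here as constructed input so the RFC's own test vectors apply.

```python
"""Added example: RFC 6238 TOTP, the algorithm behind the {TOTP1}/{TOTP256}/
{TOTP512} schemes named in this thread.  Not code from OpenLDAP's pw-totp
module and no claim about how that module encodes secrets in userPassword;
the RFC 6238 Appendix B test secret is used as constructed input."""
import base64
import hashlib
import hmac
import struct
from typing import Callable, Optional

# Scheme name -> HMAC digest, following the pw-totp naming (1 = SHA-1).
DIGESTS = {"TOTP1": hashlib.sha1, "TOTP256": hashlib.sha256, "TOTP512": hashlib.sha512}

RFC_SECRET = b"12345678901234567890"  # RFC 6238 Appendix B SHA-1 test secret


def hotp(secret: bytes, counter: int, digits: int = 6,
         digest: Callable = hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation to a
    31-bit integer, reduced mod 10^digits and zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, digits: int = 6, step: int = 30,
         digest: Callable = hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, now // step, digits, digest)


def verify_totp(secret: bytes, code: str, now: int, last_step: Optional[int] = None,
                window: int = 1, digits: int = 6, step: int = 30,
                digest: Callable = hashlib.sha1) -> Optional[int]:
    """Return the time step the code was accepted for, or None.

    window=1 tolerates one step of clock skew either way.  last_step is the
    step of the last code accepted for this user: steps <= last_step are
    refused, so a code captured in transit cannot be replayed inside the
    window.  The comparison itself is constant-time."""
    current = now // step
    for candidate in range(current - window, current + window + 1):
        if last_step is not None and candidate <= last_step:
            continue
        expected = hotp(secret, candidate, digits, digest)
        if hmac.compare_digest(expected.encode(), code.encode()):
            return candidate
    return None


def decode_base32(key: str) -> bytes:
    """Authenticator apps exchange the secret as (often unpadded) base32."""
    key = key.strip().replace(" ", "").upper()
    return base64.b32decode(key + "=" * (-len(key) % 8))


if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp(RFC_SECRET, now)
    print("current code:", code, "accepted for step:", verify_totp(RFC_SECRET, code, now))
```

The replay guard is the part a directory server must persist per user (the last accepted step), otherwise a code sniffed from a client remains valid for the whole window; the skew window should stay at one step, since each extra step doubles the number of codes an attacker can guess against.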