On Sat, 5 Jun 2021 15:27:40 +0200, Stefan Kania <ste...@kania-online.de> wrote:
> Hello,
>
> I try to set up TOTP1 and TOTP1ANDPW as password hash. I use Debian 10
> with Kernel 5.9 from the backports. As OpenLDAP I use 2.5.5. I set up
> everything via Ansible. My configure-options are:
> -------------
> ./configure --with-cyrus-sasl --with-tls=openssl --enable-overlays=mod
> --enable-backends=mod --disable-perl --disable-ndb --enable-crypt
> --enable-modules --enable-dynamic --enable-syslog --enable-debug
> --enable-local --enable-spasswd --disable-sql
> --prefix=/opt/openldap-current
> -------------
>
> In addition I build:
> ------------
> /opt/openldap-current/contrib/slapd-modules/passwd/sha2
> /opt/openldap-current/contrib/slapd-modules/passwd/pbkdf2
> /opt/openldap-current/contrib/slapd-modules/passwd/totp/
> ------------
>
> "make test" is running without any error.
>
> The setup is running without any error, here my cn=config:
> ------------
> dn: cn=config
> objectClass: olcGlobal
> cn: config
> olcArgsFile: /opt/openldap-current/var/run/slapd.args
> olcLogLevel: sync
> olcLogLevel: stats
> olcLogLevel: stats
> olcPidFile: /opt/openldap-current/var/run/slapd.pid
> olcToolThreads: 1
> olcTLSCertificateFile: /opt/openldap-current/etc/my_certificates/ldap25-p01-cert.pem
> olcTLSCertificateKeyFile: /opt/openldap-current/etc/my_certificates/ldap25-p01-key.pem
> olcTLSCACertificateFile: /opt/openldap-current/etc/my_certificates/cacert.pem
> olcPasswordHash: {TOTP1}
>
> dn: cn=module{0},cn=config
> objectClass: olcModuleList
> cn: module{0}
> olcModulePath: /opt/openldap-current/libexec/openldap:/usr/local/libexec/openldap
> olcModuleLoad: {0}back_mdb
> olcModuleLoad: {1}back_monitor
> olcModuleLoad: {2}pw-totp.la
> olcModuleLoad: {3}autoca.la
>
> ... schema....
>
> dn: olcBackend={0}mdb,cn=config
> objectClass: olcBackendConfig
> olcBackend: {0}mdb
>
> dn: olcDatabase={-1}frontend,cn=config
> objectClass: olcDatabaseConfig
> objectClass: olcFrontendConfig
> olcDatabase: {-1}frontend
> olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth manage by * break
> olcAccess: {1}to dn="" by * read
> olcAccess: {2}to dn.base="cn=subschema" by * read
> olcSizeLimit: 500
>
> dn: olcDatabase={0}config,cn=config
> objectClass: olcDatabaseConfig
> olcDatabase: {0}config
> olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth manage by dn.exact=uid=ldap-admin,ou=users,dc=example,dc=net write by * break
> olcRootDN: cn=admin,cn=config
> olcRootPW:
>
> dn: olcDatabase={1}monitor,cn=config
> objectClass: olcDatabaseConfig
> olcDatabase: {1}monitor
> olcAccess: {0}to dn.subtree="cn=monitor" by dn.exact=cn=admin,cn=config read by dn.exact=cn=admin,dc=example,dc=net read
>
> dn: olcDatabase={2}mdb,cn=config
> objectClass: olcDatabaseConfig
> objectClass: olcmdbConfig
> olcDatabase: {2}mdb
> olcDbDirectory: /opt/openldap-current/var/lib/ldap
> olcSuffix: dc=example,dc=net
> olcAccess: {0} to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth manage by dn.exact=uid=ldap-admin,ou=users,dc=example,dc=net write by dn.exact=uid=repl-user,ou=users,dc=example,dc=net read by * break
> olcAccess: {1}to dn.exact="" by * read
> olcAccess: {2}to dn.base="cn=subschema" by * read
> olcAccess: {3} to attrs=userPassword by anonymous auth by self write by * none
> olcLimits: {0} dn.exact="uid=repl-user,ou=users,dc=example,dc=net" time=unlimited size=unlimited
> olcLimits: {1} dn.exact="uid=ldap-admin,ou=users,dc=example,dc=net" time=unlimited size=unlimited
> olcRootDN: cn=admin,dc=example,dc=net
> olcRootPW: {SSHA}D6GKFhWChzpTnTmsxLVqJqTnFm+8fr3K
> olcSizeLimit: unlimited
> olcTimeLimit: unlimited
> olcDbCheckpoint: 512 30
> olcDbIndex: default eq
> olcDbIndex: objectClass
> olcDbIndex: entryUUID
> olcDbIndex: entryCSN
> olcDbIndex: cn pres,eq,sub
> olcDbIndex: uid pres,eq,sub
> olcDbIndex: mail pres,eq,sub
> olcDbIndex: sn pres,eq,sub
> olcDbIndex: description pres,eq,sub
> olcDbIndex: title pres,eq,sub
> olcDbIndex: givenName pres,eq,sub
> olcDbMaxSize: 85899345920
>
> dn: olcOverlay={0}totp,olcDatabase={2}mdb,cn=config
> objectClass: olcOverlayConfig
> olcOverlay: {0}totp
>
> dn: olcOverlay={1}autoca,olcDatabase={2}mdb,cn=config
> objectClass: olcOverlayConfig
> objectClass: olcAutoCAConfig
> olcOverlay: {1}autoca
> olcAutoCAuserKeybits: 4096
> olcAutoCAserverKeybits: 4096
> olcAutoCAKeybits: 4096
> ------------
>
> After a few minutes or if I restart slapd I get the following
> error-message:
> ---------------------
> Jun 05 15:24:52 ldap25-p01 slapd[16210]: @(#) $OpenLDAP: slapd 2.5.5 (Jun 5 2021 14:07:21) $
>         root@ldap25-p01:/opt/openldap-2.5.5/servers/slapd
> Jun 05 15:24:52 ldap25-p01 slapd[16210]: olcPasswordHash: value #0: <olcPasswordHash> scheme not available ({TOTP1})
> Jun 05 15:24:52 ldap25-p01 slapd[16210]: olcPasswordHash: value #0: <olcPasswordHash> no valid hashes found
> Jun 05 15:24:52 ldap25-p01 slapd[16210]: config error processing cn=config: <olcPasswordHash> no valid hashes found
> ---------------------
> I used the documentation from Symas for configuring TOTP. What's wrong
> and why is slapd starting after configuration but crashes when I
> restart slapd?

Have a look at this blog entry, dated 2015.
https://blog.sys4.de/totp-time-based-one-time-password-authentication-en.html

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N 10°08'02,42"E
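An added check, written for this reply and not part of the thread or of OpenLDAP itself: it walks a cn=config LDIF in the order the entries appear in the quoted dump (the cn=config entry with olcPasswordHash before the cn=module{0} entry that loads pw-totp.la) and reports every olcPasswordHash scheme that is neither built into slapd nor registered by an olcModuleLoad already seen, which is the condition behind the "scheme not available ({TOTP1})" line in the quoted log. The built-in scheme list and the module-to-scheme table are assumptions made for this example, and the sample LDIF is a constructed excerpt of the quoted configuration.

```python
import re

# Schemes compiled into slapd itself (assumed list for this example).
BUILTIN = {"SSHA", "SHA", "SMD5", "MD5", "CRYPT", "CLEARTEXT"}
# Contrib module name -> schemes it registers (assumed mapping for this example).
MODULE_SCHEMES = {
    "pw-totp": {"TOTP1", "TOTP256", "TOTP512",
                "TOTP1ANDPW", "TOTP256ANDPW", "TOTP512ANDPW"},
    "pw-sha2": {"SHA256", "SHA384", "SHA512", "SSHA256", "SSHA384", "SSHA512"},
    "pw-pbkdf2": {"PBKDF2", "PBKDF2-SHA1", "PBKDF2-SHA256", "PBKDF2-SHA512"},
}

# Constructed cn=config excerpt in the order of the quoted dump:
# the olcGlobal entry precedes cn=module{0}.
SAMPLE_LDIF = """\
dn: cn=config
olcPasswordHash: {TOTP1}

dn: cn=module{0},cn=config
olcModuleLoad: {0}back_mdb
olcModuleLoad: {2}pw-totp.la
"""

def parse_ldif(text):
    """Return [(dn, [(attr, value), ...])] in file order, unfolding wrapped lines."""
    entries, cur = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and cur:
            cur[-1] += raw[1:]                 # LDIF continuation line
        elif raw.strip():
            cur.append(raw)
        elif cur:                              # blank line ends an entry
            entries.append([tuple(p.strip() for p in l.split(":", 1)) for l in cur])
            cur = []
    return [(dict(attrs)["dn"], attrs) for attrs in entries]

def unavailable_schemes(ldif_text):
    """(dn, scheme) pairs whose scheme is not yet registered when that entry is parsed."""
    available, problems = set(BUILTIN), []
    for dn, attrs in parse_ldif(ldif_text):
        for attr, val in attrs:
            if attr == "olcModuleLoad":        # a module's schemes exist from here on
                mod = re.sub(r"^\{\d+\}", "", val).rsplit("/", 1)[-1]
                available |= MODULE_SCHEMES.get(re.sub(r"\.(la|so)$", "", mod), set())
            elif attr == "olcPasswordHash":
                for scheme in re.findall(r"\{([^}]+)\}", val):
                    if scheme.upper() not in available:
                        problems.append((dn, scheme))
    return problems
```

Run against a `slapcat -n0` dump of a live server, the function returns an empty list when every scheme named in olcPasswordHash is already registered at the point slapd reaches that entry.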