Hello Dieter, I think I read everything I could find, also your posting :-). The only thing I did not set is "security ssf=1", but I think that has nothing to do with my error message. What I don't understand is why I can set the option olcPasswordHash without an error, but as soon as I try to do anything or restart slapd, slapd crashes.
On 06.06.21 at 11:01, Dieter Klünter wrote:
> On Sat, 5 Jun 2021 15:27:40 +0200, Stefan Kania <ste...@kania-online.de> wrote:
>
>> Hello,
>>
>> I try to set up TOTP1 and TOTP1ANDPW as password hash. I use Debian 10
>> with Kernel 5.9 from the backports. As OpenLDAP I use 2.5.5. I set up
>> everything via Ansible. My configure-options are:
>> -------------
>> ./configure --with-cyrus-sasl --with-tls=openssl --enable-overlays=mod
>> --enable-backends=mod --disable-perl --disable-ndb --enable-crypt
>> --enable-modules --enable-dynamic --enable-syslog --enable-debug
>> --enable-local --enable-spasswd --disable-sql
>> --prefix=/opt/openldap-current
>> -------------
>>
>> In addition I build:
>> ------------
>> /opt/openldap-current/contrib/slapd-modules/passwd/sha2
>> /opt/openldap-current/contrib/slapd-modules/passwd/pbkdf2
>> /opt/openldap-current/contrib/slapd-modules/passwd/totp/
>> ------------
>>
>> "make test" is running without any error.
>>
>> The setup is running without any error, here my cn=config:
>> ------------
>> dn: cn=config
>> objectClass: olcGlobal
>> cn: config
>> olcArgsFile: /opt/openldap-current/var/run/slapd.args
>> olcLogLevel: sync
>> olcLogLevel: stats
>> olcLogLevel: stats
>> olcPidFile: /opt/openldap-current/var/run/slapd.pid
>> olcToolThreads: 1
>> olcTLSCertificateFile: /opt/openldap-current/etc/my_certificates/ldap25-p01-cert.pem
>> olcTLSCertificateKeyFile: /opt/openldap-current/etc/my_certificates/ldap25-p01-key.pem
>> olcTLSCACertificateFile: /opt/openldap-current/etc/my_certificates/cacert.pem
>> olcPasswordHash: {TOTP1}
>>
>> dn: cn=module{0},cn=config
>> objectClass: olcModuleList
>> cn: module{0}
>> olcModulePath: /opt/openldap-current/libexec/openldap:/usr/local/libexec/openldap
>> olcModuleLoad: {0}back_mdb
>> olcModuleLoad: {1}back_monitor
>> olcModuleLoad: {2}pw-totp.la
>> olcModuleLoad: {3}autoca.la
>>
>> ... schema....
>>
>> dn: olcBackend={0}mdb,cn=config
>> objectClass: olcBackendConfig
>> olcBackend: {0}mdb
>>
>> dn: olcDatabase={-1}frontend,cn=config
>> objectClass: olcDatabaseConfig
>> objectClass: olcFrontendConfig
>> olcDatabase: {-1}frontend
>> olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth manage by * break
>> olcAccess: {1}to dn="" by * read
>> olcAccess: {2}to dn.base="cn=subschema" by * read
>> olcSizeLimit: 500
>>
>> dn: olcDatabase={0}config,cn=config
>> objectClass: olcDatabaseConfig
>> olcDatabase: {0}config
>> olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth manage by dn.exact=uid=ldap-admin,ou=users,dc=example,dc=net write by * break
>> olcRootDN: cn=admin,cn=config
>> olcRootPW:
>>
>> dn: olcDatabase={1}monitor,cn=config
>> objectClass: olcDatabaseConfig
>> olcDatabase: {1}monitor
>> olcAccess: {0}to dn.subtree="cn=monitor" by dn.exact=cn=admin,cn=config read by dn.exact=cn=admin,dc=example,dc=net read
>>
>> dn: olcDatabase={2}mdb,cn=config
>> objectClass: olcDatabaseConfig
>> objectClass: olcmdbConfig
>> olcDatabase: {2}mdb
>> olcDbDirectory: /opt/openldap-current/var/lib/ldap
>> olcSuffix: dc=example,dc=net
>> olcAccess: {0} to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth manage by dn.exact=uid=ldap-admin,ou=users,dc=example,dc=net write by dn.exact=uid=repl-user,ou=users,dc=example,dc=net read by * break
>> olcAccess: {1}to dn.exact="" by * read
>> olcAccess: {2}to dn.base="cn=subschema" by * read
>> olcAccess: {3} to attrs=userPassword by anonymous auth by self write by * none
>> olcLimits: {0} dn.exact="uid=repl-user,ou=users,dc=example,dc=net" time=unlimited size=unlimited
>> olcLimits: {1} dn.exact="uid=ldap-admin,ou=users,dc=example,dc=net" time=unlimited size=unlimited
>> olcRootDN: cn=admin,dc=example,dc=net
>> olcRootPW: {SSHA}D6GKFhWChzpTnTmsxLVqJqTnFm+8fr3K
>> olcSizeLimit: unlimited
>> olcTimeLimit: unlimited
>> olcDbCheckpoint: 512 30
>> olcDbIndex: default eq
>> olcDbIndex: objectClass
>> olcDbIndex: entryUUID
>> olcDbIndex: entryCSN
>> olcDbIndex: cn pres,eq,sub
>> olcDbIndex: uid pres,eq,sub
>> olcDbIndex: mail pres,eq,sub
>> olcDbIndex: sn pres,eq,sub
>> olcDbIndex: description pres,eq,sub
>> olcDbIndex: title pres,eq,sub
>> olcDbIndex: givenName pres,eq,sub
>> olcDbMaxSize: 85899345920
>>
>> dn: olcOverlay={0}totp,olcDatabase={2}mdb,cn=config
>> objectClass: olcOverlayConfig
>> olcOverlay: {0}totp
>>
>> dn: olcOverlay={1}autoca,olcDatabase={2}mdb,cn=config
>> objectClass: olcOverlayConfig
>> objectClass: olcAutoCAConfig
>> olcOverlay: {1}autoca
>> olcAutoCAuserKeybits: 4096
>> olcAutoCAserverKeybits: 4096
>> olcAutoCAKeybits: 4096
>> ------------
>>
>> After a few minutes or if I restart slapd I get the following error-message:
>> ---------------------
>> Jun 05 15:24:52 ldap25-p01 slapd[16210]: @(#) $OpenLDAP: slapd 2.5.5 (Jun 5 2021 14:07:21) $
>>         root@ldap25-p01:/opt/openldap-2.5.5/servers/slapd
>> Jun 05 15:24:52 ldap25-p01 slapd[16210]: olcPasswordHash: value #0: <olcPasswordHash> scheme not available ({TOTP1})
>> Jun 05 15:24:52 ldap25-p01 slapd[16210]: olcPasswordHash: value #0: <olcPasswordHash> no valid hashes found
>> Jun 05 15:24:52 ldap25-p01 slapd[16210]: config error processing cn=config: <olcPasswordHash> no valid hashes found
>> ---------------------
>> I used the documentation from symas for configuring TOTP. What's wrong
>> and why is slapd starting after configuration but crashes when I
>> restart slapd?
>
> Have a look at this blog entry, dated 2015.
> https://blog.sys4.de/totp-time-based-one-time-password-authentication-en.html
>
> -Dieter
>

-- 
Stefan Kania
Landweg 13
25693 St. Michaelisdonn

Signing every e-mail helps reduce spam and protects your privacy. You can obtain a free certificate at https://www.dgn.de/dgncert/index.html
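The startup log quoted in the thread rejects {TOTP1} in the global cn=config entry even though pw-totp.la is listed under cn=module{0}. The script below is an added example, not code from the thread or from the OpenLDAP project: it reads a cn=config LDIF dump and reports every olcPasswordHash scheme whose providing module has not been loaded by the time slapd has processed the entry that references it. Two things are assumptions, marked as such in the code: the scheme-to-module table for the contrib passwd modules, and that slapd validates the root cn=config entry before loading the cn=module children that follow it. The LDIF is a constructed sample modelled on the configuration quoted above, folded the way a real dump (slapcat -n 0) would fold long values.

```python
"""Order-aware check of olcPasswordHash schemes against olcModuleLoad in a cn=config LDIF dump."""
import base64
import re

# Schemes compiled into slapd itself (assumption: a build with --enable-crypt, as in the thread).
BUILTIN_SCHEMES = {"{SSHA}", "{SHA}", "{SMD5}", "{MD5}", "{CRYPT}", "{CLEARTEXT}"}

# Schemes provided by contrib/slapd-modules/passwd/* (assumed mapping; module name is the .la basename).
MODULE_SCHEMES = {
    "{TOTP1}": "pw-totp", "{TOTP256}": "pw-totp", "{TOTP512}": "pw-totp",
    "{TOTP1ANDPW}": "pw-totp", "{TOTP256ANDPW}": "pw-totp", "{TOTP512ANDPW}": "pw-totp",
    "{PBKDF2}": "pw-pbkdf2", "{PBKDF2-SHA1}": "pw-pbkdf2",
    "{PBKDF2-SHA256}": "pw-pbkdf2", "{PBKDF2-SHA512}": "pw-pbkdf2",
    "{SHA256}": "pw-sha2", "{SHA384}": "pw-sha2", "{SHA512}": "pw-sha2",
    "{SSHA256}": "pw-sha2", "{SSHA384}": "pw-sha2", "{SSHA512}": "pw-sha2",
}

ORDER_PREFIX = re.compile(r"^\{-?\d+\}")  # X-ORDERED prefix such as {2} or {-1}

# Constructed sample, modelled on the cn=config quoted in the thread (not a real dump).
SAMPLE_LDIF = """\
dn: cn=config
objectClass: olcGlobal
cn: config
olcTLSCertificateFile: /opt/openldap-current/etc/my_certificates/ldap25-p01-ce
 rt.pem
olcPasswordHash: {TOTP1}

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /opt/openldap-current/libexec/openldap
olcModuleLoad: {0}back_mdb
olcModuleLoad: {1}back_monitor
olcModuleLoad: {2}pw-totp.la
olcModuleLoad: {3}autoca.la

dn: olcDatabase={2}mdb,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {2}mdb
olcSuffix: dc=example,dc=net
"""


def parse_ldif(text):
    """Parse LDIF into an ordered list of (dn, [(attr, value), ...]).

    Folded lines (continuations starting with one space) are re-joined,
    comments are skipped and '::' base64 values are decoded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = None
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.lstrip()
        if attr == "dn":
            current = (value, [])
        elif current is not None:
            current[1].append((attr, value))
    if current:
        entries.append(current)
    return entries


def module_name(value):
    """'{2}pw-totp.la' or '/path/to/pw-sha2.so' -> 'pw-totp' / 'pw-sha2'."""
    name = ORDER_PREFIX.sub("", value).rsplit("/", 1)[-1]
    return re.sub(r"\.(la|so)$", "", name)


def check_password_hash_order(entries):
    """Walk entries in dump order (assumption: slapd processes them in that order at startup)
    and flag schemes referenced before the module that registers them has been loaded."""
    loaded, findings = set(), []
    for dn, attrs in entries:
        for attr, value in attrs:
            if attr == "olcModuleLoad":
                loaded.add(module_name(value))
            elif attr == "olcPasswordHash":
                for scheme in ORDER_PREFIX.sub("", value).split():
                    if scheme in BUILTIN_SCHEMES:
                        continue
                    mod = MODULE_SCHEMES.get(scheme)
                    if mod is None:
                        findings.append(f"{dn}: {scheme} is not a known scheme")
                    elif mod not in loaded:
                        findings.append(f"{dn}: {scheme} needs module {mod}, not loaded before this entry")
    return findings


if __name__ == "__main__":
    for finding in check_password_hash_order(parse_ldif(SAMPLE_LDIF)) or ["no findings"]:
        print(finding)
```

Run against a real dump, the script reads the output of `slapcat -n 0` instead of SAMPLE_LDIF; a finding for the root cn=config entry reproduces the "scheme not available" condition from the quoted log without starting slapd, while the same scheme on an entry that follows cn=module{0} passes the check.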