[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OTP broken?

To: openldap-technical@openldap.org
Subject: Re: OTP broken?
From: Dieter Klünter <dieter@dkluenter.de>
Date: Fri, 6 Nov 2015 22:53:10 +0100
In-reply-to: <20151106085534.GD26689@homeworld.netbsd.org>
Organization: AVCI
References: <20151106085534.GD26689@homeworld.netbsd.org>

Am Fri, 6 Nov 2015 08:55:34 +0000
schrieb Emmanuel Dreyfus <manu@netbsd.org>:

> Hello
> 
> It seems OTP was broken at some time, I wonder if it is just me (and
> why), or if it is more genral. I have a user with:
> cmusaslsecretOTP: sha1    0499    se2124  xxxxxxxxxxxxxxxx
> 00000000
> 
> slapd.conf contains:
> access to dn.regex="^uid=.+,dc=example,dc=net$" attrs=cmusaslsecretOTP
>     by anonymous auth stop
>     by self write stop
>     by * none stop
> 
> I try:
> $ ldapwhomai -Y OTP -X dn:${user_dn}
> SASL/OTP authentication started
> (delay)
> ldap_sasl_interactive_bind_s: Server is unavailable (52)
>         additional info: SASL(-8): transient failure (e.g., weak
> key): simultaneous OTP authentications not permitted
> 
> This is:
> OpenLDAP 2.4.42
> Cyrusl SASL 2.1.26

If you are referring to sasl-OTP, which requires opiekey, this is still
working, 

https://sys4.de/de/blog/2014/04/15/one-time-password-system-network-based-services/

On the other hand, there is a Time based OTP module in
contrib/slapd-modules/passwd/otpt which is broken, although i use
google authenticator and alternatively sophos authenticator.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E

Follow-Ups:
- Re: OTP broken?
  - From: Howard Chu <hyc@symas.com>
- Re: OTP broken?
  - From: Michael Ströder <michael@stroeder.com>

References:
- OTP broken?
  - From: Emmanuel Dreyfus <manu@netbsd.org>

Prev by Date: Re: OTP broken?
Next by Date: Re: OTP broken?
Index(es):
- Chronological
- Thread