
Re: OTP broken?



Dieter Klünter wrote:
Am Fri, 6 Nov 2015 08:55:34 +0000
schrieb Emmanuel Dreyfus <manu@netbsd.org>:

Hello

It seems OTP was broken at some time, I wonder if it is just me (and
why), or if it is more general. I have a user with:
cmusaslsecretOTP: sha1    0499    se2124  xxxxxxxxxxxxxxxx  00000000

slapd.conf contains:
access to dn.regex="^uid=.+,dc=example,dc=net$" attrs=cmusaslsecretOTP
     by anonymous auth stop
     by self write stop
     by * none stop

I try:
$ ldapwhoami -Y OTP -X dn:${user_dn}
SASL/OTP authentication started
(delay)
ldap_sasl_interactive_bind_s: Server is unavailable (52)
        additional info: SASL(-8): transient failure (e.g., weak key): simultaneous OTP authentications not permitted

This is:
OpenLDAP 2.4.42
Cyrus SASL 2.1.26

If you are referring to sasl-OTP, which requires opiekey, this is still
working:

https://sys4.de/de/blog/2014/04/15/one-time-password-system-network-based-services/

On the other hand, there is a Time based OTP module in
contrib/slapd-modules/passwd/totp which is broken, although I use
Google Authenticator and alternatively Sophos Authenticator.

The passwd/totp module is a slapd password-hash mechanism and has nothing to do with SASL. It also works perfectly with Google Authenticator; what makes you say it's broken?

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
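The SASL/OTP mechanism the thread is about is RFC 2289 one-time passwords (algorithm, sequence number, seed), which is also the shape of the cmusaslsecretOTP value Emmanuel quotes. The following is an added example in Python, not code from the thread, OpenLDAP or Cyrus SASL: it computes RFC 2289 SHA-1 passwords and shows the server-side check that makes a password single-use. It assumes the first four fields of the record are RFC 2289's algorithm, sequence, seed and last accepted 64-bit password in hex (the trailing field is carried through unchanged); the passphrase and the enrolment at sequence 499 are constructed.

```python
import hashlib
import struct

def fold_sha1(data: bytes) -> bytes:
    """RFC 2289 SHA-1 step: hash, XOR digest words 1,3,5 and 2,4 down to
    64 bits, and emit the two 32-bit results little-endian."""
    w = struct.unpack(">5I", hashlib.sha1(data).digest())
    return struct.pack("<2I", w[0] ^ w[2] ^ w[4], w[1] ^ w[3])

def otp(passphrase: str, seed: str, seq: int) -> bytes:
    """Password number seq: lowercased seed + passphrase, hashed seq+1 times."""
    key = fold_sha1((seed.lower() + passphrase).encode())
    for _ in range(seq):
        key = fold_sha1(key)
    return key

def parse_record(value: str) -> dict:
    """Split a cmusaslsecretOTP value. Assumption: the first four fields are the
    RFC 2289 algorithm, sequence, seed and last-accepted password (16 hex
    digits); anything after them is carried through unchanged."""
    alg, seq, seed, last, *rest = value.split()
    return {"alg": alg, "seq": int(seq), "seed": seed,
            "last": bytes.fromhex(last), "rest": rest}

def format_record(rec: dict) -> str:
    return " ".join([rec["alg"], "%04d" % rec["seq"], rec["seed"],
                     rec["last"].hex().upper(), *rec["rest"]])

def verify(rec: dict, candidate_hex: str):
    """Server check: hash(candidate) must equal the stored password. On success
    return the advanced record (seq-1, candidate stored), otherwise None."""
    if rec["alg"] != "sha1" or rec["seq"] <= 0 or len(candidate_hex) != 16:
        return None
    cand = bytes.fromhex(candidate_hex)
    if fold_sha1(cand) != rec["last"]:
        return None
    return {**rec, "seq": rec["seq"] - 1, "last": cand}

def demo() -> tuple:
    """Constructed run: enrol at sequence 499 with the page's seed, log in once
    (sequence 498), then replay that same password."""
    pw, seed = "example pass-phrase", "se2124"          # passphrase constructed
    rec = parse_record(format_record({"alg": "sha1", "seq": 499, "seed": seed,
                                      "last": otp(pw, seed, 499), "rest": ["00000000"]}))
    login = otp(pw, seed, 498).hex().upper()
    after = verify(rec, login)                           # accepted, now seq 0498
    return format_record(after), verify(after, login)    # replay -> None

if __name__ == "__main__":
    print(demo())
```

The second call to verify with the same password returns None because the stored record has already advanced, which is the property a one-time password scheme must keep: the stored value must be rewritten on every successful bind.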