
Using SASL OTP
Hello

Does anyone have experience using SASL OTP with OpenLDAP?

Here is what I understood so far:

- OTP stuff is stored in SASL auxprop cmusaslsecretOTP, which can be
stored in sasldb or in LDAP. 

- If OpenLDAP finds a cmusaslsecretOTP attribute for a user, and if
the OTP plugin is installed both on the client and the server, then 
the OTP challenge is presented when requesting the OTP method. That
leaves me with two problems: how to set cmusaslsecretOTP in LDAP?

- If I use saslpasswd2, it will store cmusaslsecretOTP in sasldb. I
can copy-paste it to the LDAP directory, which is not very satisfying.

- If I install the Cyrus ldapDB plugin and add a sasl2/saslpasswd.conf,
it seems I can tell saslpasswd2 to write to the directory:
ldapdb_uri: ldaps://ldap.example.com

I have not fully investigated, but it seems the thing cannot prompt
for credentials: DN/password must be stored in saslpasswd.conf, which
makes multiuser utilization troublesome.

- saslpasswd2 calls sasl_setpass(), and a look at OpenLDAP sources
shows that passwd_extop()/slap_sasl_setpass() does the same. That
suggests it is possible to have slapd doing the thing, but how does
it work? In passwd_extop(), slap_sasl_setpass() will only be
called if op->o_bd is NULL. In what situation does it happen?

- And my last problem is to generate OTP. setkey(1) does not seem
to produce something acceptable by SASL OTP. I have to investigate
further.

-- 
Emmanuel Dreyfus
manu@netbsd.org
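As an added illustration, not part of this thread, of what the SASL OTP mechanism (RFC 2289) expects from a generator: the otp-md5 variant in Python, checked against the RFC's published test vector for pass phrase "This is a test." and seed "TeSt" (hex form only; the six-word encoding is omitted). The verify_next() helper is an assumed name showing the server-side check, where the response for sequence n-1 must hash-and-fold to the stored value for sequence n.

```python
import hashlib


def otp_fold_md5(data: bytes) -> bytes:
    """One RFC 2289 MD5 step: hash, then fold the 16-byte digest to 8 bytes
    by XORing bytes 0-3 with 8-11 and 4-7 with 12-15 (i.e. first half ^ second half)."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp_md5(passphrase: str, seed: str, count: int) -> bytes:
    """Return the 64-bit one-time password for sequence number `count`."""
    # Initial step: the seed is case-insensitive, so it is lower-cased before
    # being concatenated with the pass phrase and hashed.
    key = otp_fold_md5((seed.lower() + passphrase).encode("ascii"))
    # Compute step: apply hash-and-fold `count` more times.
    for _ in range(count):
        key = otp_fold_md5(key)
    return key


def otp_hex(passphrase: str, seed: str, count: int) -> str:
    """Hexadecimal form as printed in RFC 2289 Appendix C: 4 groups of 4 hex digits."""
    h = otp_md5(passphrase, seed, count).hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))


def verify_next(stored_hex: str, candidate_hex: str) -> bool:
    """Server-side check (assumed helper): the server stores the OTP for sequence n;
    a response for sequence n-1 is valid if one hash-and-fold of it equals the
    stored value. On success the server would then store the new value and n-1."""
    stored = bytes.fromhex(stored_hex.replace(" ", ""))
    candidate = bytes.fromhex(candidate_hex.replace(" ", ""))
    return otp_fold_md5(candidate) == stored


if __name__ == "__main__":
    # Constructed run using the RFC 2289 test pass phrase and seed.
    for n in (0, 1, 99):
        print(n, otp_hex("This is a test.", "TeSt", n))
    print(verify_next(otp_hex("This is a test.", "TeSt", 99),
                      otp_hex("This is a test.", "TeSt", 98)))
```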