[Date Prev][Date Next]
Using SASL OTP
Anyone has experience using SASL OTP with OpenLDAP?
Here is what I understood so far:
- OTP stuff is stored in SASL auxprop cmusaslsecretOTP, which can be
stored in sasldb or in LDAP.
- If OpenLDAP finds a cmusaslsecretOTP attribute for a user, and if
the OTP plugin is installed both on the client and the server, then
the OTP challenge is presented when requesting the OTP method. That
leaves me with two problems: how to set cmusaslsecretOTP in LDAP?
- if I use salspasswd2, it will store cmusaslsecretOTP in sasldb. I
can copy paste it to the LDAP directory, which is not very satisfying.
- If I install the Cyrus ldapDB plugin and add a sasl2/salspasswd.conf,
it seems I can tell salspasswd2 to write to the directory:
I have not fully investigated, but it seems the thing cannot prompt
for credentials: DN/password must be stored in salspasswd.conf, which
makes multiuser utilization troublesome.
- salspasswd2 calls sasl_setpass(), and a look at OpenLDAP sources
shows that passwd_extop()/slap_sasl_setpass() does the same. That
suggests it is possible to have slapd doing the thing, but how does
it works? In passwd_extop(), slap_sasl_setpass() will only be
called if op-o_bd is NULL. In what situation does it happen?
- And my last problem is to generate OTP. setkey(1) does not seems
to produce something acceptable by SASL OTP. I have to investigate