Question: Convert secret from ${HOME}/.goggle-authenticator to OpenLDAP slapo-otp format

[Cistoge]

Hello,

at our site, we have been using OpenLDAP authentication for quite a time; some weeks ago, we added ${HOME}/.goggle-authenticato as a second factor. This week, I read that OpenLDAP 2.5 itself supports google-authenticator-like TOTP secrets, so that a user's secret can be stored in LDAP instead of on disk.

I made this work with a 20 bytes secret created by openssl, but I was not able to transfer an already existing 16 bytes secret from ${HOME}/.goggle-authenticator to OpenLDAP. I generated the OpenLDAP TOTP secret like this, using the base32 binary from goggle-authenticator-libpam:

base32 -D <secret> | base64

This worked without error, but after creating a correspondig ldif and using it with ldapmodify, I could not login on one of the LDAP clients ...

Can anyone help?

Regards
Christoph

[flowers9]

This project only uses a 16 byte secret, whereas openldap's (correctly) uses a 20 byte secret. So, secrets aren't transferrable between them.

Edit: Actually, that's not quite true. Secrets created by this project are 16 byte, but if you put a longer secret into the file it should work fine. So, secrets from this can't be used anywhere else that wants a 20 byte secret (like openldap's totp overlay), but you should be able to take 20 byte secrets stored elsewhere and use them here.