Topic: [Solved] LDAP + TOTP authentication failure (Read 18306 times)
mimugmail
Re: LDAP + TOTP authentication failure
Reply #15, August 03, 2020, 03:21:49 pm
When you use LDAP without encryption, on the console you do:
tcpdump -n -i vmxX -X port 389
Then you can see your password in cleartext, and whether it is only the password.
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
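An added example, not from the thread and not OPNsense code, of what the capture described above lets you inspect: a minimal BER encoder/decoder for an LDAPv3 simple BindRequest (RFC 4511), run over a bind that the script constructs itself so it works offline. The DN, the password-plus-code string and the "six digits at one end of the credential means a TOTP code was forwarded to the directory" heuristic are assumptions for illustration; on a real capture the same parser can be fed the TCP payload of the bind packet.

```python
import re


def ber_tlv(tag: int, body: bytes) -> bytes:
    """Encode one BER tag-length-value (definite length, short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def ber_read(buf: bytes, pos: int):
    """Decode the TLV at buf[pos]; returns (tag, value, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long form: next N bytes hold the length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


# Tags used by an LDAPv3 simple bind (RFC 4511)
SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
BIND_REQUEST = 0x60     # [APPLICATION 0], constructed
SIMPLE_AUTH = 0x80      # AuthenticationChoice: simple [0] OCTET STRING


def build_simple_bind(message_id: int, dn: str, credential: str) -> bytes:
    """Encode LDAPMessage { messageID, BindRequest { version 3, dn, simple credential } }."""
    if not 0 <= message_id < 128:
        raise ValueError("example encoder only handles single-byte message IDs")
    bind = ber_tlv(BIND_REQUEST,
                   ber_tlv(INTEGER, bytes([3]))
                   + ber_tlv(OCTET_STRING, dn.encode("utf-8"))
                   + ber_tlv(SIMPLE_AUTH, credential.encode("utf-8")))
    return ber_tlv(SEQUENCE, ber_tlv(INTEGER, bytes([message_id])) + bind)


def parse_simple_bind(pkt: bytes) -> dict:
    """Pull messageID, DN and the cleartext credential out of a captured bind request."""
    tag, msg, _ = ber_read(pkt, 0)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = ber_read(msg, 0)
    if tag != INTEGER:
        raise ValueError("missing messageID")
    tag, bind, _ = ber_read(msg, pos)     # optional controls after this are ignored
    if tag != BIND_REQUEST:
        raise ValueError("not a BindRequest")
    tag, version, pos = ber_read(bind, 0)
    tag, dn, pos = ber_read(bind, pos)
    tag, cred, _ = ber_read(bind, pos)
    if tag != SIMPLE_AUTH:
        raise ValueError("not simple authentication (SASL binds carry no cleartext password here)")
    return {"messageID": int.from_bytes(mid, "big"), "version": version[0],
            "dn": dn.decode("utf-8"), "credential": cred.decode("utf-8")}


def credential_shape(credential: str, digits: int = 6) -> str:
    """Heuristic (assumption for this example): a run of six digits at one end of the
    credential suggests a TOTP code was forwarded to the directory with the password."""
    if re.fullmatch(rf".+\d{{{digits}}}", credential):
        return "password+code (reverse order)"
    if re.fullmatch(rf"\d{{{digits}}}.+", credential):
        return "code+password (default order)"
    return "password only"


# Constructed sample: the bytes tcpdump -X on port 389 would show for this bind
SAMPLE_BIND = build_simple_bind(1, "cn=alice,ou=people,dc=example,dc=com", "hunter2081804")

if __name__ == "__main__":
    parsed = parse_simple_bind(SAMPLE_BIND)
    print(SAMPLE_BIND.hex())
    print(parsed, "->", credential_shape(parsed["credential"]))
```

The point of the check is the last field: with a plain LDAP server the credential is only the password, while with LDAP+TOTP the directory only ever sees the password part, so a code showing up here would mean the split went wrong.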
CraigS
Reply #16, August 03, 2020, 06:05:52 pm
So it looks like the LDAP query is not sent when TOTP is used.
Nothing in the packet capture.
mimugmail
Reply #17, August 03, 2020, 07:35:31 pm
Can you try with IP instead of FQDN and plain 389?
CraigS
Reply #18, August 03, 2020, 07:40:34 pm
It still gives the same error, and no LDAP query in tcpdump.
No problems without TOTP.
Could the LDAP function that splits the password and TOTP be the issue?
CraigS
Reply #19, August 04, 2020, 08:28:26 am
Reset all to defaults, configured just an LDAP server + TOTP with the same results.
Reverted the snapshot and updated to 20.7 with the same results as before...
Last Edit: August 04, 2020, 08:34:15 am by CraigS
mimugmail
Reply #20, August 04, 2020, 09:25:15 am
This is really crazy. Can you install 20.1 without any patches and try again?
CraigS
Reply #21, August 04, 2020, 10:06:21 pm
Apologies mimugmail, my computer blew its CPU or motherboard this morning, or I would have tested sooner.
Following your advice:
1. installed fresh 20.1-amd64 from ISO on VMware ESXi using the FreeBSD 11 template
2. assigned IP addresses - WAN + LAN (not accessible from the internet)
3. assigned port 4443 for the admin portal (otherwise it clashes with the SSL VPN) and set authentication servers to all local and LDAP servers under System -> Settings -> Administration
4. added LDAP cleartext server + authenticated successfully with Tester
5. imported 1x user (me), generated QR code and added it to Google Authenticator
6. added LDAP + TOTP cleartext server + authentication failed with Tester
No other modifications done at all.
OPNsense 20.1-amd64
FreeBSD 11.2-RELEASE-p16-HBSD
OpenSSL 1.1.1d 10 Sep 2019
Last Edit: August 04, 2020, 10:10:35 pm by CraigS
mimugmail
Reply #22, August 04, 2020, 10:23:10 pm
No, you first add the LDAP+TOTP server and AFTER this you import the user and create the OTP token.
CraigS
Reply #23, August 04, 2020, 10:33:37 pm
I did not know the TOTP server must first be created before creating the QR codes.
I deleted the imported LDAP user, re-saved the LDAP+TOTP server (changed code position back to front), then imported the user, created the QR code, and tested.
Still auth failure.
We use Novell/Microfocus e-Directory for LDAP in case it makes a difference...
The OpenLDAP template gives the same result.
Last Edit: August 04, 2020, 10:52:17 pm by CraigS
CraigS
Reply #24, August 04, 2020, 11:06:15 pm
Another test:
1. deleted the LDAP+TOTP server and the imported LDAP user
2. created LDAP+TOTP server
3. imported user
4. generated new secret
5. added QR code to Google Authenticator
6. auth fails in Tester as before
CraigS
Reply #25, August 04, 2020, 11:21:28 pm
mimugmail,
what OPNsense version do you use with LDAP+TOTP?
Perhaps I can try to re-create your setup?
mimugmail
Reply #26, August 06, 2020, 11:12:19 am
As I said on GitHub, I have now successfully connected on 21.1a and 20.1.6; the reason was a time difference of two minutes while the grace period is one minute.
For the archives: when you use LDAP+TOTP and you don't see LDAP traffic, your OTP verification already failed.
CraigS
Reply #27, August 06, 2020, 02:40:52 pm
I have confirmed that the VPN server and my mobile with the authenticator are 2 seconds out according to https://time.is/, and our VMware administrator confirmed that the physical host time is also correct.
So I start again. Just to confirm the sequence:
1. Install OPNsense 20.1 and set IP addresses
2. Configure LDAP+TOTP server
3. Import LDAP user and create QR code
4. Use Tester to verify login
mimugmail
Reply #28, August 06, 2020, 03:37:41 pm
Yep, so better tick reverse order to put the OTP token behind the AD password.
CraigS
Reply #29, August 06, 2020, 04:46:13 pm
Installed clean 20.1 - same issue.
If TOTP was the problem, would local+TOTP not also be broken?