https://bugs.openldap.org/show_bug.cgi?id=10169
Issue ID: 10169
Summary: Add support for token only authentication with otp overlay
Product: OpenLDAP
Version: 2.6.6
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: overlays
Assignee: bugs@openldap.org
Reporter: quanah@openldap.org
Target Milestone: ---
Currently the OTP overlay is password + token. It would be nice to be able to configure it so it can run in a token only mode, similar to the slapo-totp overlay in contrib. This would allow us to have a project supported solution and retire that contrib module.
Quanah Gibson-Mount quanah@openldap.org changed:
What             | Removed      | Added
-----------------|--------------|-------
Target Milestone | ---          | 2.7.0
Keywords         | needs_review |
--- Comment #1 from Ondřej Kuzník ondra@mistotebe.net --- Maybe the overlay could intercept a Compare against the oathH/TOTPToken but not sure we should react to a missing userPassword differently. Concerned some security would be compromised, people might be able to set an empty userpassword if they really want this? Might not be a good idea for SASL binds on the other hand so probably not.
--- Comment #2 from Bastian bastian-bugopenldap21@t6l.de --- Thanks for your comment. I'd like to add that our site would be very interested in this feature. Currently, we rely on the pw-totp module from contrib. And we would be very happy to convert to the supported overlay.
In our case it's a core element of the design, that there is no keyboard-interactive userPassword available during authentication. The 1FA is done by sshd pubkey authentication. The 2FA is a subsequent PAM module which does an ldap bind call against the entries beneath ou=totp.
Picking up your thought about an empty userPassword: Maybe it is possible to introduce a password schema like `{OTPONLY}` to selectively set entries in the otp only authentication mode.
--- Comment #3 from Bastian Tweddell bastian-bugopenldap21@t6l.de --- We are still using contrib/pw-totp. And today it bit us again with:
```
slapd[2970]: Entry (...,ou=jsc,dc=fz-juelich,dc=de), attribute 'authTimestamp' cannot have multiple values
slapd[2970]: entry failed schema check: attribute 'authTimestamp' cannot have multiple values
slapd[2970]: conn=6302 op=0 RESULT tag=97 err=49 qtime=0.000007 etime=0.000330 text=
```
This DB is a replica which will be re-synched from scratch to get rid of those extra attributes.
I'd like to ask again if it would be deemed possible at all to implement an OTP-only authentication for bind with the slapo-otp overlay? TIA
--- Comment #4 from Ondřej Kuzník ondra@mistotebe.net --- Hi Bastian, what do you think about my suggestion to allow a Compare against "oathSecret" to process the same OTP check logic? I'm definitely uncomfortable with Binds against it (where you can just keep the other overlay).
Ondřej Kuzník ondra@mistotebe.net changed:
What           | Removed           | Added
---------------|-------------------|--------------------
Status         | UNCONFIRMED       | IN_PROGRESS
Assignee       | bugs@openldap.org | ondra@mistotebe.net
Ever confirmed | 0                 | 1
--- Comment #5 from Ondřej Kuzník ondra@mistotebe.net ---
> what do you think about my suggestion to allow a Compare against "oathSecret" to process the same OTP check logic?
I've drafted the above suggestion here: https://git.openldap.org/openldap/openldap/-/merge_requests/755
Please have a look and let me know if that covers the use cases you are interested in.
--- Comment #6 from Bastian Tweddell bastian-bugopenldap21@t6l.de --- Hi Ondřej, thank you very much for your suggestion to use the compare operation and your draft implementation. I think that in the long run, this would indeed be a solution we can implement at our site. I need to respawn my test system to give it a go.