On 12/11/19 12:31 AM, Quanah Gibson-Mount wrote:
--On Tuesday, December 10, 2019 9:25 AM +0100 Côme Chilliet come.chilliet@fusiondirectory.org wrote:
On Wednesday, December 4, 2019, 13:28:36 CET, Quanah Gibson-Mount wrote:
Although perhaps this isn't exactly what was being asked for. I.e., the module provides the ability to enable TOTP use with OpenLDAP, whereas perhaps you're looking for a way to store data in LDAP as a backend for a TOTP system?
Yes this is more what I was looking for.
Michael Stroeder controls the schema, from what I understand. He might be able to provide a link to the current version.
Well, in general OATH-LDAP was meant to be used stand-alone with any OpenLDAP server. But up to now I did not have the time to brush things up into an easy-to-use stand-alone package.
So currently you will find things in Æ-DIR's repo because OATH-LDAP is an integral part of it.
Schema:
https://gitlab.com/ae-dir/ansible-ae-dir-server/blob/master/files/schema/oat...
The HOTP validator (external slapd-sock listener) and a simple web app for the enrollment:
https://gitlab.com/ae-dir/ansible-ae-dir-server/tree/master/files/oath-ldap
A pip-installable command-line tool:
https://gitlab.com/oath-ldap/oath-ldap-tool
https://pypi.org/project/oathldap-tool/
Docs mostly contain diagrams, not much text yet:
https://oath-ldap.stroeder.com/docs.html
Note that, unlike all other implementations, my implementation stores oathSecret values asymmetrically encrypted, and only the OTP validator has access to the private key(s) to decrypt the shared secrets (and all the services are confined/sand-boxed with AppArmor).
This strict separation cannot be done with everything implemented in an overlay.
However, I'd love to see an overlay implementation which passes all data needed for the crypto operations to an external process over a Unix domain socket. So LDAPI access of hotp_validator.py could be avoided while keeping a strict process separation to protect the master keys.
Ciao, Michael.
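As an added illustration of the split Michael describes above (example code written for this page, not OATH-LDAP's own hotp_validator.py or schema): the directory record holds only an RSA-OAEP ciphertext of the shared secret plus the HOTP counter, the enrollment side needs nothing but the validator's public key, and only the validator object holds the private key and ever sees the plaintext secret. The HOTP function follows RFC 4226 (HMAC-SHA1, dynamic truncation, look-ahead window, counter consumed on success). It needs the `cryptography` package; the names `seal_secret`, `Validator`, `generate_validator_keypair` and the record fields are made up for the example.

```python
"""HOTP validation with the shared secret kept asymmetrically encrypted.

Added example, not OATH-LDAP code. Requires the `cryptography` package.
"""
import hashlib
import hmac
import struct

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# OAEP with SHA-256 for both the hash and MGF1 (an assumption of this example).
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def generate_validator_keypair():
    """Key pair owned by the validator process. Only the public half is
    handed to the enrollment side."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return private_key, private_key.public_key()


def seal_secret(public_key, secret: bytes) -> bytes:
    """Enrollment side: encrypt the shared secret to the validator's public
    key. Whoever stores this in the directory cannot read it back."""
    return public_key.encrypt(secret, OAEP)


def make_token_record(sealed_secret: bytes) -> dict:
    """What the directory would hold (constructed field names, not the
    real OATH-LDAP schema): ciphertext and counter, never the plaintext."""
    return {"sealed_secret": sealed_secret, "counter": 0}


class Validator:
    """The only component holding the private key. In OATH-LDAP this role
    is played by the external slapd-sock listener; here it is a class."""

    def __init__(self, private_key, look_ahead: int = 3, digits: int = 6):
        self._key = private_key
        self.look_ahead = look_ahead
        self.digits = digits

    def verify(self, sealed_secret: bytes, counter: int, otp: str):
        """Check `otp` against counters counter..counter+look_ahead.

        Returns (accepted, new_counter). On success the matching counter is
        consumed (new_counter = match + 1), so the same OTP cannot be
        replayed; on failure the counter is unchanged. The caller persists
        new_counter; this object never stores the secret."""
        if len(otp) != self.digits or not otp.isdigit():
            return False, counter
        secret = self._key.decrypt(sealed_secret, OAEP)
        for c in range(counter, counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(secret, c, self.digits), otp):
                return True, c + 1
        return False, counter


def demo():
    """Enroll the RFC 4226 test secret, then validate a few OTPs."""
    private_key, public_key = generate_validator_keypair()
    record = make_token_record(seal_secret(public_key, b"12345678901234567890"))
    validator = Validator(private_key)
    results = []
    for otp in ("755224", "755224", "359152"):
        ok, record["counter"] = validator.verify(
            record["sealed_secret"], record["counter"], otp)
        results.append((otp, ok, record["counter"]))
    return results


if __name__ == "__main__":
    for otp, ok, counter in demo():
        print(f"{otp}: {'accepted' if ok else 'rejected'}, counter now {counter}")
```

The directory side of this split can store, search and replicate the record but cannot compute an OTP from it; compromise of the LDAP data alone yields only ciphertext. The validator, in turn, only ever receives a sealed secret, a counter and a candidate OTP, which is exactly the payload an overlay could hand to it over a Unix domain socket instead of the validator reading entries itself over LDAPI.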