Hi,
Does OpenLDAP support the use of one-time passwords or 2FA for the Manager account?
Thanks,
Doug
Douglas Duckworth wrote:
Does OpenLDAP support the use of one-time passwords or 2FA for the Manager account?
There are several solutions:
1. contrib/slapd-modules/passwd/totp/ A proof-of-concept overlay which AFAICS replaces checking a normal password by checking a generated TOTP value. So not really 2FA.
2. OATH HOTP LDAP Plugin by cargosoft.ru Sorry, I only found a Russian site: http://cargosoft.ru/ru/rm/113/115 I never checked this myself anyway and therefore can't comment.
3. OATH-LDAP Most flexible solution but hard to set up, especially since not fully documented yet. It's currently directly integrated into Æ-DIR but could be used stand-alone. Being the author I'm biased of course.
Ciao, Michael.
On Tue, May 15, 2018 at 07:06:41PM +0200, Michael Ströder wrote:
Douglas Duckworth wrote:
Does OpenLDAP support the use of one-time passwords or 2FA for the Manager account?
There are several solutions:
- contrib/slapd-modules/passwd/totp/
A proof-of-concept overlay which AFAICS replaces checking a normal password by checking a generated TOTP value. So not really 2FA.
We have been looking into how to best make it an actual 2FA solution, though.
- OATH HOTP LDAP Plugin by cargosoft.ru
Sorry, I only found a Russian site: http://cargosoft.ru/ru/rm/113/115 I never checked this myself anyway and therefore can't comment.
- OATH-LDAP
Most flexible solution but hard to set up, especially since not fully documented yet. It's currently directly integrated into Æ-DIR but could be used stand-alone. Being the author I'm biased of course.
Ondřej Kuzník wrote:
On Tue, May 15, 2018 at 07:06:41PM +0200, Michael Ströder wrote:
Douglas Duckworth wrote:
Does OpenLDAP support the use of one-time passwords or 2FA for the Manager account?
There are several solutions:
- contrib/slapd-modules/passwd/totp/
A proof-of-concept overlay which AFAICS replaces checking a normal password by checking a generated TOTP value. So not really 2FA.
We have been looking into how to best make it an actual 2FA solution, though.
Did you consider using OATH-LDAP's schema? That's the most flexible way of doing it, which is appreciated.
Furthermore, I'm very paranoid regarding the security of shared secrets. In current OATH-LDAP they are asymmetrically encrypted, with only an *external* component having access to the private key(s).
It would be nice to join forces developing something which is more integrated with OpenLDAP, though.
Ciao, Michael.
Hi Michael,
Thanks for this summary, to which I can only add the English page of the Russian activity:
http://cargosoft.ru/en/rm/118/119
Cheers,
Peter
I too have been wondering about TOTP with OpenLDAP but always found it hard to find documentation on it. Any chance to have this documented? Don't see it on the site.
Regards, Dave
On Wed, May 16, 2018 at 7:23 AM Peter peter.gietz@daasi.de wrote:
Hi Michael,
Thanks for this summary, to which I can only add the English page of the Russian activity:
http://cargosoft.ru/en/rm/118/119
Cheers,
Peter
--
Peter Gietz (CEO)
DAASI International GmbH
Europaplatz 3, D-72072 Tübingen, Germany
phone: +49 7071 407109-0, fax: +49 7071 407109-9
mail: peter.gietz@daasi.de, web: www.daasi.de
DAASI International GmbH, Tübingen; Managing Director Peter Gietz; Stuttgart District Court HRB 382175
Directory Applications for Advanced Security and Information Management
Dave Macias wrote:
I too have been wondering about TOTP with OpenLDAP but always found it hard to find documentation on it. Any chance to have this documented? Don't see it on the site.
Which of the three solutions / sites do you mean?
Ciao, Michael.
Thank you for the reply, Michael.
This one: 3. OATH-LDAP
But in general I just want to test a way to add OTP to OpenLDAP, whichever works.
-dave
Sorry, looks like I got a bit confused.
So, 2FA, not just plain OTP. Password + OTP is what I'm looking for.
On Wed, 16 May 2018 08:24:06 -0400, Dave Macias davama@gmail.com wrote:
I too have been wondering about TOTP with OpenLDAP but always found it hard to find documentation on it. Any chance to have this documented? Don't see it on the site.
[...]
I have written an article on TOTP: https://blog.sys4.de/totp-time-based-one-time-password-authentication-en.htm...
-Dieter
On 15.05.2018 at 19:06, Michael Ströder wrote:
Douglas Duckworth wrote:
Does OpenLDAP support the use of one-time passwords or 2FA for the Manager account?
There are several solutions:
- contrib/slapd-modules/passwd/totp/
A proof-of-concept overlay which AFAICS replaces checking a normal password by checking a generated TOTP value. So not really 2FA.
But certainly OTP, which is part of the original question. Unfortunately Google Authenticator only uses 6 digits. With a longer input, OTP is sufficiently strong for most authentication purposes all by itself, no need for a 2nd factor. (See S/Key, OPIE)
Howard Chu wrote:
But certainly OTP, which is part of the original question. Unfortunately Google Authenticator only uses 6 digits. With a longer input, OTP is sufficiently strong for most authentication purposes all by itself, no need for a 2nd factor. (See S/Key, OPIE)
I strongly disagree: if the shared secret (or token) gets lost or stolen, there's no more authentication. I'd never use OTP alone.
Ciao, Michael.
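As an added illustration of the points argued in the thread (this is example code, not from OpenLDAP, the contrib totp overlay, or OATH-LDAP): an RFC 4226/6238 HOTP/TOTP implementation with a configurable digit count (Howard's remark about 6-digit codes), an OTP-only check of the kind the thread says the contrib overlay performs, and a password-plus-TOTP check of the kind Dave asked for, in which holding the shared seed alone is not enough to authenticate (Michael's objection). The "static password followed by the code" input format and the PBKDF2 user record are assumptions made for this example.

```python
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    # A longer code (Howard's point) enlarges the guess space from 10**6 upwards.
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


def verify_otp_only(secret: bytes, presented: str, at: int,
                    digits: int = 6, step: int = 30, window: int = 1) -> bool:
    """Single factor: accept the TOTP for the current step or one adjacent step.
    Anyone who obtains `secret` passes this check (Michael's objection)."""
    counter = at // step
    return any(hmac.compare_digest(hotp(secret, counter + d, digits), presented)
               for d in range(-window, window + 1))


def enroll(password: str, secret: bytes) -> dict:
    """Constructed user record (assumption): salted PBKDF2 hash plus TOTP seed."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return {"salt": salt, "pw_hash": pw_hash, "secret": secret}


def verify_password_plus_otp(rec: dict, presented: str, at: int,
                             digits: int = 6) -> bool:
    """Two factors in one bind password (assumed format): the last `digits`
    characters are the TOTP, everything before them is the static password."""
    if len(presented) <= digits:
        return False
    password, otp = presented[:-digits], presented[-digits:]
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 200_000)
    pw_ok = hmac.compare_digest(pw_hash, rec["pw_hash"])
    # Evaluate both factors unconditionally so timing does not reveal which failed.
    otp_ok = verify_otp_only(rec["secret"], otp, at, digits)
    return pw_ok and otp_ok
```

The HOTP/TOTP values can be checked against the test vectors in RFC 4226 Appendix D and RFC 6238 Appendix B (seed "12345678901234567890", SHA-1).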
openldap-technical@openldap.org