I have been working on an OpenLDAP Self Registration/Password Reset Portal in Go that I will be releasing under a BSD license. It's still very much embryonic, but if you are interested in taking an early look, please let me know. I'd love to get feedback on it.
Kind regards, Killian
I would like a modern replacement for PWM....
On Jan 29, 2025, at 9:28 AM, killian.greig@gmail.com wrote:
I have been working on an OpenLDAP Self Registration/Password Reset Portal in Go that I will be releasing under a BSD license. It's still very much embryonic, but if you are interested in taking an early look, please let me know. I'd love to get feedback on it.
Kind regards, Killian
I have been working for a long time on LTB Self Service Password: https://github.com/ltb-project/self-service-password/
It is written in PHP and works with OpenLDAP and other LDAP directories.
We don't have the self registration feature yet, but it is available in LemonLDAP::NG, another product on which I work: https://lemonldap-ng.org/documentation/latest/register.html
We also have a user creation workflow in the roadmap of LTB Service Desk: https://github.com/ltb-project/service-desk/issues/59
Any help is welcome!
Clément.
On Fri, 31 Jan 2025 at 00:10, ogg@sr375.com wrote:
I would like a modern replacement for PWM....
On Jan 29, 2025, at 9:28 AM, killian.greig@gmail.com wrote:
I have been working on an OpenLDAP Self Registration/Password Reset Portal in Go that I will be releasing under a BSD license. It's still very much embryonic, but if you are interested in taking an early look, please let me know. I'd love to get feedback on it.
Kind regards, Killian
I would like to avoid PHP as much as possible. Just a personal choice.
On Jan 31, 2025, at 8:16 AM, Clément OUDOT clem.oudot@gmail.com wrote:
I have been working for a long time on LTB Self Service Password: https://github.com/ltb-project/self-service-password/
It is written in PHP and works with OpenLDAP and other LDAP directories.
We don't have the self registration feature yet, but it is available in LemonLDAP::NG, another product on which I work: https://lemonldap-ng.org/documentation/latest/register.html
We also have a user creation workflow in the roadmap of LTB Service Desk: https://github.com/ltb-project/service-desk/issues/59
Any help is welcome!
Clément.
On Fri, 31 Jan 2025 at 00:10, ogg@sr375.com wrote:
I would like a modern replacement for PWM....
On Jan 29, 2025, at 9:28 AM, killian.greig@gmail.com wrote:
I have been working on an OpenLDAP Self Registration/Password Reset Portal in Go that I will be releasing under a BSD license. It's still very much embryonic, but if you are interested in taking an early look, please let me know. I'd love to get feedback on it.
Kind regards, Killian
Is it a CGI script, or is it more like a standalone web server, or is it completely different? Maybe present some README here 😉
Kind regards, Ulrich Windl
-----Original Message----- From: killian.greig@gmail.com Sent: Wednesday, January 29, 2025 6:29 PM To: openldap-technical@openldap.org Subject: [EXT] OpenLDAP Self Registration/Password Reset Portal
I have been working on an OpenLDAP Self Registration/Password Reset Portal in Go that I will be releasing under a BSD license. It's still very much embryonic, but if you are interested in taking an early look, please let me know. I'd love to get feedback on it.
Kind regards, Killian
It is a web server written in Go.
On Mon, 2025-02-03 at 13:29 +0000, Windl, Ulrich wrote:
Is it a CGI script, or is it more like a standalone web server, or is it completely different? Maybe present some README here 😉
Kind regards, Ulrich Windl
-----Original Message----- From: killian.greig@gmail.com Sent: Wednesday, January 29, 2025 6:29 PM To: openldap-technical@openldap.org Subject: [EXT] OpenLDAP Self Registration/Password Reset Portal
I have been working on an OpenLDAP Self Registration/Password Reset Portal in Go that I will be releasing under a BSD license. It's still very much embryonic, but if you are interested in taking an early look, please let me know. I'd love to get feedback on it.
Kind regards, Killian
Hello,
So far, I have used libpam-google-authenticator as the second factor for two-factor authentication; the first factor is OpenLDAP.
Now I read that OpenLDAP supports google-authenticator-like authentication directly, but I do not want to create new 2FA secrets.
So:
Is it possible to convert the secret from ${HOME}/.google_authenticator to OpenLDAP format?
Regards Christoph
On Tue, Feb 04, 2025 at 04:38:23PM +0100, Christoph Pleger wrote:
Hello,
So far, I have used libpam-google-authenticator as the second factor for two-factor authentication; the first factor is OpenLDAP.
Now I read that OpenLDAP supports google-authenticator-like authentication directly, but I do not want to create new 2FA secrets.
So:
Is it possible to convert the secret from ${HOME}/.google_authenticator to OpenLDAP format?
Hi Christoph, yes, it should be possible to use the otp overlay for this: https://openldap.org/software/man.cgi?query=slapo-otp
You can look at test080/081 in the OpenLDAP test suite for how to set it up, or there's also a Symas KB article [0] you can follow.
[0] https://kb.symas.com/configure-time-based-one-time-passwords-totp.html
Regards,
On 05Feb25 12:11+0100, Christoph Pleger wrote:
So:
Is it possible to convert the secret from ${HOME}/.google_authenticator to OpenLDAP format?
To my knowledge, the secret is a binary blob encoded in base64 or sometimes base32. So, yes, it would be possible. Keep in mind to also set google-authenticator's default parameters in the slapo-otp configs (SHA1, 30s time window, etc.).
Which db overlay are you going to use? There are two in the OpenLDAP distribution: one in the maintained branch (slapo-otp) and the other one in the contrib/ branch (pw-totp.so).
I'm currently using the second module from the contrib branch because we've set up a dedicated TOTP verification slapd that only verifies TOTP after the user has already authenticated with the first factor.
Unfortunately, the slapo-otp module doesn't quite fit our needs, as it requires a password as the first factor and then sends both the password and TOTP token together in one LDAP bind call. This doesn't work for us since our first factor is SSH public key authentication.
I did want to mention that there's a pending feature request that would allow the maintained module (slapo-otp) to verify TOTP only, which would be a huge help [1]. I thought I'd bring it up here in case any OpenLDAP developers might be willing to take another look :)
1: https://bugs.openldap.org/show_bug.cgi?id=10169
Happy to hear any updates on how you succeeded.
Cheers,
Hello,
To my knowledge, the secret is a binary blob encoded in base64 or sometimes base32. So, yes, it would be possible. Keep in mind to also set google-authenticator's default parameters in the slapo-otp configs (SHA1, 30s time window, etc.).
Which db overlay are you going to use? There are two in the OpenLDAP distribution: one in the maintained branch (slapo-otp) and the other one in the contrib/ branch (pw-totp.so).
I am using slapo-otp. In the meantime, I managed to make it work with newly generated OTP secrets, but converting secrets from ${HOME}/.google_authenticator failed. I am wondering why, because I used the base32 binary from the google-authenticator project to decode the value from .google_authenticator and then base64 to encode it again, like this:
./base32 -D <base32-coded> | base64
No errors were shown while doing this, but after changing OpenLDAP TOTP secret to the result of above command, login was not possible.
Regards Christoph
On 06Feb25 12:41+0100, Christoph Pleger wrote:
To my knowledge, the secret is a binary blob encoded in base64 or sometimes base32. So, yes, it would be possible. Keep in mind to also set google-authenticator's default parameters in the slapo-otp configs (SHA1, 30s time window, etc.).
Which db overlay are you going to use? There are two in the OpenLDAP distribution: one in the maintained branch (slapo-otp) and the other one in the contrib/ branch (pw-totp.so).
I am using slapo-otp. In the meantime, I managed to make it work with newly generated OTP secrets, but converting secrets from ${HOME}/.google_authenticator failed. I am wondering why, because I used the base32 binary from the google-authenticator project to decode the value from .google_authenticator and then base64 to encode it again, like this:
./base32 -D <base32-coded> | base64
Depending on your script, trailing newlines might have snuck in.
No errors were shown while doing this, but after changing OpenLDAP TOTP secret to the result of above command, login was not possible.
My knowledge about slapo-otp is a bit outdated. I remember multiple steps which need to be done and multiple entries which need to be created.
The LDAP entries you want to bind to with userPassword + 2FA TOTP need to implement the objectclass oathTOTPUser with the attribute oathTOTPToken. The value of the attribute oathTOTPToken points to a DN which implements the objectclass oathTOTPToken with the attributes oathSecret, oathSecretTime, etc. oathTOTPParams also needs to be implemented there. ... Here, oathSecret would be set to the content of your secret, but as I see in the man page: `The shared secret is stored here as raw bytes.` Meaning, not base64. If you add that with LDIF, `oathSecret:: $BASE64_BLOB` should work.
Unfortunately, I do not recall if this is all, my testbed is not available any more. I extracted the info to get a running testbed from `slapo-otp(5)` and the sources in file `2.6.3/servers/slapd/overlays/otp.c`. The latter gave me a decent understanding about the OATH-LDAP schema.
When all is set up, the bind call could then look like: `ldapwhoami -x -H ... -D uid=user,... -w "${PASSWORD}${TOTPTOKEN}"`
${PASSWORD} would be the user password which authenticates against the `userPassword` attribute as usual, immediately followed (no delimiter) by a TOTP verification token of six characters (see oathOTPLength), e.g. "mysecretpassword123456".
I hope this helps a bit,
Best,
On Thu, Feb 06, 2025 at 12:41:48PM +0100, Christoph Pleger wrote:
I am using slapo-otp. In the meantime, I managed to make it work with newly generated OTP secrets, but converting secrets from ${HOME}/.google_authenticator failed. I am wondering why, because I used the base32 binary from the google-authenticator project to decode the value from .google_authenticator and then base64 to encode it again, like this:
./base32 -D <base32-coded> | base64
No errors were shown while doing this, but after changing OpenLDAP TOTP secret to the result of above command, login was not possible.
Hi Christoph, I assume that's because you wrote the base64 value to the entry; what you want to store in the database is the raw secret (output of base32 -d). But if you want to use ldapmodify, you need to use LDIF, and that's where you use base64 and "::" to indicate that the data you provided is base64 encoded; that's what's described in the guide.
Regards,
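The conversion that Bastian and Ondřej describe above, as an added example that is not part of the thread and not code from OpenLDAP or the google-authenticator project: decode the base32 line of `.google_authenticator` to raw bytes (stripping the trailing newline that a shell pipeline would otherwise carry along), emit it as an `oathSecret::` LDIF line (double colon, so slapd stores the raw bytes rather than the base64 text), and compute the HMAC-SHA1/30s/6-digit TOTP so the password+token bind credential can be checked against what google-authenticator would show. The base32 secret is the RFC 6238 test key (ASCII "12345678901234567890"), not a real secret; the DNs are hypothetical placeholders; the entry layout (oathTOTPUser -> oathTOTPToken -> oathTOTPParams) follows Bastian's description, not a schema this example verifies.

```python
"""Added example: google-authenticator secret -> slapo-otp LDIF, plus a TOTP
check. Only Python's standard library is used."""
import base64
import hashlib
import hmac
import struct
import time

# Constructed: first line of a ~/.google_authenticator file (RFC 6238 test
# key "12345678901234567890" in base32), including the trailing newline that
# a naive `cat file | base32 -d` pipeline would feed into the secret.
EXAMPLE_GA_FILE_LINE = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ\n"


def raw_secret_from_google_authenticator(line: str) -> bytes:
    """Decode the base32 secret to raw bytes.

    google-authenticator writes the secret unpadded and newline-terminated:
    strip the newline (the pitfall Bastian mentions) and restore '=' padding
    so the strict base32 decoder accepts it."""
    s = line.strip().upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def ldif_oath_secret_line(raw: bytes) -> str:
    """LDIF line for oathSecret.

    slapo-otp stores the shared secret as raw bytes, so the LDIF value is
    base64 after a *double* colon ('::'). With a single colon the base64 text
    itself would become the secret and every TOTP code would mismatch."""
    return "oathSecret:: " + base64.b64encode(raw).decode("ascii")


def secret_stored_with_single_colon(raw: bytes) -> bytes:
    """What slapd would store if the base64 text followed a single colon:
    the ASCII of the base64, not the decoded secret (the bug in the thread)."""
    return base64.b64encode(raw)


def token_entry_ldif(token_dn: str, params_dn: str, raw: bytes) -> str:
    """Hypothetical oathTOTPToken entry; both DNs are placeholders."""
    return "\n".join([
        f"dn: {token_dn}",
        "objectClass: oathTOTPToken",
        ldif_oath_secret_line(raw),
        f"oathTOTPParams: {params_dn}",
        "",
    ])


def totp(raw: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with google-authenticator's defaults (HMAC-SHA1, 30 s
    step, 6 digits), the parameters the thread says slapo-otp must match."""
    counter = unix_time // step
    mac = hmac.new(raw, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def bind_password(user_password: str, raw: bytes, unix_time: int) -> str:
    """Simple-bind credential for slapo-otp: the userPassword value
    immediately followed by the current TOTP code, with no delimiter."""
    return user_password + totp(raw, unix_time)


if __name__ == "__main__":
    raw = raw_secret_from_google_authenticator(EXAMPLE_GA_FILE_LINE)
    print(token_entry_ldif("cn=alice-totp,ou=tokens,dc=example,dc=com",
                           "cn=ga-defaults,ou=totp-params,dc=example,dc=com",
                           raw))
    now = int(time.time())
    print("bind with -w", repr(bind_password("mysecretpassword", raw, now)))
```

Feed the printed entry to `ldapadd`/`ldapmodify`, then bind with `-w` set to the password followed by the code from the same secret; if the code from the script and the code from the authenticator app differ, the stored bytes are not the decoded secret (most likely a single-colon `oathSecret:` or a newline that survived into the value).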
Hello,
I assume that's because you wrote the base64 value to the entry; what you want to store in the database is the raw secret (output of base32 -d). But if you want to use ldapmodify, you need to use LDIF, and that's where you use base64 and "::" to indicate that the data you provided is base64 encoded; that's what's described in the guide.
Thank you, it's working now. Probably, the missing second ':' was the problem - I had it in my ldif in the beginning, but at some point removed it because I thought it was a typo ...
Regards Christoph
Hi!
You should really find out the difference between base64 in LDIF following a single colon and following a double colon 😉 Trying is probably a bad idea.
Kind regards, Ulrich Windl
-----Original Message----- From: Christoph Pleger Christoph.Pleger@cs.tu-dortmund.de Sent: Tuesday, February 11, 2025 11:31 AM To: Ondřej Kuzník ondra@mistotebe.net Cc: Bastian Tweddell b.tweddell@fz-juelich.de; openldap-technical@openldap.org Subject: [EXT] Re: TOTP and OpenLDAP
Hello,
I assume that's because you wrote the base64 value to the entry; what you want to store in the database is the raw secret (output of base32 -d). But if you want to use ldapmodify, you need to use LDIF, and that's where you use base64 and "::" to indicate that the data you provided is base64 encoded; that's what's described in the guide.
Thank you, it's working now. Probably, the missing second ':' was the problem - I had it in my ldif in the beginning, but at some point removed it because I thought it was a typo ...
Regards Christoph