On Wednesday 4 December 2019, 13:28:36 CET Quanah Gibson-Mount wrote:
Although perhaps this isn't exactly what was being asked for. I.e., the module provides the ability to enable TOTP use with OpenLDAP, whereas perhaps you're looking for a way to store data in LDAP as a backend for a TOTP system?
Yes, this is more what I was looking for. How does the module handle the storage? Is there no specific schema for this?
On Tue, Dec 10, 2019 at 09:25:17AM +0100, Côme Chilliet wrote:
On Wednesday 4 December 2019, 13:28:36 CET Quanah Gibson-Mount wrote:
Although perhaps this isn't exactly what was being asked for. I.e., the module provides the ability to enable TOTP use with OpenLDAP, whereas perhaps you're looking for a way to store data in LDAP as a backend for a TOTP system?
Yes, this is more what I was looking for. How does the module handle the storage? Is there no specific schema for this?
If you're looking to use OpenLDAP as a full-fledged, fully configurable OTP backend (e.g. the ability to dynamically switch between TOTP and HOTP, configure the code length and time interval, etc), you're probably wanting something like this:
https://symas.com/two-factor-authentication-everywhere/
Though note that that would appear to require a subscription to OpenLDAP Gold. Or use a different tool like privacyIDEA or something similar, though that pulls the functionality out of the directory.
If all you want is to use TOTP to authenticate your users at the directory level (either standalone or combined with a static password as multi-factor), then the module Dave initially mentioned is suitable. I have been using it as such in production for several months. Actually, my implementation is somewhat of a hybrid approach: I use privacyIDEA to handle the enrollment and key management process so users have a nice web/GUI interface, but I store the keys in OpenLDAP and handle the actual authentication there so no external API calls are needed.
--On Tuesday, December 10, 2019 9:25 AM +0100 Côme Chilliet come.chilliet@fusiondirectory.org wrote:
On Wednesday 4 December 2019, 13:28:36 CET Quanah Gibson-Mount wrote:
Although perhaps this isn't exactly what was being asked for. I.e., the module provides the ability to enable TOTP use with OpenLDAP, whereas perhaps you're looking for a way to store data in LDAP as a backend for a TOTP system?
Yes this is more what I was looking for.
Michael Stroeder controls the schema, from what I understand. He might be able to provide a link to the current version.
--Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
On 12/11/19 12:31 AM, Quanah Gibson-Mount wrote:
--On Tuesday, December 10, 2019 9:25 AM +0100 Côme Chilliet come.chilliet@fusiondirectory.org wrote:
On Wednesday 4 December 2019, 13:28:36 CET Quanah Gibson-Mount wrote:
Although perhaps this isn't exactly what was being asked for. I.e., the module provides the ability to enable TOTP use with OpenLDAP, whereas perhaps you're looking for a way to store data in LDAP as a backend for a TOTP system?
Yes this is more what I was looking for.
Michael Stroeder controls the schema, from what I understand. He might be able to provide a link to the current version.
Well, in general OATH-LDAP was meant to be used stand-alone with any OpenLDAP server. But up to now I did not have the time to brush things up into an easy-to-use stand-alone package.
So currently you will find things in Æ-DIR's repo because OATH-LDAP is an integral part of it.
Schema:
https://gitlab.com/ae-dir/ansible-ae-dir-server/blob/master/files/schema/oat...
The HOTP validator (external slapd-sock listener) and a simple web app for the enrollment:
https://gitlab.com/ae-dir/ansible-ae-dir-server/tree/master/files/oath-ldap
A pip-installable command-line tool:
https://gitlab.com/oath-ldap/oath-ldap-tool
https://pypi.org/project/oathldap-tool/
Docs mostly contain diagrams, not much text yet:
https://oath-ldap.stroeder.com/docs.html
Note that unlike all other implementations my implementation stores oathSecret values asymmetrically encrypted and only the OTP validator has access to the private key(s) to decrypt the shared secrets (and all the services are confined/sand-boxed with AppArmor).
This strict separation cannot be done with everything implemented in an overlay.
However, I'd love to see an overlay implementation which passes all data needed for the crypto operations to an external process over a Unix domain socket. So LDAPI access of hotp_validator.py could be avoided while keeping a strict process separation to protect the master keys.
Ciao, Michael.
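The following is an added example, written for this page in Go; it is not code from the thread, from OATH-LDAP or from Æ-DIR. It sketches the two design points raised above: the combined <static password><OTP> simple bind mentioned in the earlier reply, and Michael's arrangement in which the directory holds the shared secret only in asymmetrically encrypted form and a single validator process holds the private key. Everything concrete here is an assumption: the entry fields, the OAEP label, the look-ahead window and failure limit, RSA-OAEP as the wrapping scheme, and SHA-256 for the static password are all invented for illustration. The real OATH-LDAP schema, its key management and the slapd-sock wire protocol are not reproduced. The HOTP function is RFC 4226 and can be checked against the test vectors in that RFC's Appendix D.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	otpDigits   = 6  // HOTP code length (assumed)
	lookAhead   = 10 // counters ahead of the expected one we will resync to (assumed)
	maxFailures = 5  // lock the token after this many consecutive failures (assumed)
)

var (
	errLocked  = errors.New("token locked after too many failures")
	errBadCred = errors.New("invalid credentials")
	oaepLabel  = []byte("oath-seed") // constructed label, bound into the OAEP ciphertext
)

// oathEntry stands in for the user's directory entry. The HOTP seed exists
// here only as RSA-OAEP ciphertext, so whoever can read the entry (a replica,
// a backup, an over-privileged bind) still cannot compute codes. The field
// names are invented and are not OATH-LDAP schema attributes.
type oathEntry struct {
	encSeed    []byte   // ciphertext of the HOTP seed
	staticHash [32]byte // SHA-256 of the static password (illustrative only; use a real password hash)
	counter    uint64   // next counter value expected
	failures   int      // consecutive failed attempts
}

// enroll is the enrollment side: it holds only the validator's public key, so
// it can write a usable entry without ever being able to verify a code itself.
func enroll(pub *rsa.PublicKey, seed []byte, static string) (*oathEntry, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, seed, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &oathEntry{encSeed: ct, staticHash: sha256.Sum256([]byte(static))}, nil
}

// validator is the one process that holds the private key; the directory and
// the enrollment app only ever see ciphertext.
type validator struct{ priv *rsa.PrivateKey }

func newValidator() (*validator, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &validator{priv: priv}, nil
}

// hotp is RFC 4226: HMAC-SHA-1 over the big-endian counter, then dynamic truncation.
func hotp(seed []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, seed)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// validateBind checks a simple-bind password laid out as <static><OTP>. It
// fails closed when the token is locked, never accepts a counter at or below
// the last one used (replay), and burns every counter up to the match.
func (v *validator) validateBind(e *oathEntry, cred string) error {
	if e.failures >= maxFailures {
		return errLocked
	}
	if len(cred) <= otpDigits {
		e.failures++
		return errBadCred
	}
	static, otp := cred[:len(cred)-otpDigits], cred[len(cred)-otpDigits:]
	sh := sha256.Sum256([]byte(static))
	staticOK := subtle.ConstantTimeCompare(sh[:], e.staticHash[:]) == 1
	seed, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, v.priv, e.encSeed, oaepLabel)
	if err != nil {
		return err // wrong key or tampered ciphertext: refuse rather than guess
	}
	matched := -1
	for i := 0; i < lookAhead; i++ { // same amount of work whichever counter matches
		want := hotp(seed, e.counter+uint64(i), otpDigits)
		if subtle.ConstantTimeCompare([]byte(want), []byte(otp)) == 1 && matched < 0 {
			matched = i
		}
	}
	if !staticOK || matched < 0 {
		e.failures++
		return errBadCred
	}
	e.counter += uint64(matched) + 1
	e.failures = 0
	return nil
}

func main() {
	v, err := newValidator()
	if err != nil {
		panic(err)
	}
	seed := []byte("12345678901234567890") // RFC 4226 Appendix D test seed
	entry, _ := enroll(&v.priv.PublicKey, seed, "hunter2")
	fmt.Println("first bind:", v.validateBind(entry, "hunter2"+hotp(seed, 0, otpDigits)))
	fmt.Println("replayed:  ", v.validateBind(entry, "hunter2"+hotp(seed, 0, otpDigits)))
}
```

The point of the split is that the enrollment path and the directory never need the private key: compromise of a replica or of the enrollment web app yields ciphertext only, which is what a slapd overlay doing the verification in-process could not guarantee. A real deployment would also need to persist the counter and failure count back to the entry atomically, which this in-memory sketch leaves out.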
openldap-technical@openldap.org