Is there a way to obtain the username (CN or UID attribute?) being authenticated when a LUTIL_PASSWD_CHK_FUNC function is called?
I'd like to call a 2FA provider from within a password plugin but not sure how to get the user tied to the sc, passwd, or cred bervals.
Thanks
On 3/27/19 9:53 PM, dee heffem wrote:
Is there a way to obtain the username (CN or UID attribute?) being authenticated when a LUTIL_PASSWD_CHK_FUNC function is called?
I'd like to call a 2FA provider from within a password plugin but not sure how to get the user tied to the sc, passwd, or cred bervals.
You want to implement something like this?
https://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=tree;f=contrib/sl...
Symas recently also added a solution to their commercial offering:
https://symas.com/two-factor-authentication-everywhere/
And I'm doing this via back-sock, configured as an overlay:
https://oath-ldap.stroeder.com/
https://gitlab.com/ae-dir/ansible-ae-dir-server/blob/master/files/oath-ldap/...
OATH-LDAP's hotp_validator.py also accepts COMPARE operation to separately check the OTP instead of always sending a simple bind request with password+OTP.
Ciao, Michael.
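The two ways of presenting the OTP that Michael describes, a simple bind whose credential is password+OTP versus a separate COMPARE that checks only the OTP, as an added Python example (not code from OATH-LDAP's hotp_validator.py, from the pw-duo module or from OpenLDAP): an RFC 4226 HOTP check with a resynchronisation window, the credential split a bind-side check would have to perform, and the single-use counter handling that both paths share. The secret is the RFC 4226 Appendix D test key; the function names, LOOKAHEAD and the "OTP is the trailing six digits" convention are constructed for the example.

```python
import hashlib
import hmac
import struct

OTP_DIGITS = 6   # constructed convention: the OTP is the trailing six digits of the credential
LOOKAHEAD = 5    # constructed: accept up to 5 counter steps ahead (RFC 4226 section 7.4 resync)

# Constructed demo secret: the RFC 4226 Appendix D test key, ASCII "12345678901234567890".
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                    # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, stored_counter: int, otp: str, window: int = LOOKAHEAD):
    """Return the counter value to store next if `otp` matches one of the next `window`
    steps starting at `stored_counter`, else None.

    The returned value is one past the accepted step, so the same OTP cannot be replayed
    and any steps the token skipped are consumed as well.
    """
    if len(otp) != OTP_DIGITS or not otp.isdigit():
        return None
    for step in range(stored_counter, stored_counter + window):
        if hmac.compare_digest(hotp(secret, step), otp):       # constant-time comparison
            return step + 1
    return None


def split_bind_credential(cred: bytes):
    """Path 1 helper: a simple bind whose credential is password+OTP concatenated.
    Returns (password_part, otp) or None if no OTP suffix can be found."""
    if len(cred) <= OTP_DIGITS:
        return None
    password, suffix = cred[:-OTP_DIGITS], cred[-OTP_DIGITS:]
    if not suffix.isdigit():
        return None
    return password, suffix.decode("ascii")


def check_bind_credential(secret: bytes, stored_counter: int, cred: bytes):
    """Path 1: combined credential. Returns (password_part, new_counter) or None.

    The password part still has to pass the server's normal password check; persist
    new_counter only after that check also succeeds, otherwise a client that does not
    know the password could still consume the user's OTP counter values."""
    parts = split_bind_credential(cred)
    if parts is None:
        return None
    password, otp = parts
    new_counter = verify_hotp(secret, stored_counter, otp)
    if new_counter is None:
        return None
    return password, new_counter


def check_compare(secret: bytes, stored_counter: int, otp: str):
    """Path 2: the OTP arrives on its own (e.g. as the assertion value of a COMPARE on a
    dedicated attribute) and the password is verified elsewhere. Returns new_counter or None."""
    return verify_hotp(secret, stored_counter, otp)


if __name__ == "__main__":
    counter = 0
    # Token is one step ahead of the server: accepted within the window, counter moves to 2.
    result = check_bind_credential(DEMO_SECRET, counter, b"s3cret" + hotp(DEMO_SECRET, 1).encode())
    print("bind path:", result)
    counter = result[1]
    print("replay of same OTP:", check_compare(DEMO_SECRET, counter, hotp(DEMO_SECRET, 1)))
    print("next OTP:", check_compare(DEMO_SECRET, counter, hotp(DEMO_SECRET, 2)))
```

The COMPARE path is the simpler one to get right: the validator never sees the password, so there is nothing to split and the only state it touches is the per-user counter. On the bind path the order of operations matters, which is why `check_bind_credential` hands the password part back to the caller instead of advancing anything itself.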
On 3/29/19 4:26 AM, Michael Ströder wrote: <snip>
You want to implement something like this?
https://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=tree;f=contrib/sl...
Quite similar, but using Cisco Duo. Requires the "user" attribute to be passed to the API function call (e.g. duo_auth_preauth(duo, user)): https://github.com/duosecurity/libduo/blob/master/test-duologin.c
Quickly looking over the link you provided, line 442 (find_attr) seems to be what I need. Other than the OpenLDAP source code, is there developer documentation available on these C functions? I've only been able to turn up Admin docs.
Thanks
I've built a password module fashioned after the pw-radius example under contrib/slapd-modules/passwd/. It links against a 3rd party library.
The README mentions compiling the module statically, so I've added -static to the link flags and copied the resulting .lai, .la, and .o files from .libs/ to /usr/lib/ldap (where my previous radius password plugin lived) on my slapd server. The module has been added with an LDIF (olcModuleLoad: pw-duo, olcmodulepath: /usr/lib/ldap)
When I start slapd with -d128, this error comes up:
5ca3b8ee lt_dlopenext failed: (pw-duo) file not found
I'm a little stumped. Doesn't the olcModulePath tell slapd where to find the module?
Thanks
dee heffem wrote:
I've built a password module fashioned after the pw-radius example under contrib/slapd-modules/passwd/. It links against a 3rd party library.
The README mentions compiling the module statically, so I've added -static to the link flags and copied the resulting .lai, .la, and .o files from .libs/ to /usr/lib/ldap (where my previous radius password plugin lived) on my slapd server. The module has been added with an LDIF (olcModuleLoad: pw-duo, olcmodulepath: /usr/lib/ldap)
Only dynamic modules can be dynamically loaded. This should not be a surprising concept, since it's in the very word "dynamic".
When I start slapd with -d128, this error comes up:
5ca3b8ee lt_dlopenext failed: (pw-duo) file not found
I'm a little stumped. Doesn't the olcModulePath tell slapd where to find the module?
Thanks
If I use some of the code from OpenLDAP in this password module, and intend to make my code public (sticking it up on github), how would I best comply with the License?
http://www.OpenLDAP.org/license.html
For instance, I've not removed any copyright statements but rather took a few lines from servers/slapd/sasl.c for some SASL auth. Do I just include the first block comment from sasl.c in my source file? E.g.:
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software http://www.openldap.org/. ...
Also, item #3 tells to include the "verbatim" text at that link. Is including this file in my repo sufficient or does it need to be prepended in every source file like some GNU projects?
Thanks
--On Monday, April 08, 2019 1:39 PM -0500 dee heffem dheffem@gmail.com wrote:
If I use some of the code from OpenLDAP in this password module, and intend to make my code public (sticking it up on github), how would I best comply with the License?
It should be done in a similar way as the OpenLDAP project:
a) A LICENSE file in the root of the repository
b) A comment at the start of each file of code that states the following:
/*
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted only as authorized by the OpenLDAP
 * Public License.
 *
 * A copy of this license is available in the file LICENSE in the
 * top-level directory of the distribution or, alternatively, at
 * http://www.OpenLDAP.org/license.html.
 */
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
On 4/10/19 10:13 AM, Quanah Gibson-Mount wrote:
It should be done in a similar way as the OpenLDAP project:
a) A LICENSE file in the root of the repository
b) A comment at the start of each file of code that states the following:
Thanks. I've added it to the repo and source files. https://github.com/DFMCH/pw-duo
Most of what I needed to do I gleaned from the OpenLDAP sources. Not sure about some of it. Some things I wonder about:
* Is ber_memalloc() the preferred way to allocate memory?
* Call read_duo_keys() only once instead of on every auth?
* Some modules use ldap_pvt_thread_mutex_lock/unlock() and some don't. What determines usage?
* Increasing wait time for MFA (deferring operation: binding)?
If anyone can offer feedback it would be appreciated.
openldap-technical@openldap.org