Presentation at LDAPcon 2015 by Axel Hoffmann:
2-factor Authentication with OpenLDAP, OATH-HOTP and Yubikey
- German readers can read the article "Sicherheitsgewächs" in the German computer magazine iX 2/2017.
- slapd is OpenLDAP's LDAP server implementation.
- slapd backend, also usable as an overlay, which sends some LDAP requests to an external daemon via a Unix domain socket (see also slapd-sock(5))
- OTP validator
- bind proxy
- web browser
- enrollment web app
- enrollment client
- A hardened device into which the OATH hardware token (e.g. Yubikey) is plugged for initialization. In particular, users shall not enter their normal password on this device.
- LDAP client
- A person is not a user account!
- When an OTP token is physically handed to a person, the owner attribute (or similar) of the oathToken entry shall be set to associate the device with its owner.
- Each account may be associated with an oathToken to force two-factor authentication for this particular user account.
- The shared secret (seed) and the user's password shall not be present in clear at the same time on any system (except in the small external OTP validator daemon).
- The OTP admin shall not be able to initialize a token for a user.
- The user shall not be able to initialize a token without the help of an OTP admin.
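As an added example (not code from the presentation), a minimal OTP validator of the kind slapd-sock(5) can delegate BIND requests to: it parses one slapd-sock BIND request as read from the Unix domain socket, verifies an OATH-HOTP value (RFC 4226) against the token's stored counter with a small look-ahead window, advances the counter so a used OTP cannot be replayed, and answers RESULT (or CONTINUE for operations it does not handle). The token store, bind DN, seed (the RFC 4226 test key) and the assumption that the bind credential carries only the OTP are constructed for the demo; the exact slapd-sock wire format should be checked against slapd-sock(5).

```python
import hashlib
import hmac
import struct

# Constructed demo data (not from the presentation): RFC 4226 test seed and one
# account DN that owns the token. A real validator would read this from LDAP.
DEMO_SEED = b"12345678901234567890"
TOKEN_STORE = {"uid=alice,ou=people,dc=example,dc=com": {"seed": DEMO_SEED, "counter": 0}}
LOOKAHEAD = 5  # tolerate a few token presses that never reached the server

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

def verify_otp(dn: str, otp: str) -> bool:
    """Accept the OTP only if it matches a counter in [stored, stored+LOOKAHEAD];
    on success move the counter past the used value so replays are rejected."""
    rec = TOKEN_STORE.get(dn)
    if rec is None:
        return False
    for c in range(rec["counter"], rec["counter"] + LOOKAHEAD + 1):
        if hmac.compare_digest(hotp(rec["seed"], c), otp):
            rec["counter"] = c + 1
            return True
    return False

def parse_sock_request(raw: bytes) -> dict:
    """Parse one slapd-sock request: operation name on the first line, then
    'key: value' lines, terminated by an empty line."""
    lines = raw.decode().split("\n")
    req = {"op": lines[0]}
    for line in lines[1:]:
        if not line:
            break
        key, _, value = line.partition(": ")
        req[key] = value
    return req

def handle_bind(raw: bytes) -> bytes:
    """Treat the simple-bind (method 128) credential as the OTP (demo assumption)
    and answer with slapd-sock RESULT: code 0 = success, 49 = invalidCredentials."""
    req = parse_sock_request(raw)
    if req.get("op") != "BIND" or req.get("method") != "128":
        return b"CONTINUE\n"  # let slapd's own database handle everything else
    ok = verify_otp(req.get("dn", ""), req.get("cred", ""))
    return f"RESULT\ncode: {0 if ok else 49}\n\n".encode()
```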