Presentation at LDAPcon 2015 by Axel Hoffmann:
2-factor Authentication with OpenLDAP, OATH-HOTP and Yubikey
- German readers can read the article "Sicherheitsgewächs" in the German computer magazine iX 2/2017.
- This is OpenLDAP's LDAP server implementation
- slapd backend also usable as an overlay which sends some LDAP requests to an external daemon via a Unix domain socket (see also slapd-sock(5))
- OTP validator
- bind proxy
- web browser
- enrollment web app
- enrollment client
- A hardened device where you plug in the OATH hardware token (e.g. Yubikey) to be initialized. Especially users shall not enter their normal password at this device.
- LDAP client
- A person is not a user account!
- When an OTP token is physically handed out to a person the owner attribute (or similar) in the oathToken entry shall be set to associate the device with its owner.
- Each account may be associated with an oathToken to force two-factor authentication for this particular user account.
- The shared secret (seed) and the user's password shall not be present in clear at the same time on any system (except in the small external OTP validator daemon).
- The OTP admin shall not be able to initialize a token for a user.
- The user shall not be able to initialize a token without the help of an OTP admin.
- The user requests an OATH token (reset) by personally asking an OTP admin. Typically both meet in person.
- The OTP admin adds a new OATH token or resets an existing OATH token using the OATH enrollment application.
- The OATH enrollment application generates a random enrollment password for the OATH token. It sends the first part via e-mail to the user and displays the second part to the OTP admin.
- The OTP admin hands out the second part of the random enrollment password and special enrollment hardware (laptop, or similar) to the user.
- The user starts the enrollment hardware. The enrollment software is started automatically where the
- The user plugs the OATH token into the enrollment hardware and enters the first and second part of the enrollment password. When resetting a formerly initialized OATH token the user also enters the token configuration code.
- The enrollment software retrieves the effective OATH token parameters (policy) including the master public key from the LDAP server.
- The enrollment software generates a new random OATH shared secret and stores it into the OATH token.
- The enrollment software encrypts the OATH shared secret with the master public key.
- The enrollment software writes the encrypted OATH shared secret into the OATH token entry via LDAP.
- The user unplugs the OATH token from the enrollment hardware.
- The user returns the enrollment hardware to the OTP admin.
- The user starts using the OATH token.