Yubico Forum

Re: LDAP two-factor authentication

2014-06-17T15:49:54+01:00

I understand that this is an old thread but if anyone could provide me with a few pointers on getting this running, I would be very grateful.

I'm running OpenLDAP on Ubuntu.

Statistics: Posted by lem — Tue Jun 17, 2014 3:49 pm

Re: LDAP two-factor authentication

2012-04-03T18:48:06+01:00

Here it is: https://github.com/meddius/yubisaslauthd

It's pretty short and simple code; I recommend reading it to make sure it does what you expect.

Statistics: Posted by bjencks — Tue Apr 03, 2012 6:48 pm

Re: LDAP two-factor authentication

2012-03-30T20:58:15+01:00

bjencks wrote:

I ended up solving the problem by writing my own replacement for saslauthd that does exactly what I need:

OTP+pass bind to LDAP server
call to custom saslauthd
saslauthd splits OTP and password
validates OTP directly
queries LDAP (without binding as the user) for yubikey ID and hashed password
validates yubikey and password

I'm hoping to publish it as open-source, but I need to get an OK from my company first. I'll post a link here if/when it's available.

Assuming you can't get permission, any hints/tips on modifying saslauthd, looking to do a similar thing here.

Statistics: Posted by freedenizen — Fri Mar 30, 2012 8:58 pm

Re: LDAP two-factor authentication

2012-03-06T20:15:32+01:00

Not quite; that would generate a loop:

OTP+pass bind to LDAP server
call to saslauthd
OTP+pass handed to pam_yubico
pass only handed to pam_ldap
pass only bind to LDAP server
call to saslauthd
pass only handed to pam_yubico
failure

I ended up solving the problem by writing my own replacement for saslauthd that does exactly what I need:

OTP+pass bind to LDAP server
call to custom saslauthd
saslauthd splits OTP and password
validates OTP directly
queries LDAP (without binding as the user) for yubikey ID and hashed password
validates yubikey and password

I'm hoping to publish it as open-source, but I need to get an OK from my company first. I'll post a link here if/when it's available.

Statistics: Posted by bjencks — Tue Mar 06, 2012 8:15 pm

Re: LDAP two-factor authentication

2012-03-06T11:25:44+01:00

I might misunderstand what you mean, but wouldn't this work?

1) use pam_yubico to validate OTP, and look in LDAP for an attribute (available using anonymous bind) containing the public_id to username mapping
2) if step 1 was successful, the pam_yubico module would have stripped the OTP from the authtoken and pam_ldap can be used to do an authenticated bind to the LDAP server to verify the password

/Fredrik

Statistics: Posted by Guest — Tue Mar 06, 2012 11:25 am

LDAP two-factor authentication

2012-01-11T23:54:27+01:00

My goal is to have an LDAP server that I can bind to using a two-factor password (regular and OTP concatenated), and to have the password and yubikey ID stored in that LDAP server. Also, some users should have regular passwords only.

So far I've managed single-factor authentication like so:

Simple bind to OpenLDAP
OpenLDAP looks in the userPassword attribute. If it's a regular password ({CRYPT} or {SSHA}), authentication stops here. For Yubikey, it contains "{SASL}username".
username and password are passed to saslauthd, which invokes PAM
PAM calls pam_yubico, which checks the OTP against the validation server
pam_yubico connects back to the LDAP server, retrieves the yubikeyID attribute for the user, and checks that it matches the validated OTP.

The only way I can think of to real two-factor auth is to set up a proxy LDAP server in front of the main one, where the main one contains a real password in userPassword, and the proxy replaces userPassword with {SASL}username if there's a yubikeyId attribute. PAM would then call pam_ldap to bind to the backend server using the real password, after pam_yubico has stripped the OTP off the end of the password string.

This seems like it's getting way too complicated, plus it would be a headache to keep the proxy in sync with the backend. Am I missing some easier way to do this? I'd think this would be a pretty common use case, but I can't find any documentation on this setup.

Statistics: Posted by bjencks — Wed Jan 11, 2012 11:54 pm