Yubico Forum

My goal is to have an LDAP server that I can bind to using a two-factor password (regular and OTP concatenated), and to have the password and yubikey ID stored in that LDAP server. Also, some users should have regular passwords only.

So far I've managed single-factor authentication like so:

• Simple bind to OpenLDAP
• OpenLDAP looks in the userPassword attribute. If it's a regular password ({CRYPT} or {SSHA}), authentication stops here. For Yubikey, it contains "{SASL}username".
• username and password are passed to saslauthd, which invokes PAM
• PAM calls pam_yubico, which checks the OTP against the validation server
• pam_yubico connects back to the LDAP server, retrieves the yubikeyID attribute for the user, and checks that it matches the validated OTP.

The only way I can think of to real two-factor auth is to set up a proxy LDAP server in front of the main one, where the main one contains a real password in userPassword, and the proxy replaces userPassword with {SASL}username if there's a yubikeyId attribute. PAM would then call pam_ldap to bind to the backend server using the real password, after pam_yubico has stripped the OTP off the end of the password string.

This seems like it's getting way too complicated, plus it would be a headache to keep the proxy in sync with the backend. Am I missing some easier way to do this? I'd think this would be a pretty common use case, but I can't find any documentation on this setup.

I might misunderstand what you mean, but wouldn't this work?

1) use pam_yubico to validate OTP, and look in LDAP for an attribute (available using anonymous bind) containing the public_id to username mapping
2) if step 1 was successful, the pam_yubico module would have stripped the OTP from the authtoken and pam_ldap can be used to do an authenticated bind to the LDAP server to verify the password

/Fredrik

Not quite; that would generate a loop:

1. OTP+pass bind to LDAP server
2. call to saslauthd
3. OTP+pass handed to pam_yubico
4. pass only handed to pam_ldap
5. pass only bind to LDAP server
6. call to saslauthd
7. pass only handed to pam_yubico
8. failure

I ended up solving the problem by writing my own replacement for saslauthd that does exactly what I need:

1. OTP+pass bind to LDAP server
2. call to custom saslauthd
3. saslauthd splits OTP and password
4. validates OTP directly
5. queries LDAP (without binding as the user) for yubikey ID and hashed password
6. validates yubikey and password

I'm hoping to publish it as open-source, but I need to get an OK from my company first. I'll post a link here if/when it's available.

Assuming you can't get permission, any hints/tips on modifying saslauthd, looking to do a similar thing here.

Here it is: https://github.com/meddius/yubisaslauthd

It's pretty short and simple code; I recommend reading it to make sure it does what you expect.

I understand that this is an old thread but if anyone could provide me with a few pointers on getting this running, I would be very grateful.

I'm running OpenLDAP on Ubuntu.