Many thanks to all for your comments. I think I know how this feature can be integrated into our infrastructure. I'll bring this into a testing environment now.
Cheers,
On 17Jan23 21:27+0000, Howard Chu wrote:
> Bastian Tweddell wrote:
> > On 17Jan23 17:33+0000, Howard Chu wrote:
> >> Sounds more like a question for your SSH server, and whether you can
> >> configure it to use PAM
> >> after a successful pubkey authentication.
> >
> > Yes, PAM is enabled for sshd.
> >
> > I do not have the full picture how slap-totp works. For me, there are two
> > open questions:
> >
> > 1. From openldap pov:
> > How would I make the bind call to slapd, so that only
> > the TOTP is checked?
>
> If you're talking about the totp module in the contrib source directory, all
> you need
> to do is a normal LDAP Simple Bind. LDAP modules for PAM would do this
> already.
>
> > Would the following be sufficient to achieve 2FA only:
> >
> > ```ldif
> > userPassword: {TOTP512}$BASE64
> > # assuming the overlay is configured properly
> > ```
>
> Yes.
>
> > Would it be possible to use another attribute than `userPassword`?
>
> Not with the existing code, no.
> >
> > 2. PAM integration: This is not a question to this group here, but maybe
> > there are some related ideas.
> > How or which PAM module can be used?
>
> nss-pam-ldapd / nslcd, whatever the latest supported version is.
> >
> >
> > The aim is to avoid copying the TOTP secret of users to the local
> > systems (which are the public accessible hosts).
> >
> >
> > Many thanks,
> > Cheers,
> > --
> > Bastian Tweddell Juelich Supercomputing Centre
> > phone: +49 (2461) 61-6586 HPC in Neuroscience, HPS
> >
>
>
> --
> -- Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/
--
Bastian Tweddell Juelich Supercomputing Centre
phone: +49 (2461) 61-6586 HPC in Neuroscience, HPS
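For the `{TOTP512}$BASE64` value discussed in the thread, here is an added example (not from the thread and not OpenLDAP's contrib module code) of what the slapd-side check amounts to: an RFC 6238 TOTP computed over the base64-decoded secret, with the HMAC hash selected by the scheme name, compared against the code supplied as the Simple Bind password. Assumptions labelled in the code: 6-digit codes, a 30-second step and a one-step tolerance window; confirm these against the contrib module's README before relying on them.

```python
import base64
import hashlib
import hmac
import struct

# Scheme prefix -> HMAC hash. Assumption: mirrors the RFC 6238 variants
# (TOTP1 = HMAC-SHA1, TOTP256 = HMAC-SHA256, TOTP512 = HMAC-SHA512).
SCHEMES = {"{TOTP1}": hashlib.sha1, "{TOTP256}": hashlib.sha256, "{TOTP512}": hashlib.sha512}
DEFAULT_DIGITS = 6    # assumption: 6-digit codes
DEFAULT_PERIOD = 30   # assumption: 30-second time step


def hotp(secret: bytes, counter: int, digest, digits: int = DEFAULT_DIGITS) -> str:
    """RFC 4226 HOTP with a selectable HMAC hash and dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def make_userpassword(secret: bytes, scheme: str = "{TOTP512}") -> str:
    """Build the userPassword value: scheme prefix followed by the base64 secret."""
    if scheme not in SCHEMES:
        raise ValueError(f"unknown scheme {scheme}")
    return scheme + base64.b64encode(secret).decode("ascii")


def parse_userpassword(value: str):
    """Split '{TOTP512}<base64>' into (hash function, raw secret bytes)."""
    scheme, _, b64 = value.partition("}")
    scheme += "}"
    if scheme not in SCHEMES:
        raise ValueError(f"unsupported userPassword scheme {scheme}")
    return SCHEMES[scheme], base64.b64decode(b64)


def totp_at(value: str, unix_time: int, period: int = DEFAULT_PERIOD,
            digits: int = DEFAULT_DIGITS) -> str:
    """Code the directory expects as the bind password at the given time."""
    digest, secret = parse_userpassword(value)
    return hotp(secret, unix_time // period, digest, digits)


def verify_bind(value: str, candidate: str, unix_time: int, window: int = 1,
                period: int = DEFAULT_PERIOD, digits: int = DEFAULT_DIGITS) -> bool:
    """Accept the code for the current step or any step within +/- window.
    Every candidate step is checked (constant-time compare) so timing does
    not leak which step matched; a real deployment should also record the
    last accepted step to refuse replay within the window."""
    digest, secret = parse_userpassword(value)
    step = unix_time // period
    ok = False
    for delta in range(-window, window + 1):
        ok |= hmac.compare_digest(hotp(secret, step + delta, digest, digits), candidate)
    return ok
```

The test values below are the RFC 6238 Appendix B HMAC-SHA512 vectors (64-byte ASCII secret), so the arithmetic can be checked independently of any slapd instance.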