Re: OTP or 2FA for Manager Account?

2018-05-18 Thread Michael Ströder

Howard Chu wrote:

On 15.05.2018 at 19:06, Michael Ströder wrote:

Douglas Duckworth wrote:

Does OpenLDAP support use of one time passwords or 2FA for the Manager
account?


There are several solutions:

1. contrib/slapd-modules/passwd/totp/
A proof of concept overlay which AFAICS replaces checking a normal 
password by checking a generated TOTP value. So not really 2FA.


But certainly OTP, which is part of the original question. Unfortunately 
Google Authenticator only uses 6 digits. With a longer input, OTP is 
sufficiently strong for most authentication purposes all by itself, no 
need for a 2nd factor. (See S/Key, OPIE)


I strongly disagree: If the shared secret (or token) gets lost / stolen 
there's no more authentication. I'd never use OTP alone.


Ciao, Michael.




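The two points argued above (OTP-only binds, as the PoC overlay does, versus password plus OTP, and the effect of the digit length) as an added example in Python; this is not code from the thread or from any of the three projects named. The account, salt and password are constructed, and the TOTP seed is the RFC 6238 reference secret, so the values can be checked against that RFC's test vectors.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP-SHA1: HMAC over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second
    periods since the Unix epoch. Google Authenticator uses digits=6, step=30."""
    return hotp(secret, unix_time // step, digits)

def totp_verify(secret: bytes, code: str, unix_time: int, digits: int = 6,
                step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current period and `window` periods either side
    (clock drift); each candidate is compared in constant time."""
    return any(hmac.compare_digest(totp(secret, unix_time + d * step, digits), code)
               for d in range(-window, window + 1))

# Constructed demo account, not real credentials: salted PBKDF2 password hash
# plus the RFC 6238 reference seed as the TOTP shared secret.
DEMO_SALT = b"demo-salt"
DEMO_PW_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", DEMO_SALT, 100_000)
DEMO_TOTP_SEED = b"12345678901234567890"

def otp_only_bind(code: str, unix_time: int) -> bool:
    """What the PoC overlay does: the OTP value alone decides the bind, so a
    stolen seed is a stolen credential."""
    return totp_verify(DEMO_TOTP_SEED, code, unix_time)

def two_factor_bind(password: str, code: str, unix_time: int) -> bool:
    """Real 2FA: the static password AND a fresh OTP must both check out; both
    are evaluated so a failure does not reveal which factor was wrong."""
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), DEMO_SALT, 100_000),
        DEMO_PW_HASH)
    otp_ok = totp_verify(DEMO_TOTP_SEED, code, unix_time)
    return pw_ok and otp_ok

if __name__ == "__main__":
    t = 1111111109  # RFC 6238 test time; 8-digit reference code is 07081804
    print("6-digit:", totp(DEMO_TOTP_SEED, t), "8-digit:", totp(DEMO_TOTP_SEED, t, 8))
    code = totp(DEMO_TOTP_SEED, t)
    print("OTP-only bind with a leaked seed:", otp_only_bind(code, t))
    print("2FA bind with a leaked seed but wrong password:", two_factor_bind("wrong", code, t))
```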

Re: OTP or 2FA for Manager Account?

2018-05-17 Thread Howard Chu

On 15.05.2018 at 19:06, Michael Ströder wrote:

Douglas Duckworth wrote:

Does OpenLDAP support use of one time passwords or 2FA for the Manager
account?


There are several solutions:

1. contrib/slapd-modules/passwd/totp/
A proof of concept overlay which AFAICS replaces checking a normal password 
by checking a generated TOTP value. So not really 2FA.


But certainly OTP, which is part of the original question. Unfortunately 
Google Authenticator only uses 6 digits. With a longer input, OTP is 
sufficiently strong for most authentication purposes all by itself, no need 
for a 2nd factor. (See S/Key, OPIE)



2. OATH HOTP LDAP Plugin by cargosoft.ru
Sorry, I only found a Russian site: http://cargosoft.ru/ru/rm/113/115
I never checked this myself anyway and therefore can't comment.

3. OATH-LDAP
Most flexible solution but hard to set up, especially since not fully
documented yet. It's currently directly integrated into Æ-DIR but could be 
used stand-alone. Being the author I'm biased of course.


Ciao, Michael.






--
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/



Re: OTP or 2FA for Manager Account?

2018-05-17 Thread Dave Macias
Sorry, looks like I got a bit confused

So, 2FA not just plain OTP.
So password+OTP is what I'm looking for.


On Thu, May 17, 2018 at 10:52 AM Dave Macias wrote:

> Thank you for the reply Michael,
>
> This one in:
> 3. OATH-LDAP
>
> But in general just want to test a way to add OTP to openldap, whichever
> works
>
> -dave
>
> On Wed, May 16, 2018 at 9:25 AM Michael Ströder 
> wrote:
>
>> Dave Macias wrote:
>> > I too have been wondering about TOTP with openldap but always found it
>> > hard to find documentation on it. Any chance to have this documented?
>> > Don't see it in the site
>>
>> Which of the three solutions / sites do you mean?
>>
>> Ciao, Michael.
>>
>> > On Wed, May 16, 2018 at 7:23 AM Peter wrote:
>> >
>> > Hi Michael,
>> >
>> > Thanks for this summary, to which I can only add the English page of
>> > the
>> > Russian activity:
>> >
>> > http://cargosoft.ru/en/rm/118/119
>> >
>> > Cheers,
>> >
>> > Peter
>> >
>> >
>> >
>> > On 15.05.2018 at 19:06, Michael Ströder wrote:
>> > > Douglas Duckworth wrote:
>> > >> Does OpenLDAP support use of one time passwords or 2FA for the
>> > Manager
>> > >> account?
>> > >
>> > > There are several solutions:
>> > >
>> > > 1. contrib/slapd-modules/passwd/totp/
>> > > A proof of concept overlay which AFAICS replaces checking a normal
>> > > password by checking a generated TOTP value. So not really 2FA.
>> > >
>> > > 2. OATH HOTP LDAP Plugin by cargosoft.ru 
>> > > Sorry, I only found a Russian site:
>> http://cargosoft.ru/ru/rm/113/115
>> > > I never checked this myself anyway and therefore can't comment.
>> > >
>> > > 3. OATH-LDAP
>> > > Most flexible solution but hard to set up, especially since not
>> fully
>> > > documented yet. It's currently directly integrated into Æ-DIR but
>> > > could be used stand-alone. Being the author I'm biased of course.
>> > >
>> > > Ciao, Michael.
>>
>


Re: OTP or 2FA for Manager Account?

2018-05-17 Thread Dave Macias
Thank you for the reply Michael,

This one in:
3. OATH-LDAP

But in general just want to test a way to add OTP to openldap, whichever
works

-dave

On Wed, May 16, 2018 at 9:25 AM Michael Ströder 
wrote:

> Dave Macias wrote:
> > I too have been wondering about TOTP with openldap but always found it
> > hard to find documentation on it. Any chance to have this documented?
> > Don't see it in the site
>
> Which of the three solutions / sites do you mean?
>
> Ciao, Michael.
>
> > On Wed, May 16, 2018 at 7:23 AM Peter wrote:
> >
> > Hi Michael,
> >
> > Thanks for this summary, to which I can only add the English page of
> > the
> > Russian activity:
> >
> > http://cargosoft.ru/en/rm/118/119
> >
> > Cheers,
> >
> > Peter
> >
> >
> >
> > On 15.05.2018 at 19:06, Michael Ströder wrote:
> > > Douglas Duckworth wrote:
> > >> Does OpenLDAP support use of one time passwords or 2FA for the
> > Manager
> > >> account?
> > >
> > > There are several solutions:
> > >
> > > 1. contrib/slapd-modules/passwd/totp/
> > > A proof of concept overlay which AFAICS replaces checking a normal
> > > password by checking a generated TOTP value. So not really 2FA.
> > >
> > > 2. OATH HOTP LDAP Plugin by cargosoft.ru 
> > > Sorry, I only found a Russian site:
> http://cargosoft.ru/ru/rm/113/115
> > > I never checked this myself anyway and therefore can't comment.
> > >
> > > 3. OATH-LDAP
> > > Most flexible solution but hard to set up, especially since not
> fully
> > > documented yet. It's currently directly integrated into Æ-DIR but
> > > could be used stand-alone. Being the author I'm biased of course.
> > >
> > > Ciao, Michael.
>


Re: OTP or 2FA for Manager Account?

2018-05-16 Thread Dieter Klünter
On Wed, 16 May 2018 08:24:06 -0400, Dave Macias wrote:

> I too have been wondering about TOTP with openldap but always found
> it hard to find documentation on it. Any chance to have this
> documented? Don't see it in the site
[...]

I have written an article on TOTP:
https://blog.sys4.de/totp-time-based-one-time-password-authentication-en.html

-Dieter

-- 
Dieter Klünter | Systems Consulting
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: OTP or 2FA for Manager Account?

2018-05-16 Thread Michael Ströder
Dave Macias wrote:
> I too have been wondering about TOTP with openldap but always found it
> hard to find documentation on it. Any chance to have this documented?
> Don't see it in the site

Which of the three solutions / sites do you mean?

Ciao, Michael.

> On Wed, May 16, 2018 at 7:23 AM Peter wrote:
> 
> Hi Michael,
> 
> Thanks for this summary, to which I can only add the English page of
> the
> Russian activity:
> 
> http://cargosoft.ru/en/rm/118/119
> 
> Cheers,
> 
> Peter
> 
> 
> 
> On 15.05.2018 at 19:06, Michael Ströder wrote:
> > Douglas Duckworth wrote:
> >> Does OpenLDAP support use of one time passwords or 2FA for the
> Manager
> >> account?
> >
> > There are several solutions:
> >
> > 1. contrib/slapd-modules/passwd/totp/
> > A proof of concept overlay which AFAICS replaces checking a normal
> > password by checking a generated TOTP value. So not really 2FA.
> >
> > 2. OATH HOTP LDAP Plugin by cargosoft.ru 
> > Sorry, I only found a Russian site: http://cargosoft.ru/ru/rm/113/115
> > I never checked this myself anyway and therefore can't comment.
> >
> > 3. OATH-LDAP
> > Most flexible solution but hard to set up, especially since not fully
> > documented yet. It's currently directly integrated into Æ-DIR but
> > could be used stand-alone. Being the author I'm biased of course.
> >
> > Ciao, Michael.



Re: OTP or 2FA for Manager Account?

2018-05-16 Thread Dave Macias
I too have been wondering about TOTP with openldap but always found it hard
to find documentation on it. Any chance to have this documented? Don't see
it in the site

Regards,
dave

On Wed, May 16, 2018 at 7:23 AM Peter  wrote:

> Hi Michael,
>
> Thanks for this summary, to which I can only add the English page of the
> Russian activity:
>
> http://cargosoft.ru/en/rm/118/119
>
> Cheers,
>
> Peter
>
>
>
> On 15.05.2018 at 19:06, Michael Ströder wrote:
> > Douglas Duckworth wrote:
> >> Does OpenLDAP support use of one time passwords or 2FA for the Manager
> >> account?
> >
> > There are several solutions:
> >
> > 1. contrib/slapd-modules/passwd/totp/
> > A proof of concept overlay which AFAICS replaces checking a normal
> > password by checking a generated TOTP value. So not really 2FA.
> >
> > 2. OATH HOTP LDAP Plugin by cargosoft.ru
> > Sorry, I only found a Russian site: http://cargosoft.ru/ru/rm/113/115
> > I never checked this myself anyway and therefore can't comment.
> >
> > 3. OATH-LDAP
> > Most flexible solution but hard to set up, especially since not fully
> > documented yet. It's currently directly integrated into Æ-DIR but
> > could be used stand-alone. Being the author I'm biased of course.
> >
> > Ciao, Michael.
> >
>
> --
> ___
>
> Peter Gietz (CEO)
> DAASI International GmbH   phone: +49 7071 407109-0
> Europaplatz 3  Fax:   +49 7071 407109-9
> D-72072 Tübingen   mail:  peter.gi...@daasi.de
> GermanyWeb:   www.daasi.de
>
> DAASI International GmbH, Tübingen
> Managing Director Peter Gietz, Stuttgart Local Court HRB 382175
>
> Directory Applications for Advanced Security and Information Management
> ___
>
>
>


Re: OTP or 2FA for Manager Account?

2018-05-16 Thread Peter

Hi Michael,

Thanks for this summary, to which I can only add the English page of the
Russian activity:


http://cargosoft.ru/en/rm/118/119

Cheers,

Peter



On 15.05.2018 at 19:06, Michael Ströder wrote:

Douglas Duckworth wrote:

Does OpenLDAP support use of one time passwords or 2FA for the Manager
account?


There are several solutions:

1. contrib/slapd-modules/passwd/totp/
A proof of concept overlay which AFAICS replaces checking a normal 
password by checking a generated TOTP value. So not really 2FA.


2. OATH HOTP LDAP Plugin by cargosoft.ru
Sorry, I only found a Russian site: http://cargosoft.ru/ru/rm/113/115
I never checked this myself anyway and therefore can't comment.

3. OATH-LDAP
Most flexible solution but hard to set up, especially since not fully
documented yet. It's currently directly integrated into Æ-DIR but 
could be used stand-alone. Being the author I'm biased of course.


Ciao, Michael.



--
___

Peter Gietz (CEO)
DAASI International GmbH   phone: +49 7071 407109-0
Europaplatz 3  Fax:   +49 7071 407109-9
D-72072 Tübingen   mail:  peter.gi...@daasi.de
GermanyWeb:   www.daasi.de

DAASI International GmbH, Tübingen
Managing Director Peter Gietz, Stuttgart Local Court HRB 382175

Directory Applications for Advanced Security and Information Management
___




Re: OTP or 2FA for Manager Account?

2018-05-15 Thread Michael Ströder
Ondřej Kuzník wrote:
> On Tue, May 15, 2018 at 07:06:41PM +0200, Michael Ströder wrote:
>> Douglas Duckworth wrote:
>>> Does OpenLDAP support use of one time passwords or 2FA for the Manager
>>> account?
>>
>> There are several solutions:
>>
>> 1. contrib/slapd-modules/passwd/totp/
>> A proof of concept overlay which AFAICS replaces checking a normal password
>> by checking a generated TOTP value. So not really 2FA.
> 
> We have been looking into how to best make it an actual 2FA solution,
> though.

Did you consider using OATH-LDAP's schema?
That's the most flexible way of doing it, which is appreciated.

Furthermore I'm very paranoid regarding security of shared secrets. In
current OATH-LDAP they are asymmetrically encrypted with only an
*external* component having access to the private key(s).

It would be nice to join forces developing something which is more
integrated with OpenLDAP though.

Ciao, Michael.





Re: OTP or 2FA for Manager Account?

2018-05-15 Thread Ondřej Kuzník
On Tue, May 15, 2018 at 07:06:41PM +0200, Michael Ströder wrote:
> Douglas Duckworth wrote:
>> Does OpenLDAP support use of one time passwords or 2FA for the Manager
>> account?
> 
> There are several solutions:
> 
> 1. contrib/slapd-modules/passwd/totp/
> A proof of concept overlay which AFAICS replaces checking a normal password
> by checking a generated TOTP value. So not really 2FA.

We have been looking into how to best make it an actual 2FA solution,
though.

> 2. OATH HOTP LDAP Plugin by cargosoft.ru
> Sorry, I only found a Russian site: http://cargosoft.ru/ru/rm/113/115
> I never checked this myself anyway and therefore can't comment.
> 
> 3. OATH-LDAP
> Most flexible solution but hard to set up, especially since not fully
> documented yet. It's currently directly integrated into Æ-DIR but could be
> used stand-alone. Being the author I'm biased of course.

-- 
Ondřej Kuzník
Senior Software Engineer
Symas Corporation   http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP



Re: OTP or 2FA for Manager Account?

2018-05-15 Thread Michael Ströder

Douglas Duckworth wrote:

Does OpenLDAP support use of one time passwords or 2FA for the Manager
account?


There are several solutions:

1. contrib/slapd-modules/passwd/totp/
A proof of concept overlay which AFAICS replaces checking a normal 
password by checking a generated TOTP value. So not really 2FA.


2. OATH HOTP LDAP Plugin by cargosoft.ru
Sorry, I only found a Russian site: http://cargosoft.ru/ru/rm/113/115
I never checked this myself anyway and therefore can't comment.

3. OATH-LDAP
Most flexible solution but hard to set up, especially since not fully
documented yet. It's currently directly integrated into Æ-DIR but could 
be used stand-alone. Being the author I'm biased of course.


Ciao, Michael.


