|
NAMEslapo-otp - OATH One-Time Password moduleSYNOPSISmoduleload otp.laDESCRIPTIONThe otp module allows time-based one-time password, AKA "authenticator-style", and HMAC-based one-time password authentication to be used in conjunction with a standard LDAP password for two-factor authentication.With this module, users would use their password, followed with the one-time password in the password prompt to authenticate. The password needed for a user to authenticate is calculated based on a counter (current time in case of TOTP) and a key that is referenced in the user's LDAP entry. Since the password is based on the time or number of uses, it changes periodically. Once used, it cannot be used again so keyloggers and shoulder-surfers are thwarted. A mobile phone application, such as the Google Authenticator or YubiKey (a prover), can be used to calculate the user's current one-time password, which is expressed as a (usually six-digit) number. Alternatively, the value can be calculated by some other application with access to the user's key and delivered to the user through SMS or some other channel. When prompted to authenticate, the user merely appends the code provided by the prover at the end of their password when authenticating. This implementation complies with RFC 4226 HOTP HMAC-Based One Time Passwords and RFC 6238 TOTP Time-based One Time Passwords and includes support for the SHA-1, SHA-256, and SHA-512 HMAC algorithms. The HMAC key used in the OTP computation is stored in the oathOTPToken entry referenced in the user's LDAP entry and the parameters are stored in the oathOTPParams LDAP entry referenced in the token. CONFIGURATIONOnce the module is configured on the database, it will intercept LDAP simple binds for users whose LDAP entry has any of the oathOTPUser derived objectlasses attached to it. The attributes linking the user and the shared secret are:
The following parts of the OATH-LDAP schema are implemented. General attributes:
The HOTP attributes:
The TOTP attributes:
SEE ALSOslapd-config(5).ACKNOWLEDGEMENTThis work was developed by Ondřej Kuzník and Howard Chu of Symas Corporation for inclusion in OpenLDAP Software.This work reuses the OATH-LDAP schema developed by Michael Ströder.
Visit the GSP FreeBSD Man Page Interface. |