Re: OATH TOTP LDAP schema?
- To: openldap-technical@openldap.org
- Subject: Re: OATH TOTP LDAP schema?
- From: Michael Ströder <michael@stroeder.com>
- Date: Wed, 11 Dec 2019 11:49:17 +0100
- In-reply-to: <F3AE7AFA077936321631CF5A@[192.168.1.144]>
- References: <6304246.PJgptScnOl@mcmic-probook> <CA+nFYV_=aVL-h8P61e-wHQWqKouGpe5jVeg7jdVTqExv-4sfHw@mail.gmail.com> <4BD7D431F36BE54130FC2823@192.168.1.144> <3608731.QuURGX88qn@mcmic-probook> <F3AE7AFA077936321631CF5A@[192.168.1.144]>
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.2.2
On 12/11/19 12:31 AM, Quanah Gibson-Mount wrote:
> --On Tuesday, December 10, 2019 9:25 AM +0100 Côme Chilliet
> <come.chilliet@fusiondirectory.org> wrote:
>
>> Le mercredi 4 décembre 2019, 13:28:36 CET Quanah Gibson-Mount a écrit :
>>> Although perhaps this isn't exactly what was being asked for. I.e., the
>>> module provides the ability to enable TOTP use with OpenLDAP, whereas
>>> perhaps you're looking for a way to store data in LDAP as a backend for
>>> a TOTP system?
>>
>> Yes this is more what I was looking for.
>
> Michael Stroeder controls the schema, from what I understand. He might
> be able to provide a link to the current version.
Well, in general OATH-LDAP was meant to be used stand-alone with any
OpenLDAP server. But up to now I did not have the time to brush things
up into an easy-to-use stand-alone package.
So currently you will find things in Æ-DIR's repo because OATH-LDAP is
an integral part of it.
Schema:
https://gitlab.com/ae-dir/ansible-ae-dir-server/blob/master/files/schema/oath-ldap.schema
The HOTP validator (external slapd-sock listener) and a simple web app
for the enrollment:
https://gitlab.com/ae-dir/ansible-ae-dir-server/tree/master/files/oath-ldap
A pip-installable command-line tool:
https://gitlab.com/oath-ldap/oath-ldap-tool
https://pypi.org/project/oathldap-tool/
Docs mostly contain diagrams, not much text yet:
https://oath-ldap.stroeder.com/docs.html
Note that unlike all other implementations my implementation stores
oathSecret values asymmetrically encrypted and only the OTP validator
has access to the private key(s) to decrypt the shared secrets (and all
the services are confined/sand-boxed with AppArmor).
This strict separation cannot be done with everything implemented in an
overlay.
However, I'd love to see an overlay implementation which passes all data
needed for the crypto operations to an external process over a Unix
domain socket. So LDAPI access of hotp_validator.py could be avoided
while keeping a strict process separation to protect the master keys.
Ciao, Michael.
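As an added illustration of what the external OTP validator described in this reply has to do once it holds the decrypted shared secret, the following Python is example code written for this page; it is not hotp_validator.py, oathldap-tool or any other OATH-LDAP code. It implements RFC 4226 HOTP and RFC 6238 TOTP from the standard library only, plus the server-side checks such a validator needs: a bounded look-ahead window for HOTP, a small clock-drift window for TOTP, and advancing the stored counter or time step so an accepted OTP cannot be replayed. The asymmetric decryption of oathSecret and the Unix-domain-socket transport are deliberately not modelled; the secret is assumed to be already decrypted inside the validator process. Only the attribute name oathSecret comes from the message; counter, lookAhead and lastStep are hypothetical names, and the sample secret is the RFC 4226/6238 test vector.

```python
import hashlib
import hmac
import struct

# Constructed per-token state as a validator process would keep it after
# decrypting the stored secret. Only "oathSecret" is named on the page;
# "counter", "lookAhead" and "lastStep" are hypothetical attribute names.
# The secret is the RFC 4226 / RFC 6238 test vector, not a real credential.
SAMPLE_HOTP_TOKEN = {
    "oathSecret": b"12345678901234567890",  # already decrypted in-process
    "counter": 0,       # next HOTP counter the server expects
    "lookAhead": 5,     # how many counters ahead to search (resync window)
}

SAMPLE_TOTP_TOKEN = {
    "oathSecret": b"12345678901234567890",
    "lastStep": -1,     # last accepted time step; -1 means none yet
}


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, at // step, digits, digestmod)


def validate_hotp(token: dict, otp: str) -> bool:
    """Check otp against the stored counter within the look-ahead window.

    On success the counter is moved past the matched value, so the same OTP
    (or any earlier one) is rejected afterwards. On failure nothing changes.
    Comparison is constant-time to avoid leaking how close a guess was.
    """
    start = token["counter"]
    for c in range(start, start + token["lookAhead"] + 1):
        if hmac.compare_digest(hotp(token["oathSecret"], c), otp):
            token["counter"] = c + 1
            return True
    return False


def validate_totp(token: dict, otp: str, now: int, step: int = 30, drift: int = 1) -> bool:
    """Accept otp for the current time step or +/- drift steps, but never for a
    step at or before the last accepted one, so a captured OTP cannot be reused
    within its validity window."""
    current = now // step
    for t in range(current - drift, current + drift + 1):
        if t <= token["lastStep"]:
            continue
        if hmac.compare_digest(hotp(token["oathSecret"], t), otp):
            token["lastStep"] = t
            return True
    return False


if __name__ == "__main__":
    tok = dict(SAMPLE_HOTP_TOKEN)
    print("HOTP counter 0:", hotp(tok["oathSecret"], 0))       # 755224 per RFC 4226
    print("accept counter 2:", validate_hotp(tok, "359152"))    # True, counter -> 3
    print("replay counter 2:", validate_hotp(tok, "359152"))    # False
    ttok = dict(SAMPLE_TOTP_TOKEN)
    print("TOTP at t=59:", totp(ttok["oathSecret"], 59, digits=8))  # 94287082 per RFC 6238
```

The mutation of the token dict stands in for the write-back of the new counter or time step to the directory entry; in a real deployment that write must be committed before the validator answers "accepted", otherwise a crash between the two leaves a replay window.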