I am using SSSD in LDAP-only mode (no Kerberos at all), communicating with FreeIPA. For certain hosts, I want to require SSSD to demand OTP.
Right now, they are allowing password OR password+OTP. But my 'ipa show-host' output for the hosts in question has "Authentication Indicators: otp". What do I need to do for SSSD to only accept password+OTP?
Thank you.
On Mon, 12 Feb 2024, G H via FreeIPA-users wrote:
Authentication indicators are Kerberos-only.
The way to enforce OTP use by the LDAP client during bind is by adding a control, OTP_REQUIRED_OID (2.16.840.1.113730.3.8.10.7), during the LDAP SASL bind, the way the ipa-otpd daemon does:
    /* OTP_REQUIRED control: empty value, criticality set to true */
    LDAPControl control = { OTP_REQUIRED_OID, {}, true };
    LDAPControl *ctrls[] = { &control, NULL };
    ...
    /* the credential is the user's password followed by the OTP */
    cred.bv_val = data->data;
    cred.bv_len = data->length;
    i = ldap_sasl_bind(verto_get_private(ev), item->user.dn, LDAP_SASL_SIMPLE,
                       &cred, ctrls, NULL, &item->msgid);
I don't think it is possible to do so with SSSD as it is.
I have a proposal https://github.com/freeipa/freeipa/pull/7200 that enforces OTP over *all* LDAP binds server-side, by effectively assuming this OID is present always in any client LDAP bind.
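The bind described in the reply above, written out as an added example (it is not ipa-otpd's or FreeIPA's code, nor the ldap3 script mentioned later in the thread): a standard-library-only Python client that BER-encodes a simple BindRequest carrying the OTP_REQUIRED control with criticality TRUE, sends it over LDAPS, and decodes the BindResponse. The hostname, DN and credential are placeholders, and make_bind_response is a constructed fixture so the encoder and decoder can be checked offline. Two things worth knowing before using this: because the control is marked critical, a directory that does not implement it answers with unavailableCriticalExtension (resultCode 12) instead of silently falling back to a password-only bind, which is the failure mode you want; and since a simple bind ships the password+OTP in the clear inside the session, only do this over TLS.

```python
"""Simple LDAP bind to FreeIPA that demands password+OTP by attaching the
OTP_REQUIRED control (2.16.840.1.113730.3.8.10.7) quoted in the thread.
Added example, not ipa-otpd or FreeIPA code; stdlib only, messages are
BER-encoded by hand so the control is visible on the wire. Host, DN and
credential are placeholders."""
import socket
import ssl

OTP_REQUIRED_OID = "2.16.840.1.113730.3.8.10.7"

# --- minimal BER helpers; LDAP (RFC 4511) uses a restricted BER subset ---
def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload

def _ber_int(n, tag=0x02):
    return _tlv(tag, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))

def _read_tlv(buf, pos):
    """Return (tag, value, position after this TLV)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def bind_request(msgid, dn, credential, require_otp=True):
    """LDAPMessage { messageID, BindRequest (simple auth), [controls] }."""
    op = _tlv(0x60, _ber_int(3)                   # [APPLICATION 0] BindRequest, version 3
              + _tlv(0x04, dn.encode())           # name LDAPDN
              + _tlv(0x80, credential.encode()))  # authentication [0] simple
    body = _ber_int(msgid) + op
    if require_otp:
        # Control { controlType OID, criticality TRUE, no controlValue }: what ipa-otpd sends
        ctrl = _tlv(0x30, _tlv(0x04, OTP_REQUIRED_OID.encode()) + _tlv(0x01, b"\xff"))
        body += _tlv(0xA0, ctrl)                  # Controls ::= [0] SEQUENCE OF Control
    return _tlv(0x30, body)

def controls_in(message):
    """List of (oid, critical) for the controls attached to an encoded LDAPMessage."""
    _, body, _ = _read_tlv(message, 0)
    found, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0xA0:
            continue
        cpos = 0
        while cpos < len(value):
            _, ctrl, cpos = _read_tlv(value, cpos)
            _, oid, p = _read_tlv(ctrl, 0)
            critical = False
            if p < len(ctrl):
                t, v, p = _read_tlv(ctrl, p)
                critical = t == 0x01 and v != b"\x00"
            found.append((oid.decode(), critical))
    return found

def parse_bind_response(message):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse."""
    _, body, _ = _read_tlv(message, 0)
    _, mid, pos = _read_tlv(body, 0)
    tag, result, _ = _read_tlv(body, pos)
    if tag != 0x61:                               # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse: tag 0x%02x" % tag)
    _, code, p = _read_tlv(result, 0)
    _, _matched, p = _read_tlv(result, p)
    _, diag, _ = _read_tlv(result, p)
    return (int.from_bytes(mid, "big", signed=True),
            int.from_bytes(code, "big", signed=True), diag.decode(errors="replace"))

def make_bind_response(msgid, result_code, diag=""):
    """Constructed server reply, used only so the decoder can be checked offline."""
    result = _ber_int(result_code, 0x0A) + _tlv(0x04, b"") + _tlv(0x04, diag.encode())
    return _tlv(0x30, _ber_int(msgid) + _tlv(0x61, result))

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-message")
        buf += chunk
    return buf

def _recv_message(sock):
    head = _recv_exact(sock, 2)
    if head[1] & 0x80:
        head += _recv_exact(sock, head[1] & 0x7F)
        length = int.from_bytes(head[2:], "big")
    else:
        length = head[1]
    return head + _recv_exact(sock, length)

def ldap_bind_requiring_otp(host, dn, password_plus_otp, port=636, cafile=None):
    """Bind over LDAPS; returns (ok, resultCode, diagnosticMessage).
    0 = bound with OTP, 49 = invalidCredentials, 12 = critical control not implemented."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port)) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(bind_request(1, dn, password_plus_otp))
        mid, code, diag = parse_bind_response(_recv_message(tls))
    return mid == 1 and code == 0, code, diag

if __name__ == "__main__":  # placeholders; needs a reachable FreeIPA server
    print(ldap_bind_requiring_otp("ipa.example.test",
                                  "uid=alice,cn=users,cn=accounts,dc=example,dc=test",
                                  "Secret123" + "123456"))
```

If you would rather stay with ldap3, the same control is passed to Connection.bind() as the tuple (OTP_REQUIRED_OID, True, None) in its controls argument; the point is identical, the client, not the server, has to insist on OTP, and criticality TRUE is what turns "server ignored it" into a hard failure instead of a silent password-only login.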
My goal is 2FA for OpenVPN clients. I was using pam+sssd to do this, but I discovered that people were able to log in without any 2FA at all.
Is there a way to validate only the OTP using a command-line tool on a remote server against FreeIPA? My thinking is I could use PAM to perform the password check, but I'd still need a way to validate MFA.
On Monday, February 12, 2024 at 10:28:01 AM EST, Alexander Bokovoy abokovoy@redhat.com wrote:
OK, I was able to write a Python script using the ldap3 library to handle this: https://ldap3.readthedocs.io/en/latest/connection.html#controls
Thank you Alexander.
On Tuesday, February 13, 2024 at 03:58:39 PM EST, G H via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote: