[389-users] Secondary passwords - like Google's application specific passwords

Jan Tomasek jan at tomasek.cz
Wed Nov 6 16:34:40 UTC 2013


Hello,

please, does anybody have any idea how to implement this with 389?

Thanks

Jan

On 11/04/2013 07:40 PM, Jan Tomasek wrote:
> Hi,
>
> my question about PAM, libscript... comes from my idea: I would like to
> implement secondary passwords in a very similar way to how Google's
> application specific passwords work. [1]
>
> We are using LDAP for centralized user management. Systems providing
> services to users are verified against this LDAP. Users are saving those
> passwords within mail clients, on workstations, on tablets, ... We would
> like to give users the option to not store their main password within
> their clients. We would like to offer them alternative passwords working
> for email, calendar client and so on on a specific device. In case one of
> the devices is compromised, the user will only have to revoke the password
> for that device.
>
> In short: I want to offer users the possibility to generate secondary
> passwords working for email, and so on. I expect them to create multiple
> passwords marked with some nickname, like:
>    phone-email
>    tablet-email
>    phone-calendar
> and so on. Those passwords should work with standard LDAP bind but not
> necessarily on the same suffix and/or where the primary LDAP is. We would
> like to split the primary LDAP passwords used for financial and high trust
> applications from those serving email and calendar.
>
> How to do something like this with 389 DS?
>
> My idea is this:
>
> uid=semik,dc=neco
> objectClass: inetOrgPerson
> cn: Jan Tomasek
> sn: Tomasek
> uid: semik
> userPassword: {SSHA}...
>
> dc=12345,uid=semik,dc=neco
> objectClass: appPassword
> dc: 12345
> password: some-generated-password1
> passwordLabel: phone-email
>
> dc=12395,uid=semik,dc=neco
> objectClass: appPassword
> dc: 12395
> password: some-generated-password2
> passwordLabel: tablet-email
>
> dc=12399,uid=semik,dc=neco
> objectClass: appPassword
> dc: 12399
> password: some-generated-password3
> passwordLabel: phone-calendar
>
>
> I tried to implement this as PAM pass-through authentication. It works
> but it is very fragile.
>
> I'm looking for a more robust and faster way. I know it is possible to do
> this with a PreOperation plugin but maybe there is some easier way. Or
> maybe someone has already implemented such a plugin.
>
> Any comments? Ideas?
>
>
> Thanks
>
> [1] https://support.google.com/accounts/answer/185833
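As an added illustration (not code from this thread and not a 389 DS plugin), the Python below models the decision a pre-bind check over the proposed tree would have to make: a bind against uid=semik,dc=neco is verified against userPassword, a bind against a dc=<id>,uid=semik,dc=neco child entry is verified against that child's own credential, and a revoked or unknown child is refused. It departs from the sketch in one security-relevant point: the child entries store {SSHA} hashes (the same salted-SHA-1 scheme 389 DS uses for userPassword) rather than a cleartext password attribute, so the directory never holds a directly usable secret. The Account and AppPassword classes, the bind(), issue() and revoke() functions, the in-memory directory and every sample password are constructed for the example and are not part of the original design.

```python
import base64
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# --- {SSHA} helpers: base64(sha1(password + salt) + salt), as stored by 389 DS ---

def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA} string for the given cleartext (random 8-byte salt by default)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password: str, stored: str) -> bool:
    """Constant-time check of a cleartext password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # a SHA-1 digest is 20 bytes; the rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

# --- In-memory model of the proposed tree (hypothetical; stands in for real LDAP entries) ---

@dataclass
class AppPassword:
    dc: str                 # RDN value of the child entry, e.g. "12345"
    label: str              # passwordLabel, e.g. "phone-email"
    password_hash: str      # stored hashed, never as cleartext
    revoked: bool = False

@dataclass
class Account:
    dn: str                                   # e.g. "uid=semik,dc=neco"
    user_password: str                        # {SSHA} hash of the primary password
    app_passwords: Dict[str, AppPassword] = field(default_factory=dict)

    def issue(self, label: str) -> str:
        """Create a new child credential; the cleartext is returned exactly once."""
        cleartext = secrets.token_urlsafe(12)
        # constructed numbering scheme: next integer above the existing dc values
        dc = str(max((int(k) for k in self.app_passwords), default=12344) + 1)
        self.app_passwords[dc] = AppPassword(dc, label, ssha_hash(cleartext))
        return cleartext

    def revoke(self, label: str) -> int:
        """Revoke every app password carrying this label; returns the number revoked."""
        n = 0
        for ap in self.app_passwords.values():
            if ap.label == label and not ap.revoked:
                ap.revoked = True
                n += 1
        return n

def bind(directory: Dict[str, Account], bind_dn: str, password: str) -> Optional[str]:
    """Emulate the pre-bind decision.

    Returns "primary" for the user's own entry, "app:<label>" for a child
    appPassword entry, or None when the bind must be refused.
    """
    if bind_dn in directory:
        acct = directory[bind_dn]
        return "primary" if ssha_verify(password, acct.user_password) else None
    # child entry: first RDN is dc=<id>, the remaining RDNs form the parent user DN
    parts = [p.strip() for p in bind_dn.split(",")]
    if len(parts) < 2 or not parts[0].startswith("dc="):
        return None
    acct = directory.get(",".join(parts[1:]))
    if acct is None:
        return None
    ap = acct.app_passwords.get(parts[0][len("dc="):])
    if ap is None or ap.revoked or not ssha_verify(password, ap.password_hash):
        return None
    return f"app:{ap.label}"

def build_sample_directory() -> Dict[str, Account]:
    """Constructed sample data mirroring the entries sketched in the thread."""
    acct = Account("uid=semik,dc=neco", ssha_hash("main-secret-constructed"))
    for dc, label, pw in [("12345", "phone-email", "some-generated-password1"),
                          ("12395", "tablet-email", "some-generated-password2"),
                          ("12399", "phone-calendar", "some-generated-password3")]:
        acct.app_passwords[dc] = AppPassword(dc, label, ssha_hash(pw))
    return {acct.dn: acct}

if __name__ == "__main__":
    d = build_sample_directory()
    print(bind(d, "uid=semik,dc=neco", "main-secret-constructed"))
    print(bind(d, "dc=12345,uid=semik,dc=neco", "some-generated-password1"))
    d["uid=semik,dc=neco"].revoke("phone-email")
    print(bind(d, "dc=12345,uid=semik,dc=neco", "some-generated-password1"))
```

Two properties of this model match the goals in the message: an app password is only accepted when the client binds as the child DN, so a high-trust application that binds the primary uid= entry can never be reached with a device credential, and revoking by label disables exactly one device without touching the primary password or the other children. The price is that each mail or calendar client has to be configured with its child DN rather than the user's main DN, and a real implementation would do this inside the server's bind path (a pre-bind plugin using the directory's own password-scheme code) instead of an in-memory table.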


