Directory listing:

Name          Date         Size      #Lines  LOC
..            03-May-2022
Makefile      03-May-2022  1.3 KiB   59      42
README        25-Oct-2021  2.3 KiB   88      54
slapd-totp.c  25-Oct-2021  23.6 KiB  1,001   791
slapo-totp.5  25-Oct-2021  4.3 KiB   110     90

README

TOTP OpenLDAP support
----------------------

slapd-totp.c provides support for RFC 6238 TOTP Time-based One
Time Passwords in OpenLDAP using SHA-1, SHA-256, and SHA-512.
For instance, one could have the LDAP attribute:

userPassword: {TOTP1}GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ

which encodes the key '12345678901234567890'.

It can also encode credentials consisting of a TOTP and a static
password.  The format for this is:

userPassword: {TOTP1ANDPW}GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ|<some_other_passwd>

where <some_other_passwd> can be any scheme currently understood
by OpenLDAP.  For example, using '{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ='
would encode the above TOTP with a static password of 'secret'.  To
authenticate using this scheme, enter the static password immediately
followed by the TOTP, for example 'secret123456'.
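As an added example (not the module's own code), the following Python checker parses the {TOTPn} and {TOTPnANDPW} attribute formats described above and verifies a credential entered as static password followed by TOTP. It assumes the Google Authenticator defaults of a 30-second step and 6 digits, which the README does not state, a one-step skew window, and handles only the {SHA} static scheme; the test values come from the RFC 6238 / RFC 4226 SHA-1 vectors for the key '12345678901234567890'.

```python
import base64, hashlib, hmac, struct

# Assumed here, not stated in the README: the Google Authenticator defaults of a
# 30-second step and 6 digits; the hash is the one named by the scheme suffix.
STEP_SECONDS = 30
DIGITS = 6
HASHES = {"1": hashlib.sha1, "256": hashlib.sha256, "512": hashlib.sha512}

def totp(key: bytes, unix_time: int, digest=hashlib.sha1) -> str:
    """RFC 6238: HOTP over the time-step counter with dynamic truncation."""
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    mac = hmac.new(key, counter, digest).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def parse_user_password(value: str):
    """Split {TOTPn}key or {TOTPnANDPW}key|<static> into (hash, key, static)."""
    scheme, rest = value[1:].split("}", 1)
    with_pw = scheme.endswith("ANDPW")
    suffix = scheme[4:-5] if with_pw else scheme[4:]
    if not scheme.startswith("TOTP") or suffix not in HASHES:
        raise ValueError("unsupported scheme " + scheme)
    key_b32, static_hash = rest.split("|", 1) if with_pw else (rest, None)
    key = base64.b32decode(key_b32 + "=" * (-len(key_b32) % 8))
    return HASHES[suffix], key, static_hash

def check_static(stored: str, password: str) -> bool:
    """Only the {SHA} scheme (base64 of SHA-1) is handled in this example."""
    if not stored.startswith("{SHA}"):
        raise ValueError("only {SHA} is implemented here")
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return hmac.compare_digest(digest, stored[5:])

def verify(stored: str, entered: str, unix_time: int) -> bool:
    """Entered credential: the static password immediately followed by the TOTP."""
    digest, key, static_hash = parse_user_password(stored)
    if len(entered) < DIGITS:
        return False
    static_part, code = entered[:-DIGITS], entered[-DIGITS:]
    # Tolerate one step of clock skew either way (an assumption, not the module's rule).
    codes = [totp(key, unix_time + d * STEP_SECONDS, digest) for d in (-1, 0, 1)]
    code_ok = any(hmac.compare_digest(code, c) for c in codes)
    if static_hash is None:
        return code_ok and static_part == ""
    return code_ok and check_static(static_hash, static_part)
```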


Building
--------

1) Customize the LDAP_SRC variable in Makefile to point to the OpenLDAP
source root.

2) Run 'make' to produce slapd-totp.so

3) Copy slapd-totp.so somewhere permanent.

4) Edit your slapd.conf (e.g. /etc/ldap/slapd.conf), and add:

moduleload ...path/to/slapd-totp.so

5) This module replaces the function of the slapo-lastbind overlay. You
cannot use that overlay on the same database as this one.

6) Restart slapd.


Configuring
-----------

The {TOTP1}, {TOTP256}, {TOTP512}, {TOTP1ANDPW}, {TOTP256ANDPW},
and {TOTP512ANDPW} password schemes should now be recognised.

You can also tell OpenLDAP to use one of these new schemes when processing LDAP
Password Modify Extended Operations, thanks to the password-hash option in
slapd.conf. For example:

password-hash	{TOTP1}

TOTP password schemes will only work on databases that have a rootdn and the
totp overlay configured:

database mdb
rootdn "..."
...

overlay totp


Testing
-------

The TOTP1 algorithm is compatible with Google Authenticator.

---

This work is part of OpenLDAP Software <http://www.openldap.org/>.

Copyright 2015-2021 The OpenLDAP Foundation.
Portions Copyright 2015 by Howard Chu, Symas Corp.
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted only as authorized by the OpenLDAP
Public License.

A copy of this license is available in the file LICENSE in the
top-level directory of the distribution or, alternatively, at
<http://www.OpenLDAP.org/license.html>.