.TH SLAPO_OTP 5 "2018/6/29" "SLAPO-OTP"
.\" Copyright 2015-2024 The OpenLDAP Foundation.
.\" Portions Copyright 2015 by Howard Chu, Symas Corp. All rights reserved.
.\" Portions Copyright 2018 by Ondřej Kuzník, Symas Corp. All rights reserved.
.\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
.SH NAME
slapo-otp \- OATH One-Time Password module
.SH SYNOPSIS
.B moduleload
.I otp.la
.SH DESCRIPTION
The
.B otp
module allows time-based one-time password, AKA "authenticator-style", and
HMAC-based one-time password authentication to be used in conjunction with
a standard LDAP password for two-factor authentication.

With this module, users authenticate by entering their password followed by
the one-time password in the password prompt.

The password needed for a user to authenticate is calculated based on a counter
(the current time in the case of TOTP) and a key that is referenced in the user's
LDAP entry. Since the password is based on the time or the number of uses, it
changes periodically. Once used, it cannot be used again, so keyloggers and
shoulder-surfers are thwarted. A mobile phone application such as Google
Authenticator, or a hardware token such as a YubiKey (a
.BR prover ),
can be used to calculate the user's current one-time password, which is
expressed as a (usually six-digit) number.

Alternatively, the value can be calculated by some other application with
access to the user's key and delivered to the user through SMS or some other
channel. When prompted to authenticate, the user merely appends the code
provided by the prover to the end of their password.

This implementation complies with
.B RFC 4226 HOTP HMAC-Based One Time Passwords
and
.B RFC 6238 TOTP Time-based One Time Passwords
and includes support for the SHA-1, SHA-256, and SHA-512 HMAC
algorithms.

The HMAC key used in the OTP computation is stored in the oathOTPToken entry
referenced in the user's LDAP entry, and the parameters are stored in the
oathOTPParams LDAP entry referenced in the token.

.SH CONFIGURATION
Once the module is configured on the database, it will intercept LDAP simple
binds for users whose LDAP entry has any of the
.B oathOTPUser
derived objectclasses attached to it. The attributes linking the user and the
shared secret are:

.RS
.TP
.B oathTOTPToken: <dn>
Mandatory for
.BR oathTOTPUser ,
indicates that the named entry is designated to hold the time-based one-time
password shared secret and the last password used.
.TP
.B oathHOTPToken: <dn>
Mandatory for
.BR oathHOTPUser ,
indicates that the named entry is designated to hold the one-time password
shared secret and the last password used.
.TP
.B oathTOTPParams: <dn>
Mandatory for
.BR oathTOTPToken ,
indicates that the named entry is designated to hold the parameters used to
generate the time-based one-time password from the shared secret: its length
and the algorithm to use, as well as the length of each time step and the
grace period.
.TP
.B oathHOTPParams: <dn>
Mandatory for
.BR oathHOTPToken ,
indicates that the named entry is designated to hold the parameters used to
generate the one-time password from the shared secret: its length and the
algorithm to use, as well as the permitted number of passwords to skip.
.RE

The following parts of the OATH-LDAP schema are implemented.

General attributes:

.RS
.TP
.B oathSecret: <data>
The shared secret is stored here as raw bytes.
.TP
.B oathOTPLength: <length>
The password length, usually 6.
.TP
.B oathHMACAlgorithm: <OID>
The OID of the hash algorithm to use as defined in RFC 8018.
Supported algorithms include SHA1, SHA224, SHA256, SHA384 and SHA512.
.RE

The HOTP attributes:

.RS
.TP
.B oathHOTPLookAhead: <number>
The number of successive HOTP tokens that can be skipped.
.TP
.B oathHOTPCounter: <number>
The order of the last HOTP token successfully redeemed by the user.
.RE

The TOTP attributes:

.RS
.TP
.B oathTOTPTimeStepPeriod: <seconds>
The length of the time-step period for TOTP calculation.
.TP
.B oathTOTPLastTimeStep: <number>
The order of the last TOTP token successfully redeemed by the user.
.TP
.B oathTOTPTimeStepWindow: <number>
The number of time periods around the current time to try when checking the
password provided by the user.
.TP
.B oathTOTPTimeStepDrift: <number>
If the token the client provided did not match the current time step but still
fell within the oathTOTPTimeStepWindow above, this attribute records the offset
that matched, to allow for slow clock drift of the client device.
.RE
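As an added example (not code from the OpenLDAP module or this manual page), the following Python models the RFC 4226 HOTP and RFC 6238 TOTP computation described above, and the way oathHOTPCounter/oathHOTPLookAhead and oathTOTPLastTimeStep/oathTOTPTimeStepWindow/oathTOTPTimeStepDrift constrain verification and block replay of an already redeemed token. The exact counting semantics of the look-ahead, window and drift are assumptions made here, not taken from the slapo-otp source; the key is the RFC test-vector secret, constructed for the example.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter replaced by the current time step."""
    return hotp(secret, now // step, digits, algo)


def verify_hotp(secret, token, last_counter, lookahead, digits=6, algo=hashlib.sha1):
    """Model of oathHOTPCounter / oathHOTPLookAhead (assumed semantics): accept the
    next counter or one of up to `lookahead` skipped ones, never an earlier one.
    Returns the new counter to store on success, None on failure."""
    for c in range(last_counter + 1, last_counter + 2 + lookahead):
        if hmac.compare_digest(hotp(secret, c, digits, algo), token):
            return c
    return None


def verify_totp(secret, token, now, step, window, last_step, drift, digits=6, algo=hashlib.sha1):
    """Model of oathTOTPTimeStepWindow / oathTOTPLastTimeStep / oathTOTPTimeStepDrift
    (assumed semantics): try `window` steps either side of the drift-corrected current
    step, refuse any step already redeemed (replay), and record the offset that matched.
    Returns (new_last_step, new_drift) on success, None on failure."""
    current = now // step + drift
    for delta in range(-window, window + 1):
        t = current + delta
        if t <= last_step:  # already used, or older than the last redeemed step
            continue
        if hmac.compare_digest(hotp(secret, t, digits, algo), token):
            return t, drift + delta
    return None


# Constructed sample input: the RFC 4226 / RFC 6238 test-vector key, not a real secret.
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(hotp(SECRET, 0), totp(SECRET, 59, digits=8))  # 755224 94287082
```

The verify functions return the updated counter, last time step and drift so the caller can write them back to the token entry, as the module does with oathHOTPCounter, oathTOTPLastTimeStep and oathTOTPTimeStepDrift.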

.SH "SEE ALSO"
.BR slapd\-config (5).

.SH ACKNOWLEDGEMENT
This work was developed by Ondřej Kuzník and Howard Chu of Symas Corporation
for inclusion in OpenLDAP Software.

This work reuses the OATH-LDAP schema developed by Michael Ströder.