
Time-based one-time passwords (TOTP) with OpenLDAP


Two-factor authentication (2FA) is a technique for improving the security of online accounts by requiring two kinds of credentials: something you know, such as a password, and something you have, such as a device. One common way of implementing the second factor is time-based one-time passwords (TOTP): short numeric codes generated from the current time and a shared secret key. TOTP codes are usually displayed by an authenticator app on your smartphone or tablet, and each code expires after a short period of time. TOTP is an open standard defined in RFC 6238 and is supported by many applications and services.

In this article, we will install and configure OpenLDAP on Ubuntu 22.04 and enable TOTP for simple binds. This relies on the otp overlay (slapo-otp), which requires OpenLDAP 2.5 or later; the slapd package in Ubuntu 22.04 is 2.5.x.

NOTE: This guide is for educational purposes only and is NOT intended for use in production environments.



Install and configure OpenLDAP

Run the following command:

sudo apt install slapd ldap-utils

Enter a new password:

Admin password prompt

To reconfigure the default configuration, run:

sudo dpkg-reconfigure slapd

You will be asked whether to omit the OpenLDAP server configuration; select No.

Initial configuration

Enter your domain name:

Domain name

Enter your organization name:

Organization name

Provide the administrator password and then confirm it:

Admin password

For this guide, when you are prompted whether to remove the database when slapd is purged, select Yes:

Purge database

And finally, when asked whether to move the old database out of the way, select Yes:

Move old database

Open ldap.conf with a text editor:

sudo vim /etc/ldap/ldap.conf

Find and uncomment the following lines:

#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-provider.example.com:666

Edit these entries: replace BASE with the base DN derived from your domain name, and URI with the URI of your LDAP server:

BASE    dc=mydomain,dc=com
URI     ldap://ldap.mydomain.com

Save the changes and exit the editor. If the name does not resolve in DNS, you might need to edit the hosts file and add the FQDN of your LDAP server together with its IP address:

sudo vim /etc/hosts

192.168.1.1 ldap.mydomain.com



Creating user accounts

Create a file:

vim users-ou.ldif

Enter the following contents:

dn: ou=people,dc=mydomain,dc=com
objectClass: organizationalUnit
objectClass: top
ou: people

dn: ou=groups,dc=mydomain,dc=com
objectClass: organizationalUnit
objectClass: top
ou: groups

Save and close the file. Now run the following command:

ldapadd -x -D cn=admin,dc=mydomain,dc=com -W -f users-ou.ldif

and enter your administrator password. You should see output like this:

Adding OU

You can use the following command to verify:

ldapsearch -Q -LLL -Y EXTERNAL -H ldapi://

That should print something like this:

ldapsearch ou

Now create a password hash using the slappasswd command. Run the command, enter a password, then confirm it. You should get something like this:

slappasswd

Copy the hash. Now create another file:

vim user.ldif

Enter the following contents:

dn: uid=johndoe,ou=people,dc=mydomain,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
homeDirectory: /home/john
givenName: John
sn: Doe
cn: John Doe
uid: johndoe
displayName: John Doe
uidNumber: 8000
gidNumber: 8000
userPassword: {SSHA}eLp4NBSK1SV3VOFY3iUxI8P73vmOW/Lh

Replace {SSHA}eLp4NBSK1SV3VOFY3iUxI8P73vmOW/Lh with the hash you copied earlier. Run the following command to create the user account:

ldapadd -x -D cn=admin,dc=mydomain,dc=com -W -f user.ldif

Create another file:

vim group.ldif

Enter the contents below. Note that memberUid of a posixGroup holds the account's uid (johndoe), not its full DN:

dn: cn=appusers,ou=groups,dc=mydomain,dc=com
objectClass: posixGroup
objectClass: top
cn: appusers
gidNumber: 10000
memberUid: johndoe

Apply the changes to create the group:

ldapadd -x -D cn=admin,dc=mydomain,dc=com -W -f group.ldif

You can use ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:// to verify the changes, or use a graphical tool such as Apache Directory Studio to verify the changes and manage your LDAP server.

Apache Directory Studio



Configure TOTP

First, the otp module must be loaded. Create a file:

vim otpload.ldif

Enter the following contents:

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: otp.la

Apply the changes. The cn=config database is administered over the ldapi socket using SASL EXTERNAL (the root user's identity), so do not combine -Y EXTERNAL with -D and -W: ldapmodify rejects -W together with a SASL mechanism as conflicting authentication options.

sudo ldapmodify -Q -Y EXTERNAL -H ldapi:// -f otpload.ldif

The output should look like this:

otp load

Now the otp overlay must be added to the database. Create another file:

vim overlay.ldif

Enter the following contents:

dn: olcOverlay=otp,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
olcOverlay: otp

Run the following command (again with SASL EXTERNAL only, without -D and -W):

sudo ldapadd -Q -Y EXTERNAL -H ldapi:// -f overlay.ldif

To set the OTP parameters, create a file:

vim totp.ldif

And enter the following contents. The parameters are attached to the ou=people entry through the auxiliary oathTOTPParams object class: 6-digit codes, HMAC-SHA1 (OID 1.2.840.113549.2.7), a 30-second time step, and a window of 3 time steps to tolerate clock drift between the server and the user's device. Token entries will point at this entry to pick up these settings.

dn: ou=people,dc=mydomain,dc=com
changetype: modify
add: objectClass
objectClass: oathTOTPParams
-
add: oathOTPLength
oathOTPLength: 6
-
add: oathHMACAlgorithm
oathHMACAlgorithm: 1.2.840.113549.2.7
-
add: oathTOTPTimeStepPeriod
oathTOTPTimeStepPeriod: 30
-
add: oathTOTPTimeStepWindow
oathTOTPTimeStepWindow: 3

Run the command below to apply the configuration:

ldapmodify -x -D cn=admin,dc=mydomain,dc=com -W -f totp.ldif

To use TOTP, a user needs a secret key that is shared between the server and the user's authenticator app. On the server it is stored in the user's entry as the oathSecret attribute, so review your access controls before enrolling anyone: the default Ubuntu slapd configuration only protects userPassword and grants read access to every other attribute, so add an olcAccess rule that denies all access to oathSecret ahead of the default rule that grants everyone read access. The following command generates the key:

openssl rand 80 > key

To load the key into the directory, create a file:

vim token.ldif

Enter the contents below. The user entry is both the token (oathTOTPToken, holding the secret and referring to the parameters on ou=people) and the user (oathTOTPUser, referring to its own DN as the token). The file: URL is resolved relative to the directory you run ldapmodify from:

dn: uid=johndoe,ou=people,dc=mydomain,dc=com
changetype: modify
add: objectClass
objectClass: oathTOTPToken
-
add: oathTOTPParams
oathTOTPParams: ou=people,dc=mydomain,dc=com
-
add: oathSecret
oathSecret:< file:key
-
add: objectClass
objectClass: oathTOTPUser
-
add: oathTOTPToken
oathTOTPToken: uid=johndoe,ou=people,dc=mydomain,dc=com

The following command applies the changes:

ldapmodify -x -D cn=admin,dc=mydomain,dc=com -W -f token.ldif

You can use qrencode to generate a QR code for the authenticator app. First install it with the following command:

sudo apt install qrencode

Use the commands below to generate the QR code. Pass -w0 to base32 so that the 128-character encoded secret is not wrapped onto a second line, which would break the otpauth URI:

base32 -w0 key > bkey
echo -n "otpauth://totp/myorg:johndoe@mydomain.com?secret=$(<bkey)&issuer=myorg&interval=30&digits=6&algorithm=SHA1" | qrencode -t ansiutf8

QR

Now you can scan the QR code with an authenticator app such as Google Authenticator. Once the token is enrolled, delete the key and bkey files from the server; the copy in oathSecret is the only one that should remain.



How to authenticate?

Whenever you are asked for your password, enter your password followed by the code from the authenticator app. The otp overlay only acts on simple binds: it strips the trailing oathOTPLength digits from the bind password, verifies them against the token's TOTP parameters, and then checks the remainder against userPassword as usual. For example, if your password is abcdef and the code from the app is 123456, enter abcdef123456 as your password.
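The following script is added here as an example; it is not part of the original article. It does on the command line what the authenticator app does: it derives the current TOTP code from the raw key file (the same bytes stored in oathSecret), binds as the user with password and code concatenated, and then reads back the time step the overlay recorded for the token. The totp_code function is a plain RFC 6238 implementation on top of openssl dgst, so it also shows exactly what the server checks. It assumes the key file, server URI, user DN and OTP parameters from this guide; the function names, the od-based hex dump and the LDAP_URI/USER_DN variables are this example's own choices.

```bash
#!/usr/bin/env bash
# Added example (not from the original article). Computes an RFC 6238 TOTP
# code from the raw shared secret and binds to OpenLDAP with "<password><code>",
# the form the otp overlay expects in a simple bind.
#
# Assumptions (taken from the guide, adjust as needed): the secret is the file
# "key" written by "openssl rand 80 > key", the server is ldap://ldap.mydomain.com
# and the account is uid=johndoe,ou=people,dc=mydomain,dc=com.

LDAP_URI=${LDAP_URI:-ldap://ldap.mydomain.com}
USER_DN=${USER_DN:-uid=johndoe,ou=people,dc=mydomain,dc=com}

# Write the bytes described by a hex string to stdout (avoids depending on xxd).
hex_to_bin() {
    local hex=$1 rest byte
    while [ -n "$hex" ]; do
        rest=${hex#??}
        byte=${hex%"$rest"}
        # build an octal escape such as "\253" and let printf emit the raw byte
        printf "$(printf '\\%03o' "0x$byte")"
        hex=$rest
    done
}

# totp_code HEXKEY UNIXTIME [DIGITS=6] [STEP=30]
# RFC 6238: HOTP(K, floor(T / step)) with HMAC-SHA1 and dynamic truncation.
# The defaults match oathOTPLength=6, oathHMACAlgorithm=hmacWithSHA1 and
# oathTOTPTimeStepPeriod=30 from the guide.
totp_code() {
    local hexkey=$1 now=$2 digits=${3:-6} step=${4:-30}
    local counter mac lastnib offset chunk bin mod i
    counter=$(( now / step ))
    # HMAC-SHA1 over the 8-byte big-endian counter, keyed with the raw secret
    mac=$(hex_to_bin "$(printf '%016x' "$counter")" \
          | openssl dgst -sha1 -mac HMAC -macopt "hexkey:$hexkey")
    mac=${mac##* }                        # keep only the hex digest
    lastnib=${mac#"${mac%?}"}             # low nibble of the last byte
    offset=$(( 0x$lastnib & 15 ))
    # 4 bytes starting at offset, top bit cleared (dynamic truncation)
    chunk=$(printf '%s' "$mac" | cut -c "$((offset * 2 + 1))-$((offset * 2 + 8))")
    bin=$(( 0x$chunk & 0x7fffffff ))
    mod=1; i=0
    while [ "$i" -lt "$digits" ]; do mod=$((mod * 10)); i=$((i + 1)); done
    printf "%0${digits}d\n" $(( bin % mod ))
}

# bind_with_totp KEYFILE PASSWORD
# Binds as USER_DN with password+code, then (as root over ldapi) shows the
# last accepted time step the overlay stores on the token entry.
bind_with_totp() {
    local keyfile=$1 password=$2 hexkey code
    hexkey=$(od -An -tx1 -v "$keyfile" | tr -d ' \n')
    code=$(totp_code "$hexkey" "$(date +%s)")
    if ldapwhoami -x -H "$LDAP_URI" -D "$USER_DN" -w "${password}${code}"; then
        echo "bind OK with TOTP code $code"
    else
        echo "bind FAILED (wrong password, wrong code, or code already used this step)" >&2
        return 1
    fi
    # oathTOTPLastTimeStep advances on success, so the same code cannot be replayed
    sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:// -b "$USER_DN" oathTOTPLastTimeStep
}

# Usage: ./totp-bind.sh key 'abcdef'   (no arguments: only define the functions)
if [ "$#" -eq 2 ]; then
    bind_with_totp "$1" "$2"
fi
```

Running the script twice within the same 30-second step is a useful check: the second bind should fail even with the correct password, because the overlay has already recorded that time step for the token. If you change oathOTPLength or oathTOTPTimeStepPeriod on ou=people, pass the same values as the third and fourth arguments of totp_code.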
