SLAPO_OTP(5)                  File Formats Manual                 SLAPO_OTP(5)


NAME

       slapo-otp - OATH One-Time Password module


SYNOPSIS

       moduleload otp.la


DESCRIPTION

       The otp module allows time-based one-time password, AKA "authenticator-
       style", and HMAC-based one-time password authentication to be used in
       conjunction with a standard LDAP password for two-factor authentication.

       With this module, users authenticate by entering their LDAP password
       immediately followed by the one-time password in the password prompt.

       The password needed for a user to authenticate is calculated based on a
       counter (the current time in the case of TOTP) and a key that is
       referenced in the user's LDAP entry. Since the password is based on the
       time or number of uses, it changes periodically. Once used, it cannot be
       used again, so keyloggers and shoulder-surfers are thwarted. A mobile
       phone application, such as the Google Authenticator or YubiKey (a
       prover), can be used to calculate the user's current one-time password,
       which is expressed as a (usually six-digit) number.

       Alternatively, the value can be calculated by some other application
       with access to the user's key and delivered to the user through SMS or
       some other channel. When prompted to authenticate, the user merely
       appends the code provided by the prover to the end of their password.

       This implementation complies with RFC 4226 HOTP HMAC-Based One Time
       Passwords and RFC 6238 TOTP Time-based One Time Passwords and includes
       support for the SHA-1, SHA-256, and SHA-512 HMAC algorithms.

       The HMAC key used in the OTP computation is stored in the oathOTPToken
       entry referenced in the user's LDAP entry, and the parameters are stored
       in the oathOTPParams LDAP entry referenced in the token.


CONFIGURATION

       Once the module is configured on the database, it will intercept LDAP
       simple binds for users whose LDAP entry has any of the oathOTPUser-
       derived objectclasses attached to it. The attributes linking the user
       and the shared secret are:

              oathTOTPToken: <dn>
                     Mandatory for oathTOTPUser, indicates that the named entry
                     is designated to hold the time-based one-time password
                     shared secret and the last password used.

              oathHOTPToken: <dn>
                     Mandatory for oathHOTPUser, indicates that the named entry
                     is designated to hold the one-time password shared secret
                     and the last password used.

              oathTOTPParams: <dn>
                     Mandatory for oathTOTPToken, indicates that the named
                     entry is designated to hold the parameters used to
                     generate the time-based one-time password from the shared
                     secret: its length and the algorithm to use, as well as
                     the length of each time step and the grace period.

              oathHOTPParams: <dn>
                     Mandatory for oathHOTPToken, indicates that the named
                     entry is designated to hold the parameters used to
                     generate the one-time password from the shared secret: its
                     length and the algorithm to use, as well as the permitted
                     number of passwords to skip.

       The following parts of the OATH-LDAP schema are implemented.

       General attributes:

              oathSecret: <data>
                     The shared secret is stored here as raw bytes.

              oathOTPLength: <length>
                     The password length, usually 6.

              oathHMACAlgorithm: <OID>
                     The OID of the hash algorithm to use as defined in RFC
                     8018. Supported algorithms include SHA1, SHA224, SHA256,
                     SHA384 and SHA512.

       The HOTP attributes:

              oathHOTPLookAhead: <number>
                     The number of successive HOTP tokens that can be skipped.

              oathHOTPCounter: <number>
                     The order of the last HOTP token successfully redeemed by
                     the user.

       The TOTP attributes:

              oathTOTPTimeStepPeriod: <seconds>
                     The length of the time-step period for TOTP calculation.

              oathTOTPLastTimeStep: <number>
                     The order of the last TOTP token successfully redeemed by
                     the user.

              oathTOTPTimeStepWindow: <number>
                     The number of time periods around the current time to try
                     when checking the password provided by the user.

              oathTOTPTimeStepDrift: <number>
                     If the client didn't provide the token for the current
                     time step but the token still fit within the
                     oathTOTPTimeStepWindow above, this attribute records the
                     current offset, to allow for slow clock drift of the
                     client device.

SEE ALSO

       slapd-config(5).


ACKNOWLEDGEMENT

       This work was developed by Ondřej Kuzník and Howard Chu of Symas
       Corporation for inclusion in OpenLDAP Software.

       This work reuses the OATH-LDAP schema developed by Michael Ströder.


SLAPO-OTP                          2018/6/29                      SLAPO_OTP(5)