OATH HOTP LDAP Plugin


Background

For some time, there have been different multi-factor authentication solutions around. One-time password (OTP) generators seem to be the most simple, accessible and efficient ones, most often implemented as a hardware token. Many of them conform to the HMAC-Based One-Time Password (HOTP) algorithm, an open standard developed by the Initiative for Open Authentication (OATH). In our practice, we have faced the problem of OTP enablement multiple times.

Problem

Our aim is to provide OATH HOTP authentication for selected applications and services. The minimal set consists of:

  • webmail stack (Dovecot, an open source IMAP and POP3 email server for Linux/UNIX-like systems written with security primarily in mind, plus RoundCube, a browser-based multilingual IMAP client with an application-like user interface);
  • virtual private network service (OpenVPN, an open source application that implements VPN techniques for secure point-to-point or site-to-site connections in routed or bridged configurations, as well as remote access);
  • enterprise applications on Java EE (Java Platform, Enterprise Edition, the community-driven standard for enterprise software);
  • Linux PAM (Pluggable Authentication Modules) stack, for workstation user authentication.

The solution has to be as universal as possible, so that it is easily applied to other common software. Token lifecycle management (registration, enrollment, synchronization, revocation) should be provided, with a modern and usable interface. The solution has to satisfy enterprise requirements such as security, scalability, availability and robustness. Finally, it should be based on open source software.

Solution

First of all, we had to choose an authentication mechanism that would be supported by all of the above services and applications. Further, that mechanism had to be extended with OATH HOTP support. Finally, a token management GUI had to be developed for that mechanism.

LDAP turned out to be a perfect match. LDAP is a hierarchical, tree-like database for storing enterprise data, together with a network protocol and a standard authentication mechanism. LDAP is supported by the widest range of enterprise client and server software. There exist several open-source LDAP implementations; the most notable are OpenLDAP (an open source implementation of the Lightweight Directory Access Protocol), 389 Directory Server (the enterprise-class open source LDAP server for Linux, developed in the framework of the Fedora project) and Apache Directory Server (ApacheDS, an extensible and embeddable directory server written entirely in Java). All of them are extensible, i.e. they allow their behavior (including authentication) to be modified and extended by writing modules. There also exists a standard API for extensions, called SLAPI, that is supported by OpenLDAP, 389 Directory Server and some commercial LDAP servers, including Red Hat Directory Server (an LDAP-compliant server that centralizes user identity and application information) and Oracle Directory Server Enterprise Edition (formerly Sun Directory Server Enterprise Edition, a directory server with proven large deployments in carrier and enterprise environments).

A SLAPI plugin is written in the C language. To implement a new authentication mechanism, the LDAP bind request is intercepted and processed by the plugin. Token and user data are stored in the same LDAP directory, using standard schemas for user data and a custom schema for token data. An LDAP extended operation (EXOP) is implemented to support token synchronization. For the token management GUI, we have chosen Java EE and HTML5. The GUI is implemented as a web application, which simplifies deployment: no software installation is required on client workstations. At the same time, HTML5 makes it possible to create rich, modern and highly usable GUIs.
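As an added illustration (not code from the plugin itself), the following Python models the checks a bind handler has to perform against a stored HOTP token record: RFC 4226 code generation, a bounded look-ahead window, counter advancement so that a used code can never be replayed, and a two-code resynchronization step of the kind a synchronization operation would perform. The token dictionary stands in for the LDAP token entry; the window and search sizes are assumed values, and the secret is the RFC 4226 reference key.

```python
import hashlib
import hmac
import struct

# RFC 4226 reference secret (ASCII "12345678901234567890"); used here as a test value.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) per RFC 4226: HMAC-SHA-1 over the 8-byte big-endian counter,
    dynamic truncation, then reduction modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_bind(token: dict, otp: str, window: int = 5) -> bool:
    """Model of the bind-time check. token = {"secret": bytes, "counter": int}
    stands in for the directory entry. A code is accepted only at
    counter..counter+window, and the counter is moved past the matched value,
    so the same code is rejected on a second attempt (replay)."""
    start = token["counter"]
    for c in range(start, start + window + 1):
        if hmac.compare_digest(hotp(token["secret"], c), otp):
            token["counter"] = c + 1
            return True
    return False


def resync(token: dict, otp1: str, otp2: str, search: int = 1000) -> bool:
    """Model of a token synchronization operation (assumed design): two
    consecutive codes from the token must match two consecutive counters
    within a larger search range; on success the counter jumps past them."""
    start = token["counter"]
    key = token["secret"]
    for c in range(start, start + search):
        if hotp(key, c) == otp1 and hotp(key, c + 1) == otp2:
            token["counter"] = c + 2
            return True
    return False


if __name__ == "__main__":
    t = {"secret": RFC4226_SECRET, "counter": 0}
    print(hotp(RFC4226_SECRET, 0))        # 755224, first RFC 4226 test vector
    print(verify_bind(t, "755224"))        # True, counter becomes 1
    print(verify_bind(t, "755224"))        # False, replay of a used code
    print(verify_bind(t, "338314"))        # True, counter 4 lies inside the window
    print(resync(t, "399871", "520489"))   # True, counters 8 and 9, counter becomes 10
```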

Distributed under GNU GPL, version 3.0.