TOTP OpenLDAP support
----------------------

slapd-totp.c provides support for RFC 6238 TOTP Time-based One
Time Passwords in OpenLDAP using SHA-1, SHA-256, and SHA-512.
For instance, one could have the LDAP attribute:

userPassword: {TOTP1}GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ

which encodes the key '12345678901234567890'.

It can also encode credentials consisting of a TOTP and a static
password. The format for this is:

userPassword: {TOTP1ANDPW}GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ|<some_other_passwd>

where <some_other_passwd> can be any scheme currently understood
by OpenLDAP. For example, using '{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ='
would encode the above TOTP with a static password of 'secret'. To
authenticate using this scheme, enter the static password immediately
followed by the TOTP, for example 'secret123456'.


Building
--------

1) Customize the LDAP_SRC variable in Makefile to point to the OpenLDAP
source root.

2) Run 'make' to produce slapd-totp.so

3) Copy slapd-totp.so somewhere permanent.

4) Edit your slapd.conf (e.g. /etc/ldap/slapd.conf), and add:

moduleload ...path/to/slapd-totp.so

5) This module replaces the function of the slapo-lastbind overlay. You
cannot use that overlay on the same database as this one.

6) Restart slapd.


Configuring
-----------

The {TOTP1}, {TOTP256}, {TOTP512}, {TOTP1ANDPW}, {TOTP256ANDPW},
and {TOTP512ANDPW} password schemes should now be recognised.

You can also tell OpenLDAP to use one of these new schemes when processing LDAP
Password Modify Extended Operations, thanks to the password-hash option in
slapd.conf. For example:

password-hash {TOTP1}

TOTP password schemes will only work on databases that have a rootdn and the
totp overlay configured:

database mdb
rootdn "..."
...

overlay totp


Testing
-------

The TOTP1 algorithm is compatible with Google Authenticator.
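The following is an added reference verifier for the stored formats described above; it is illustrative code written for this README, not the slapd-totp.c module itself. It assumes the Google Authenticator defaults the Testing note implies (30-second step, 6 digits), that a {TOTPxANDPW} login string is split by taking its trailing 6 characters as the TOTP, and it implements only the {SHA} static scheme used in the example; the key and hash values are the ones quoted above.

```python
import base64
import hashlib
import hmac
import struct

# Hash used by each scheme (from the README); the ANDPW variants add a static password.
SCHEMES = {"TOTP1": hashlib.sha1, "TOTP256": hashlib.sha256, "TOTP512": hashlib.sha512}
STEP, DIGITS = 30, 6  # assumption: Google Authenticator defaults


def totp(key: bytes, digest, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP over the counter floor(at / step), with dynamic truncation."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(key, counter, digest).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def parse_userpassword(value: str):
    """Split '{SCHEME}BASE32KEY' or '{SCHEMEANDPW}BASE32KEY|{OTHER}hash' into parts."""
    scheme, rest = value[1:].split("}", 1)
    static_part = None
    if scheme.endswith("ANDPW"):
        scheme = scheme[:-len("ANDPW")]
        rest, static_part = rest.split("|", 1)
    return scheme, base64.b32decode(rest), static_part


def check_static(stored: str, password: str) -> bool:
    """Only the {SHA} scheme from the README example is handled here (assumption)."""
    if stored.startswith("{SHA}"):
        digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
        return hmac.compare_digest(digest, stored[len("{SHA}"):])
    raise ValueError("unsupported static password scheme: " + stored)


def verify(value: str, supplied: str, at: int) -> bool:
    """Check a login string (e.g. 'secret123456' for ANDPW) against the stored value."""
    scheme, key, static_part = parse_userpassword(value)
    expected = totp(key, SCHEMES[scheme], at)
    if static_part is None:
        return hmac.compare_digest(supplied, expected)
    # assumption: the static password is everything before the trailing DIGITS chars
    static_pw, code = supplied[:-DIGITS], supplied[-DIGITS:]
    # '&' rather than 'and' so both checks always run (no early exit on the static part)
    return check_static(static_part, static_pw) & hmac.compare_digest(code, expected)
```

With the README's key, the RFC 6238 SHA-1 test vector at Unix time 59 yields code 287082, so 'secret287082' verifies against the {TOTP1ANDPW} example at that instant.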
71 72--- 73 74This work is part of OpenLDAP Software <http://www.openldap.org/>. 75 76Copyright 2015-2021 The OpenLDAP Foundation. 77Portions Copyright 2015 by Howard Chu, Symas Corp. 78All rights reserved. 79 80Redistribution and use in source and binary forms, with or without 81modification, are permitted only as authorized by the OpenLDAP 82Public License. 83 84A copy of this license is available in the file LICENSE in the 85top-level directory of the distribution or, alternatively, at 86<http://www.OpenLDAP.org/license.html>. 87 88