
Password-attached OTP for LDAP auth: possible w/ NMAS?


Hi there,

I need an LDAP server capable of authenticating users by password-attached
OTP using the OATH HOTP algorithm ('HOTP - Wikipedia, the free encyclopedia'
(http://en.wikipedia.org/wiki/HOTP)) as described in 'RFC 4226 - HOTP:
An HMAC-Based One-Time Password Algorithm'
(http://tools.ietf.org/html/rfc4226). The solution must be implemented
directly in the directory server to eliminate the need to have an
additional cluster of OTP servers, because in fact there are no reasons
to have a separate OTP server, there are only reasons not to have it (it
makes the whole solution too complicated and brings unacceptable
additional risks because the OTP cluster needs to separately solve many
tasks that are already solved in the directory cluster, e.g. replication
and HA).

The idea seems quite simple to implement; the only change needed to do
this is to extend the password-checking logic to split the received
password with attached OTP of fixed length into the password and the OTP
and check each of these separately.

The best solution would most probably be to have the built-in NMAS
password-checking method (0x7) support password-attached OTP (all that's
needed to do this is to have two additional per-user attributes
containing the shared secret and sequence counter, a few other
container-level attributes for common settings (OTP length, look-ahead
synchronization window size), and a little code that will split the OTP
from the password, check it and update the counter on success).
Unfortunately there seems to be no support for this in current versions
of eDirectory and there's no indication that this support is to be added
in future versions.

I've investigated the possibility of adding password-attached OTP
support to eDirectory using NMAS, but so far it seems to be impossible,
because the LDAP auth seems to be an NMAS client supporting only NMAS
methods 0x7 (the NMAS method to check a password, called NDS for some
reason) and 0x0 (unable to find out what that is), while there's no way
to make an LSM supporting these methods: an LSM with method ID 0x0
cannot be installed, while an LSM providing method ID 0x7 seems to
override everything but the method's code (installing such an LSM can
change the method description, vendor, grade and other properties, but the
original code, LSM00000007 from libnmas.so, is still in use; the LSM's
LSM00000007 is never called). Overriding the default password-checking
method also seems to be quite a bad idea considering that one would
either have to reimplement all its undocumented features (password
expiration, intruder detection) or replace them with a much simpler
password-checking implementation.

Is there some way to make the LDAP NMAS client support other methods
than 0x7?

And if the answer is yes, is it possible to call other login methods
from a module-provided login method (e.g. routing LDAP auth to method
LSM0000000x which will just check the OTP, store the password
without OTP using MAF_PutAttribute(mh, NMAS_AID_PASSWORD, ...) and then
call the original LSM00000007 to check the password)?

Or if the answer is no, is there some other way to make eDirectory
support OATH HOTP for LDAP authentication without the need to have a
separate OTP server?


--
vblaha
------------------------------------------------------------------------
vblaha's Profile: http://forums.novell.com/member.php?userid=69207
View this thread: http://forums.novell.com/showthread.php?t=403674


Re: Password-attached OTP for LDAP auth: possible w/ NMAS?

I think it is possible, but I have not done it.

Some resources you might check:
Developing an NMAS Method
http://www.novell.com/coolsolutions/feature/16005.html

NMAS SDK
http://developer.novell.com/wiki/index.php/Novell_Modular_Authentication_Service

NMAS DOCs
http://developer.novell.com/documentation/nmas/index.html


-jim

On 3/4/2010 6:56 AM, vblaha wrote:
>
> Hi there,
>
> I need an LDAP server capable of authenticating users by password-attached
> OTP using the OATH HOTP algorithm ('HOTP - Wikipedia, the free encyclopedia'
> (http://en.wikipedia.org/wiki/HOTP)) as described in 'RFC 4226 - HOTP:
> An HMAC-Based One-Time Password Algorithm'
> (http://tools.ietf.org/html/rfc4226). The solution must be implemented
> directly in the directory server to eliminate the need to have an
> additional cluster of OTP servers, because in fact there are no reasons
> to have a separate OTP server, there are only reasons not to have it (it
> makes the whole solution too complicated and brings unacceptable
> additional risks because the OTP cluster needs to separately solve many
> tasks that are already solved in the directory cluster, e.g. replication
> and HA).
>
> The idea seems quite simple to implement; the only change needed to do
> this is to extend the password-checking logic to split the received
> password with attached OTP of fixed length into the password and the OTP
> and check each of these separately.
>
> The best solution would most probably be to have the built-in NMAS
> password-checking method (0x7) support password-attached OTP (all that's
> needed to do this is to have two additional per-user attributes
> containing the shared secret and sequence counter, a few other
> container-level attributes for common settings (OTP length, look-ahead
> synchronization window size), and a little code that will split the OTP
> from the password, check it and update the counter on success).
> Unfortunately there seems to be no support for this in current versions
> of eDirectory and there's no indication that this support is to be added
> in future versions.
>
> I've investigated the possibility of adding password-attached OTP
> support to eDirectory using NMAS, but so far it seems to be impossible,
> because the LDAP auth seems to be an NMAS client supporting only NMAS
> methods 0x7 (the NMAS method to check a password, called NDS for some
> reason) and 0x0 (unable to find out what that is), while there's no way
> to make an LSM supporting these methods: an LSM with method ID 0x0
> cannot be installed, while an LSM providing method ID 0x7 seems to
> override everything but the method's code (installing such an LSM can
> change the method description, vendor, grade and other properties, but the
> original code, LSM00000007 from libnmas.so, is still in use; the LSM's
> LSM00000007 is never called). Overriding the default password-checking
> method also seems to be quite a bad idea considering that one would
> either have to reimplement all its undocumented features (password
> expiration, intruder detection) or replace them with a much simpler
> password-checking implementation.
>
> Is there some way to make the LDAP NMAS client support other methods
> than 0x7?
>
> And if the answer is yes, is it possible to call other login methods
> from a module-provided login method (e.g. routing LDAP auth to method
> LSM0000000x which will just check the OTP, store the password
> without OTP using MAF_PutAttribute(mh, NMAS_AID_PASSWORD, ...) and then
> call the original LSM00000007 to check the password)?
>
> Or if the answer is no, is there some other way to make eDirectory
> support OATH HOTP for LDAP authentication without the need to have a
> separate OTP server?
>
>


Re: Password-attached OTP for LDAP auth: possible w/ NMAS?


Thanks for the links, I've already read them all but they don't give me an
answer. I've also found a lot of maybe even more useful & up-to-date
documents at 'ldapwiki: Main' (http://ldapwiki.willeke.com/);
unfortunately that's still not enough.

The problem is that the LDAP authentication looks like an NMAS LCM
supporting only methods 0x7 and 0x0 (in ndstrace terms: "Client can do:
0x7 0x0"), which means that eDirectory won't allow it to talk to an LSM
providing a different method.

I've already used the SDK to build my own test LSM which is basically a
stripped-down version of lsmcpwd which does only MAF_Begin, MAF_End and
reports success (so that the login should succeed regardless of the
password given because it is not checked at all).

However, it seems impossible to make LDAP authentication talk to my
LSM: if I build my LSM so that it provides LSM00000000 and try to
install it with methodID = 0, nmasinst just fails; it seems that it is
not possible to install a method with zero ID.

If I build my LSM to provide LSM00000007 with methodID = 7, I can
install it, but the code is never used as described above. And even if
it were used, there would be at least two more problems:

1) I would lose the original NMAS NDS method functionality for the
entire tree, having to do all password checking stuff in my replacement
method.

2) I quite doubt that Novell would ever sign such a method to be used in
non-debug mode.

So there seems to be just a few solutions for the problem:

a) Make eDirectory's LCM-like component of LDAP authentication support
more login methods so that it could authenticate to a method provided by
an LSM (right now it handles only methods 0 and 7 which AFAIK can't be
supplied by an NMAS LSM).

b) Wait until eDirectory comes with built-in support for OATH HOTP
attached to password.

c) Replace eDirectory with OpenLDAP and add the HOTP support there.

I would personally prefer a) as we may not have enough time for b) and
there are also some reasons against c).

Any ideas?

Jim Willeke;1941696 Wrote:
> I think it is possible, but I have not done it.
>
> Some resources you might check:
> Developing an NMAS Method
> 'Cool Solutions: Developing an NMAS Method'
> (http://www.novell.com/coolsolutions/feature/16005.html)
>
> NMAS SDK
> 'Novell Modular Authentication Service - Developer Community'
> (http://developer.novell.com/wiki/index.php/Novell_Modular_Authentication_Service)
>
> NMAS DOCs
> 'Novell Documentation'
> (http://developer.novell.com/documentation/nmas/index.html)
>
>
> -jim
>
>



--
vblaha


Re: Password-attached OTP for LDAP auth: possible w/ NMAS?

Glad to know "my" wiki was helpful. 😉

I am anxious to see what you can work out.

Perhaps we should move this to the NMAS forum.
Although AB is usually around here too.

Maybe he can get some NMAS engineers to comment?

Thanks
-jim

On 3/4/2010 9:56 AM, vblaha wrote:
>
> Thanks for the links, I've already read them all but they don't give me an
> answer. I've also found a lot of maybe even more useful & up-to-date
> documents at 'ldapwiki: Main' (http://ldapwiki.willeke.com/);
> unfortunately that's still not enough.
>
> The problem is that the LDAP authentication looks like an NMAS LCM
> supporting only methods 0x7 and 0x0 (in ndstrace terms: "Client can do:
> 0x7 0x0"), which means that eDirectory won't allow it to talk to an LSM
> providing a different method.
>
> I've already used the SDK to build my own test LSM which is basically a
> stripped-down version of lsmcpwd which does only MAF_Begin, MAF_End and
> reports success (so that the login should succeed regardless of the
> password given because it is not checked at all).
>
> However, it seems impossible to make LDAP authentication talk to my
> LSM: if I build my LSM so that it provides LSM00000000 and try to
> install it with methodID = 0, nmasinst just fails; it seems that it is
> not possible to install a method with zero ID.
>
> If I build my LSM to provide LSM00000007 with methodID = 7, I can
> install it, but the code is never used as described above. And even if
> it were used, there would be at least two more problems:
>
> 1) I would lose the original NMAS NDS method functionality for the
> entire tree, having to do all password checking stuff in my replacement
> method.
>
> 2) I quite doubt that Novell would ever sign such a method to be used in
> non-debug mode.
>
> So there seems to be just a few solutions for the problem:
>
> a) Make eDirectory's LCM-like component of LDAP authentication support
> more login methods so that it could authenticate to a method provided by
> an LSM (right now it handles only methods 0 and 7 which AFAIK can't be
> supplied by an NMAS LSM).
>
> b) Wait until eDirectory comes with built-in support for OATH HOTP
> attached to password.
>
> c) Replace eDirectory with OpenLDAP and add the HOTP support there.
>
> I would personally prefer a) as we may not have enough time for b) and
> there are also some reasons against c).
>
> Any ideas?
>
> Jim Willeke;1941696 Wrote:
>> I think it is possible, but I have not done it.
>>
>> Some resources you might check:
>> Developing an NMAS Method
>> 'Cool Solutions: Developing an NMAS Method'
>> (http://www.novell.com/coolsolutions/feature/16005.html)
>>
>> NMAS SDK
>> 'Novell Modular Authentication Service - Developer Community'
>> (http://developer.novell.com/wiki/index.php/Novell_Modular_Authentication_Service)
>>
>> NMAS DOCs
>> 'Novell Documentation'
>> (http://developer.novell.com/documentation/nmas/index.html)
>>
>>
>> -jim
>>
>>


Re: Password-attached OTP for LDAP auth: possible w/ NMAS?


So far it seems no NMAS engineers around here... Where can I find the
NMAS forum you mentioned? I don't see DEV: NMAS, but if there's a better
place for this discussion, I definitely agree with moving the discussion
there.

Jim Willeke;1941864 Wrote:
> Glad to know "my" wiki was helpful. 😉
>
> I am anxious to see what you can work out.
>
> Perhaps we should move this to the NMAS forum.
> Although AB is usually around here too.
>
> Maybe he can get some NMAS engineers to comment?
>
> Thanks
> -jim



--
vblaha


Re: Password-attached OTP for LDAP auth: possible w/ NMAS?

novell.support.modular-authentication-services

-jim

On 3/10/2010 5:36 AM, vblaha wrote:
>
> So far it seems no NMAS engineers around here... Where can I find the
> NMAS forum you mentioned? I don't see DEV: NMAS, but if there's a better
> place for this discussion, I definitely agree with moving the discussion
> there.
>
> Jim Willeke;1941864 Wrote:
>> Glad to know "my" wiki was helpful. 😉
>>
>> I am anxious to see what you can work out.
>>
>> Perhaps we should move this to the NMAS forum.
>> Although AB is usually around here too.
>>
>> Maybe he can get some NMAS engineers to comment?
>>
>> Thanks
>> -jim


Re: Password-attached OTP for LDAP auth: possible w/ NMAS?


Happy (& even proud) to report that this problem has been solved by
NMAS 3.3.3, which brings HOTP support into eDirectory:

http://www.novell.com/documentation/nmas33/pdfdoc/admin/admin.pdf
http://forums.novell.com/non-support/whats-new/product-patches/427652-5084670-novell-modular-authentication-service-nmas-3-3-3-a.html

Thanks Novell!

Jim Willeke;1945285 Wrote:
> novell.support.modular-authentication-services
>
> -jim
>
> On 3/10/2010 5:36 AM, vblaha wrote:
> >
> > So far it seems no NMAS engineers around here... Where can I find the
> > NMAS forum you mentioned? I don't see DEV: NMAS, but if there's a
> > better place for this discussion, I definitely agree with moving the
> > discussion there.
> >
> > Jim Willeke;1941864 Wrote:
> >> Glad to know "my" wiki was helpful. 😉
> >>
> >> I am anxious to see what you can work out.
> >>
> >> Perhaps we should move this to the NMAS forum.
> >> Although AB is usually around here too.
> >>
> >> Maybe he can get some NMAS engineers to comment?
> >>
> >> Thanks
> >> -jim



--
vblaha
