[Backport][ipa-4-11] ipa-pwd-extop: allow enforcing 2FA-only over LDAP bind #7266
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
When authentication indicators were introduced in 2016, ipa-pwd-extop plugin gained ability to reject LDAP BIND when an LDAP client insists the authentication must use an OTP token. This is used by ipa-otpd to ensure Kerberos authentication using OTP method is done with at least two factors (the token and the password). This enfrocement is only possible when an LDAP client sends the LDAP control. There are cases when LDAP clients cannot be configured to send a custom LDAP control during BIND operation. For these clients an LDAP BIND against an account that only has password and no valid token would succeed even if admins intend it to fail. Ability to do LDAP BIND without a token was added to allow users to add their own OTP tokens securely. If administrators require full enforcement over LDAP BIND, it is cannot be achieved with LDAP without sending the LDAP control to do so. Add IPA configuration string, EnforceLDAPOTP, to allow administrators to prevent LDAP BIND with a password only if user is required to have OTP tokens. With this configuration enabled, it will be not possible for users to add OTP token if one is missing, thus ensuring no user can authenticate without OTP and admins will have to add initial OTP tokens to users explicitly. Fixes: https://pagure.io/freeipa/issue/5169 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
In case there is a successful OTP authentication attempt, register it as an operation note on the BIND operation in LDAP. 389-ds then will print a multi-factor authentication note in both access and security logs according to https://www.port389.org/docs/389ds/design/mfa-operation-note-design.html Fixes: https://pagure.io/freeipa/issue/5169 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR was opened automatically because PR #7200 was pushed to master and backport to ipa-4-11 is required.