[Freeipa-devel] [REVIEW] Intial stab towards Authentication Indicators

Fri Feb 26 15:24:09 UTC 2016

On Fri, 2016-02-26 at 10:12 -0500, Simo Sorce wrote:
> On Fri, 2016-02-26 at 09:30 -0500, Nathaniel McCallum wrote:
> > 
> > On Thu, 2016-02-25 at 16:51 -0500, Simo Sorce wrote:
> > > Questions:
> > > - Should the control specify what kind of auth specifically
> > > should be
> > > required ?
> > I had also wondered that. I'm certainly not against it. But I'd
> > probably prefer a simple utf8 string value to avoid parsing
> > complexity.
> > 
> > > 
> > > - Will it make sense in future to have different strength otp-
> > > like
> > > second factors and have ipa-otpd be able to specify which one it
> > > is
> > > expecting to be validated ?
> > I'm personally hoping that we can deprecate ipa-otpd after SPAKE
> > lands.
> > Post-SPAKE validations will require a method for validating OTP-
> > only
> > (excluding password). This will probably be an extop. The same will
> > be
> > true for all new second factors.
> Why an extop ? I was thinking you'd do a bind with this same control
> with a string that specifies you want to check only the second
> factor.
> (The result of the bind will be positive but you won't be logged in
> as
> the user the connection will still be marked anonymous.)

How can you do this anonymously? You need to know which tokens to
validate. This requires a user dn. Besides, I would think we also want
to be bound *before* performing this operation. Otherwise, we could
allow brute force tries on the 2nd factor.

I was thinking:
1. Bind as the entity validating the 2nd factor.
2. Extop which takes the:
   * user dn
   * type of 2nd factor
   * validation data
   * dn of 2nd factor (optional)

This provides an audit trail of who is validating 2nd factors.

> > I'm thus not sure if we'll ever add more second factors to the
> > existing
> > simple bind mechanism.
> LDAP binds still need to test both factors if they are required ...

We would grandfather OTP. But all new 2FA would require GSSAPI (using
AIs) to use LDAP.

> > > - Even if ipa-otpd will not grow such a feature, I see this
> > > control
> > > could be useful for pure LDAP auth clients, so perhaps a
> > > different
> > > kind
> > > of client may want to set this control ? Perhaps one day we can
> > > have
> > > a
> > > way to do GSSAPI auth and check that the AI on the ldap ticket
> > > was a
> > > 2FA
> > > and then DS will refuse login if the otp AI was missing on the
> > > ticket
> > > it
> > > received and the control requires it ? (could be used for the IPA
> > > UI
> > > connection to LDAP maybe ?)
> > That seems to me like a decision LDAP can make internally. No?
> Not if the user has optional 2FA and you want to enforce the second
> factor only for certain operations from the framework (like say
> changing
> passwords or other more privileged operations).

Why can't we just use GSSAPI with AIs?