rlm_yubikey OTP + LDAP

Peter Lambrechtsen peter at crypt.nz
Tue May 14 22:22:42 CEST 2019


It looks like you are trying to bind to ldap using the OTP password you
sent.

I suspect that isn't what you want to do unless your ldap backend supports
an OTP token as the bind password.

My guess is you want to bind as an Administrator user and then look up the
OTP shared secret attribute against the user and then allow the Yubikey OTP.

So in the authorize section you want to do a LDAP lookup based on the
username, then return the Yubikey value from ldap
into &control:Yubikey-Key. I have used jobCode in LDAP as it's an attribute
that isn't used.

Then in the authenticate section you call the Yubikey module and don't call
the ldap module.



On Wed, May 15, 2019 at 8:13 AM cbandara via Freeradius-Users <
freeradius-users at lists.freeradius.org> wrote:

> Hi, I am trying to implement a freeradius solution for a firewall. I can't
> find documentation on how to configure YubiKey OTP with ldap. I am getting
> some errors with my config.
> Trying to see if there is good documentation out there.
> Thanks
> rlm_ldap (ldap): Released connection (6)
> (0) files: users: Matched entry DEFAULT at line 13
> (0)     [files] = ok
> (0) yubikey:   &request:Yubikey-OTP := <<< secret >>>
> (0) yubikey:   &request:User-Password := <<< secret >>>
> (0)     [yubikey] = ok
> (0)     if (ok) {
> (0)     if (ok)  -> TRUE
> (0)     if (ok)  {
> (0)       update control {
> (0)         Auth-Type := yubikey
> (0)       } # update control = noop
> (0)     } # if (ok)  = noop
> (0)   } # authorize = ok
> (0) Found Auth-Type = yubikey
> (0) Found Auth-Type = yubikey
> (0) ERROR: Warning:  Found 2 auth-types on request for user 'chula'
> (0) # Executing group from file /etc/raddb/sites-enabled/default
> (0)   Auth-Type yubikey {
> (0)     [yubikey] = noop
> (0)     update request {
> (0)       User-Password := Yubikey-Public-ID -> 'cccccckirnie'
> (0)     } # update request = noop
> rlm_ldap (ldap): Reserved connection (5)
> (0) ldap: Login attempt by "chula"
> (0) ldap: Using user DN from request "cn=chula,ou=users,dc=xxxx,dc=yyyy"
> (0) ldap: Waiting for bind result...
> (0) ldap: ERROR: Bind credentials incorrect: Invalid credentials
> rlm_ldap (ldap): Released connection (5)
> (0)     [ldap] = reject
> (0)   } # Auth-Type yubikey = reject
> (0) Failed to authenticate the user
> (0) Using Post-Auth-Type Reject
> (0) Post-Auth-Type sub-section not found.  Ignoring.
> (0) # Executing group from file /etc/raddb/sites-enabled/default
>
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
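As an added example (not from the original thread, and not FreeRADIUS's shipped config), here is a FreeRADIUS 3.x configuration in the shape Peter describes: rlm_ldap binds with an administrative identity, the authorize section copies the user's jobCode attribute into &control:Yubikey-Key, and Auth-Type yubikey runs only the yubikey module, so the OTP is never used as an LDAP bind password. The server address, base DN, bind DN, password and the assumption that jobCode holds the 16-byte AES key as a 0x-prefixed hex string are placeholders.

```unlang
# mods-available/ldap (excerpt): bind as a service account, never as the user.
ldap {
    server   = 'ldap.example.com'                          # placeholder
    identity = 'cn=radius,ou=services,dc=example,dc=com'   # placeholder admin DN
    password = 'change-me'                                 # placeholder; keep this file 0600

    base_dn  = 'dc=example,dc=com'                         # placeholder

    user {
        base_dn = "${..base_dn}"
        # Look the user up by name only; the OTP never reaches LDAP.
        filter  = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    update {
        # Assumption: jobCode holds the YubiKey AES key as "0x" + 32 hex chars,
        # e.g. 0x00112233445566778899aabbccddeeff (constructed value). Without
        # the 0x prefix the 32 characters would be taken as 32 raw bytes.
        # Restrict read access on jobCode to the bind identity above: anyone
        # who can read the key can forge OTPs for that user.
        control:Yubikey-Key := 'jobCode'
    }
}

# mods-available/yubikey must have decrypt = yes for local validation
# against control:Yubikey-Key.

# sites-available/default (excerpt)
authorize {
    preprocess

    # Splits the OTP off User-Password and sets Yubikey-Public-ID etc.
    yubikey
    if (!ok) {
        reject
    }

    # Fetch the per-user key. The ldap module binds with its own identity here.
    ldap
    if (notfound) {
        reject
    }
    if (!&control:Yubikey-Key) {
        # User exists but has no key enrolled: fail closed.
        reject
    }

    update control {
        Auth-Type := yubikey
    }
}

authenticate {
    # Only the yubikey module: it decrypts the OTP with control:Yubikey-Key and
    # checks the session/use counters. No ldap call, so no bind with the OTP.
    Auth-Type yubikey {
        yubikey
    }
}
```

The Auth-Type is set once, in authorize, after both the OTP split and the LDAP lookup have succeeded, which also avoids the "Found 2 auth-types" warning in the posted debug output.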

