Provided by: slapd_2.6.9+dfsg-2ubuntu1_amd64

NAME

       slapo-otp - OATH One-Time Password module

SYNOPSIS

       moduleload otp.la

DESCRIPTION

       The  otp  module  allows time-based one-time password, AKA "authenticator-style", and HMAC-based one-time
       password authentication to  be  used  in  conjunction  with  a  standard  LDAP  password  for  two-factor
       authentication.

       With this module, users enter their password, followed by the one-time password, in the password
       prompt to authenticate.

       The password needed for a user to authenticate is calculated based on a counter (current time in case  of
       TOTP)  and  a key that is referenced in the user's LDAP entry. Since the password is based on the time or
       number of uses, it changes periodically. Once used, it cannot be used again so keyloggers  and  shoulder-
       surfers are thwarted. A mobile phone application, such as the Google Authenticator or YubiKey (a prover),
       can  be  used  to  calculate  the user's current one-time password, which is expressed as a (usually six-
       digit) number.

       Alternatively, the value can be calculated by some other application with access to the  user's  key  and
       delivered  to  the user through SMS or some other channel. When prompted to authenticate, the user merely
       appends the code provided by the prover at the end of their password when authenticating.

       This implementation complies with RFC 4226 HOTP HMAC-Based One Time Passwords and  RFC  6238  TOTP  Time-
       based One Time Passwords and includes support for the SHA-1, SHA-256, and SHA-512 HMAC algorithms.

       The  HMAC  key  used  in the OTP computation is stored in the oathOTPToken entry referenced in the user's
       LDAP entry and the parameters are stored in the oathOTPParams LDAP entry referenced in the token.

CONFIGURATION

       Once the module is configured on the database, it will intercept LDAP simple binds for users  whose  LDAP
       entry has any of the oathOTPUser derived objectclasses attached to it. The attributes linking the user and
       the shared secret are:

              oathTOTPToken: <dn>
                     Mandatory  for oathTOTPUser, indicates that the named entry is designated to hold the time-
                     based one-time password shared secret and the last password used.

              oathHOTPToken: <dn>
                     Mandatory for oathHOTPUser, indicates that the named entry is designated to hold  the  one-
                     time password shared secret and the last password used.

              oathTOTPParams: <dn>
                     Mandatory for oathTOTPToken, indicates that the named entry is designated to hold the
                     parameters used to generate time-based one-time passwords from the shared secret: their
                     length and the algorithm to use, as well as the length of each time step and the grace
                     period.

              oathHOTPParams: <dn>
                     Mandatory for oathHOTPToken, indicates that the named entry is designated to hold the
                     parameters used to generate one-time passwords from the shared secret: their length and
                     the algorithm to use, as well as the permitted number of passwords to skip.

       The following parts of the OATH-LDAP schema are implemented.

       General attributes:

              oathSecret: <data>
                     The shared secret is stored here as raw bytes.

              oathOTPLength: <length>
                     The password length, usually 6.

              oathHMACAlgorithm: <OID>
                     The OID of the hash algorithm to use as defined in RFC 8018.  Supported algorithms  include
                     SHA1, SHA224, SHA256, SHA384 and SHA512.

       The HOTP attributes:

              oathHOTPLookAhead: <number>
                     The number of successive HOTP tokens that can be skipped.

              oathHOTPCounter: <number>
                     The order of the last HOTP token successfully redeemed by the user.

       The TOTP attributes:

              oathTOTPTimeStepPeriod: <seconds>
                     The length of the time-step period for TOTP calculation.

              oathTOTPLastTimeStep: <number>
                     The order of the last TOTP token successfully redeemed by the user.

              oathTOTPTimeStepWindow: <number>
                     The  number  of  time  periods  around  the  current time to try when checking the password
                     provided by the user.

              oathTOTPTimeStepDrift: <number>
                     If the client did not provide the token for the current time step but the token still
                     fell within oathTOTPTimeStepWindow above, this attribute records the current offset to
                     allow for slow clock drift of the client device.
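
       The bind check described above, worked through as an added example that is not part of the slapo-otp
       sources: RFC 4226 HOTP generation and a TOTP bind verification that honours oathTOTPTimeStepWindow,
       refuses to redeem a time step at or below oathTOTPLastTimeStep again, and updates oathTOTPTimeStepDrift.
       The token record, the user's password and the timestamps are constructed values; comparing the remaining
       password with a plaintext string stands in for slapd's own password check.

```python
import hmac, hashlib, struct

# Constructed token record: attribute names follow the OATH-LDAP schema described
# on this page; the values are invented for demonstration, not a real user's token.
TOKEN = {
    "oathSecret": b"12345678901234567890",  # raw shared secret (RFC 4226 test key)
    "oathOTPLength": 6,
    "oathHMACAlgorithm": "sha1",            # stands in for the RFC 8018 OID
    "oathTOTPTimeStepPeriod": 30,
    "oathTOTPTimeStepWindow": 1,            # time steps either side of "now" to try
    "oathTOTPLastTimeStep": 0,              # last step successfully redeemed
    "oathTOTPTimeStepDrift": 0,             # recorded clock offset of the device
}

def hotp(secret, counter, digits=6, algo="sha1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp_bind(token, bind_password, ldap_password, now):
    """Check a simple bind of the form <LDAP password><OTP>, as the overlay does.

    The OTP suffix is verified within the configured window, a redeemed time step
    is never accepted again, and the observed offset is recorded as drift.  The
    remainder is compared with the plain LDAP password here only for illustration;
    slapd hands it to its normal password check.
    """
    digits = token["oathOTPLength"]
    if len(bind_password) <= digits or bind_password[:-digits] != ldap_password:
        return False
    otp = bind_password[-digits:]
    step = now // token["oathTOTPTimeStepPeriod"] + token["oathTOTPTimeStepDrift"]
    window = token["oathTOTPTimeStepWindow"]
    for candidate in range(step - window, step + window + 1):
        if candidate <= token["oathTOTPLastTimeStep"]:
            continue  # replay of an already redeemed step
        expected = hotp(token["oathSecret"], candidate, digits, token["oathHMACAlgorithm"])
        if hmac.compare_digest(expected, otp):
            token["oathTOTPLastTimeStep"] = candidate
            token["oathTOTPTimeStepDrift"] += candidate - step
            return True
    return False
```

       The HOTP variant differs only in the candidate range: the counters from oathHOTPCounter + 1 up to
       oathHOTPLookAhead steps ahead are tried instead of time steps around the clock.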

SEE ALSO

       slapd-config(5).

ACKNOWLEDGEMENT

       This  work  was  developed by Ondřej Kuzník and Howard Chu of Symas Corporation for inclusion in OpenLDAP
       Software.

       This work reuses the OATH-LDAP schema developed by Michael Ströder.

SLAPO-OTP                                           2018/6/29                                       SLAPO_OTP(5)