Skip to content
/ yubisaslauthd Public
forked from meddius/yubisaslauthd

Yubikey/LDAP two-factor auth saslauthd replacement

License

View license
0 stars 2 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

hellyhe/yubisaslauthd

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
yubico
yubico
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README
README
 
 
validate.py
validate.py
 
 
yubi.schema
yubi.schema
 
 
yubisaslauthd.py
yubisaslauthd.py
 
 

Repository files navigation

DESCRIPTION

yubisaslauthd is a replacement for saslauthd for the single purpose of
providing two-factor Yubikey-based authentication with LDAP.

BEHAVIOR

The username is the DN of the user to validate. The password is the user's
password concatenated with a Yubikey OTP. Realm and service are ignored.
yubisaslauthd validates the OTP against the Yubikey API, verifies that the
Yubikey ID is associated with the given user, and verifies the password. The
Yubikey ID to user mappings and the password hashes are stored in LDAP.
Password hashes use crypt(3).

For use with LDAP, each user's userPassword attribute should be set to
{SASL}<dn>, where <dn> is the full DN of the user. The user's actual password
should be stored in crypt(3) form in a separate attribute, specified as
LDAP_PASSWD_ATTR.

CONFIGURATION

Items you may want to configure:

Socket path: SOCK_PATH in yubisaslauthd.py. Defaults to /var/run/saslauthd/mux,
  the standard saslauthd path on Debian/Ubuntu.
Number of preforked workers: NUM_WORKERS in yubisaslauthd.py. Defaults to 5;
  may need increasing if you have a slow LDAP server, slow Yubikey API, and/or
  a high volume of auth requests.
API Client ID: CLIENT_ID in validate.py.
API Client Key: CLIENT_KEY in validate.py. Set these to the ID and key for API
  access.
LDAP Yubikey attribute: LDAP_YUBI_ATTR in validate.py. This is the user
  attribute that contains the user's Yubikey ID.
LDAP password attribute: LDAP_PASSWD_ATTR in validate.py. This is the user
  attribute that contains the user's hashed password.
LDAP bind credentials: By default, yubisaslauthd connects using a unix socket
  (ldapi:///) and uses EXTERNAL authentication. If you need a different method,
  modify the ldap_connect method in validate.py.
Yubikey API URL: API_URLS in yubico/yubico.py.
Yubikey API trusted CAs: CA_CERTS in yubico/httplib_ssl.py.

OTHER

yubi.schema includes a sample LDAP objectClass 'yubikeyOwner' that defines the
'yubikeyID' and 'passwordFactor' attributes that are used by default.

The Yubikey API library is taken from python-yubico-client, at
<https://github.com/Kami/python-yubico-client>.

About

Yubikey/LDAP two-factor auth saslauthd replacement

Resources

Readme

License

View license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Python 100.0%