This is a feature request to allow openvpn-auth-ldap to be compatible with one-time-passwords. I had been looking for this for a while and then saw the issue mentioned for another OpenVPN plugin, openvpn-otp. The issue is described here.
What I (and several other people who contacted me in the meantime) were looking for was a way to do LDAP authentication and add an additional layer of protection on top of that with OTP, using openvpn-otp.
As it happens, OpenVPN has a feature to do this which is called the “Challenge/Response Protocol” described here (scroll down to the bottom of the page to find the relevant section). This protocol seperates the password authentication from the OTP part.
There are three side to this:
OpenVPN:
The feature needs to be activated in the client configuration file with the static-challenge flag.
From the OpenVPN manual:
static-challenge t e : Enable static challenge/response protocol using challenge text t, with echo flag given by e (0|1).
The echo flag indicates whether or not the user's response to the challenge should be echoed.
The users:
If the static-challenge flag is set, the OpenVPN GUI prompts users for a username, password and a one time token in a separate field.
Plug-ins:
If the static-challenge flag is set, passwords that are passed to plugins, will have a special format: something like CRV1::XYDFGER::123456 (for the dynamic protocol) or like CRV1:XYFDFGER:123456 (for the static protocol). In both cases XYDFGER is the password and 123456 is the response (this is where the otp would arrive).
So, if this feature is activated, plugins need to parse the password string to extract that the part that is of interest to them and perform the usual processing with that part only.
To have authentication plug-ins support this, they require a small change to inform them that that they need to parse the password string and only look at the part that is relevant for them. This is a simple boolean flag, which it is set to true, triggers the parsing and extraction of the relevant bits.
I have already issued a pull request for openvpn-otp to do this and I am planning to do the same with openvpn-auth-ldap.
Hi,
This is a feature request to allow openvpn-auth-ldap to be compatible with one-time-passwords. I had been looking for this for a while and then saw the issue mentioned for another OpenVPN plugin, openvpn-otp. The issue is described here.
What I (and several other people who contacted me in the meantime) were looking for was a way to do LDAP authentication and add an additional layer of protection on top of that with OTP, using openvpn-otp.
As it happens, OpenVPN has a feature to do this which is called the “Challenge/Response Protocol” described here (scroll down to the bottom of the page to find the relevant section). This protocol seperates the password authentication from the OTP part.
There are three side to this:
static-challengeflag. From the OpenVPN manual:static-challenge t e: Enable static challenge/response protocol using challenge text t, with echo flag given by e (0|1). The echo flag indicates whether or not the user's response to the challenge should be echoed.static-challengeflag is set, the OpenVPN GUI prompts users for a username, password and a one time token in a separate field.static-challengeflag is set, passwords that are passed to plugins, will have a special format: something like CRV1::XYDFGER::123456 (for the dynamic protocol) or like CRV1:XYFDFGER:123456 (for the static protocol). In both cases XYDFGER is the password and 123456 is the response (this is where the otp would arrive). So, if this feature is activated, plugins need to parse the password string to extract that the part that is of interest to them and perform the usual processing with that part only.To have authentication plug-ins support this, they require a small change to inform them that that they need to parse the password string and only look at the part that is relevant for them. This is a simple boolean flag, which it is set to true, triggers the parsing and extraction of the relevant bits.
I have already issued a pull request for openvpn-otp to do this and I am planning to do the same with openvpn-auth-ldap.