authentik
LDAP Provider with TOTP
Is your feature request related to a problem? Please describe.
Some services do not support SAML, OAuth2, etc. and only work with LDAP. However, MFA is currently not supported with LDAP Provider.
Describe the solution you'd like
Documentation says:
The only limitation is that currently only identification and password stages are supported, due to how LDAP works.
As a first implementation, it would be great to support TOTP: https://github.com/openldap/openldap/blob/master/contrib/slapd-modules/passwd/totp/slapo-totp.5
What about asking the user to set password + TOTP in the password field? (Facebook used this solution a few years ago with macOS integration.) It seems there is a password scheme for this solution: {TOTP1ANDPW}, {TOTP256ANDPW}, or {TOTP512ANDPW}
Another solution could be a one-time password for LDAP Provider when the user has MFA and so the regular password must be denied.
Describe alternatives you've considered
No solution I'm aware of.
Additional context Add any other context or screenshots about the feature request here.
I've been meaning to add support for this using some sort of separator like | or ;, have not gotten around to it yet since I want to do some general cleanup in the authenticator validation stage before I add this.
Hello, this would be the feature I was searching for - if for example a 6-digit length of the TOTP is set - the password part would be thereafter ... similar to PrivacyIDEA
https://privacyidea.readthedocs.io/en/latest/webui/token_details.html?highlight=pin#set-pin https://privacyidea.readthedocs.io/en/latest/_images/token-detail.png
thx
Any update on this? A separator would be a nice feature to have
Alternatively, it would be nice if the MFA stage can be skipped in the LDAP authentication flow. Is this possible?
This will be possible in 2023.1
I set up LDAP Provider and enabled TOTP but cannot connect like you said (PASSWORD;123456). Without TOTP configured it works. What do I need to check?
For more info: https://discord.com/channels/809154715984199690/1072864483325792327/1072864483325792327
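The combined bind password discussed in this thread (password, separator, 6-digit code, as in PASSWORD;123456), sketched as an added example that is not authentik's code or any participant's. The function names, the `;` separator constant, the plaintext stored password and the one-step drift window are assumptions made for illustration; the TOTP routine follows RFC 6238 with HMAC-SHA1.

```python
import hashlib
import hmac
import struct

SEPARATOR = ";"  # assumption: taken from the thread's PASSWORD;123456 form
DIGITS = 6       # assumption: 6-digit codes, as mentioned in the thread
STEP = 30        # RFC 6238 default time step, in seconds


def totp(secret: bytes, at: float, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `at`."""
    counter = struct.pack(">Q", int(at // STEP))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def split_bind_password(bind_pw: str):
    """Return (password, code), or (bind_pw, None) if no code is appended.

    Splits on the LAST separator so a password containing ';' survives.
    """
    head, sep, tail = bind_pw.rpartition(SEPARATOR)
    if sep and len(tail) == DIGITS and tail.isascii() and tail.isdigit():
        return head, tail
    return bind_pw, None


def check_bind(bind_pw, stored_pw, totp_secret, now, window=1):
    """Accept the bind only if the password and, for MFA users, the code match.

    stored_pw is plaintext only to keep this demo short (hypothetical store).
    """
    if totp_secret is None:
        # No MFA enrolled: the whole field is the password.
        return hmac.compare_digest(bind_pw.encode(), stored_pw.encode())
    password, code = split_bind_password(bind_pw)
    if code is None:
        return False  # MFA enrolled: the regular password alone is denied
    pw_ok = hmac.compare_digest(password.encode(), stored_pw.encode())
    # Evaluate every step in the drift window before combining the results.
    matches = [hmac.compare_digest(code, totp(totp_secret, now + d * STEP))
               for d in range(-window, window + 1)]
    return pw_ok and any(matches)
```

This sketch does not track already-used codes, so a code stays acceptable for the whole drift window; a server-side check would also need to reject reuse.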