
Enforce MFA for LDAP Provider

Open Cyberunner23 opened this issue 2 years ago • 5 comments

Describe your question

I have a setup where users have TOTP MFA setup. I also have a LDAP Provider that I use for Portainer and SSH (through sssd). I was wondering if there is a way so that the TOTP token is required for someone to login through LDAP. At the moment, the TOTP token is optional when doing it through an LDAP application.

Relevant infos

  • Followed this tutorial, except the Provider is set to Direct Binding, Direct Caching and Code Based MFA Support is enabled
  • All users must setup TOTP
  • The LDAP Outpost is deployed manually to set the LDAP port to a non-standard value

Logs

{"bindDN":"cn=user,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"<redacted IP>","event":"User has access","level":"info","requestId":"58efbaf1-8dce-4f4b-88f2-de2d5279116d","timestamp":"2023-07-18T14:10:37Z"}
{"bindDN":"cn=user,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"<redacted IP>","event":"Bind request","level":"info","requestId":"58efbaf1-8dce-4f4b-88f2-de2d5279116d","timestamp":"2023-07-18T14:10:37Z","took-ms":597}
{"attributes":[],"baseDN":"cn=user,ou=users,dc=ldap,dc=goauthentik,dc=io","bindDN":"cn=ldap_readonly,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"<redacted IP>","event":"Search request","filter":"(&(cn=user)(objectclass=user)(memberOf=cn=group,ou=groups,dc=ldap,dc=goauthentik,dc=io))","level":"info","requestId":"b3213862-743a-458e-ab1e-5330d16fc986","scope":"Base Object","timestamp":"2023-07-18T14:10:38Z","took-ms":57}
{"attributes":[],"baseDN":"cn=user,ou=users,dc=ldap,dc=goauthentik,dc=io","bindDN":"cn=ldap_readonly,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"<redacted IP>","event":"Search request","filter":"(&(cn=user)(objectclass=user)(memberOf=cn=group,ou=groups,dc=ldap,dc=goauthentik,dc=io))","level":"info","requestId":"89052a41-d8e1-4276-af51-d6ddf5773a50","scope":"Base Object","timestamp":"2023-07-18T14:10:38Z","took-ms":37}

Version and Deployment:

  • authentik version: 2023.6.1
  • Deployment: Portainer

Cyberunner23 avatar Jul 18 '23 14:07 Cyberunner23

See documentation MFA/TOTP for ldap is supported. https://goauthentik.io/docs/providers/ldap/#bind-modes

pbvdven avatar Jul 18 '23 15:07 pbvdven

The documentation mentions that "For code-based authenticators, the code must be given as part of the bind password, separated by a semicolon." However, the behaviour I'm observing is that it's optional.

Cyberunner23 avatar Jul 18 '23 15:07 Cyberunner23

That tutorial was made before the TOTP support was added IIRC, and as such it's not adding an authenticator validation stage to the flow in between the identification and login stage, and as such that configuration doesn't check the TOTP code.

BeryJu avatar Jul 19 '23 09:07 BeryJu
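A small check for the two points raised above (the semicolon-separated `password;code` bind credential from the docs, and whether the flow actually rejects a password-only bind), added here as an example that is not part of this issue or of authentik's own code. It assumes the ldap3 library for the real bind and lets the caller supply any bind function, so the enforcement logic can be exercised offline; the bind DN, password and TOTP code are placeholders.

```python
"""Verify that an authentik LDAP outpost enforces TOTP on bind (example, not authentik code)."""
import ssl
from typing import Callable, Optional

# authentik docs: with code-based MFA the code is appended to the bind
# password, separated by a semicolon (e.g. "s3cret;123456").
def bind_credential(password: str, totp_code: Optional[str]) -> str:
    return password if totp_code is None else f"{password};{totp_code}"

def ldap3_bind(uri: str) -> Callable[[str, str], bool]:
    """Return a bind function backed by ldap3 (third-party, imported lazily)."""
    def _bind(bind_dn: str, password: str) -> bool:
        from ldap3 import Connection, Server, Tls
        # Require a valid certificate: the bind password and TOTP code travel in the simple bind.
        server = Server(uri, tls=Tls(validate=ssl.CERT_REQUIRED), get_info=None)
        conn = Connection(server, user=bind_dn, password=password)
        ok = conn.bind()
        conn.unbind()
        return ok
    return _bind

def mfa_enforcement(bind: Callable[[str, str], bool], bind_dn: str,
                    password: str, totp_code: str) -> str:
    """Classify the outpost's behaviour by binding once without and once with the code.

    'enforced'  -> password-only bind rejected, password;code accepted (the desired state)
    'optional'  -> both binds accepted: the flow has no authenticator validation stage,
                   which is the behaviour reported in this issue
    'broken'    -> the code-bearing bind failed (wrong code, or the stage is not reached)
    """
    password_only = bind(bind_dn, bind_credential(password, None))
    with_code = bind(bind_dn, bind_credential(password, totp_code))
    if with_code and not password_only:
        return "enforced"
    if with_code and password_only:
        return "optional"
    return "broken"

if __name__ == "__main__":
    # Placeholder values; replace with a test account on your own outpost.
    result = mfa_enforcement(ldap3_bind("ldaps://ldap.example.invalid:636"),
                             "cn=user,ou=users,dc=ldap,dc=goauthentik,dc=io",
                             "s3cret", "123456")
    print(f"MFA on LDAP bind: {result}")
```

Run it against a test account after adding the authenticator validation stage to the flow; an "optional" result means the stage is still missing or not bound between identification and the password/login stage.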

We provide an example flow that checks MFA here: docs.goauthentik.io/docs/flow/examples/flows#two-factor-login

rissson avatar Mar 15 '24 16:03 rissson

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.