authentik
PAM_SSSD + LDAP: how to add OTP- Token?
Describe your question
Using PAM + SSSD and LDAP for logging into our desktops (which works), I would like to have the OTP token of authentik added to the password, as written at https://goauthentik.io/docs/providers/ldap/#bind-modes under "Authenticator validation".
Additionally, I am searching for a way to have some user-bound SECRET key that will be available only when the user is authenticated (it should not be the password, as this will change from time to time). I thought of LDAP attributes, but as I understood it, attributes are read via the SSSD service account and are accessible with the general token for all clients/users.
Relevant infos
In the docs, I am not able to understand how to add the OTP token to the password (chain?). The secret key can be chosen by the user or admin; any other solutions that may work are fine as well.
Version and Deployment (please complete the following information):
- authentik Docker Compose, currently 2023.08, soon 2023.10
Hi, is there any update on this topic?
Hi @Max-housing-it, no, I still have found no solution for this.
Hi @PentaPaetzold, I think I found it :D -> in the Provider settings, there is the "Code-based MFA Support" option: "When enabled, code-based multi-factor authentication can be used by appending a semicolon and the TOTP code to the password. This should only be enabled if all users that will bind to this provider have a TOTP device configured, as otherwise a password may incorrectly be rejected if it contains a semicolon."
For me this works fine. You need to enter "password;Token" for the login.
Due to the way SSSD works, this isn't really possible. SSSD binds itself to the LDAP provider with a service account, but users logging into the system are not authenticated by LDAP bind, hence their MFA cannot be checked. This might be possible with https://linux.die.net/man/5/pam_ldap; however, I have not tried that. If you do set pam_ldap up, please feel free to open a PR to add documentation for it.