worteks
/
lemonldap-ng
mirror of https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng
3
0
Fork 0
Code Issues Projects Releases Wiki Activity
LemonLDAP::NG Web SSO
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
11340 Commits
107 Branches
123 Tags
109 MiB
 
 
 
 
 
Tag: Branch: Tree: aea7bdebe8
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'aea7bdebe8'
${ noResults }
lemonldap-ng/doc/sources/admin/totp2f.rst

108 lines
3.3 KiB
Raw Blame History

TOTP 2nd Factor Authentication
==============================
`Time based One Time
Password <https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm>`__
(TOTP) is an algorithm that computes a one-time password from a shared
secret key and the current time. This is currently use by `Google
Authenticator <https://en.wikipedia.org/wiki/Google_Authenticator>`__ or
`FreeOTP <https://freeotp.github.io/>`__.
LLNG can propose users to register this kind of software to increase
authentication level.
.. tip::
Note that it's a second factor, not an authentication module.
Users are authenticated both by login form and TOTP.
Prerequisites and dependencies
------------------------------
This feature uses libconvert-base32-perl. Before enable it, on Debian
you must install libconvert-base32-perl by :
::
apt update
apt install libconvert-base32-perl
apt install libdigest-hmac-perl
Or from CPAN repository :
::
cpanm Convert::Base32
Configuration
-------------
In the manager (advanced parameters), you just have to enable it:
- **Activation**: set it to "on"
- **Self registration**: set it to "on" if users are authorized to
generate themselves a TOTP secret
- **Authentication level**: you can overwrite here auth level for TOTP
registered users. Leave it blank keeps auth level provided by first
authentication module *(default: 2 for user/password based modules)*.
**It is recommended to set an higher value here if you want to give
access to some apps only to users enrolled**
- **Issuer**: default to portal hostname
- **Interval**: interval for TOTP algorithm (default: 30)
- **Range**: number of additional intervals to test (default: 1)
- **Digits**: number of digit by codes (default: 6)
- **Allow users to remove TOTP**: If enabled, users can unregister
TOTP.
- **Lifetime**: Unlimited by default. Set a Time To Live in seconds.
TTL is checked at each login process if set. If TTL is expired,
relative TOTP is removed.
- **Logo** (Optional): logo file *(in static/<skin> directory)*
- **Label** (Optional): label that should be displayed to the user on
the choice screen
.. attention::
If you want to use a custom rule for "activation" and
want to keep self-registration, you must include this in your rule that
``$_2fDevices =~ /"type":\s*"TOTP"/s`` is set, else TOTP will be
required even if users are not registered. This is automatically done
when "activation" is simply set to "on".
.. danger::
Range is tested backward and forward to prevent
positive or negative clock drift.
Enrollment
----------
If you've enabled self registration, users can register their keys by
using https://portal/2fregisters
Assistance
----------
If a user loses its key, you can remove it from manager Second Factor
module.// // To enable manager Second Factor Administration Module, set
``enabledModules`` key in your ``lemonldap-ng.ini`` file :// //
.. code-block:: ini
[portal]
enabledModules = conf, sessions, notifications, 2ndFA
Developer corner
----------------
If you have another TOTP registration interface, you have to set these
keys in Second Factor Devices array (JSON) in your user-database. Then
map it to the \_2fDevices attribute (see
:doc:`exported variables<exportedvars>`):
.. code::
[{"name" : "MyTOTP" , "type" : "TOTP" , "_secret" : "########" , "epoch":"1524078936"}, ...]