Secure passwordless logins with FIDO2 and LDAP
Access Granted
Recently, FIDO2 and the passwordless authentication that goes with it have been in focus. As long as you base your login on a flexible database system, you can simply add the required fields for one or more public keys. To store the required information in Lightweight Directory Access Protocol (LDAP), as well, you need to extend the schema and define your own object and attribute types.
FIDO2 is a milestone of passwordless authentication. When logging in, the user's browser receives a challenge and has to sign it with the user's private key so that the service provider can validate the signature against the stored public keys. If validation is successful, the login is considered complete.
One advantage of public key procedures such as FIDO2 is that service providers and users no longer have to share a secret, including secrets that are used for two-factor authentication. Therefore, these secrets can no longer be lost on either side. In case of an attack, all the attacker gets is a user's public key, and as the name suggests, this key can be widely known. Logging in to the service itself or to other services in which the user has deposited the same key remains impossible. To make sure a user is not left without access if a private key is lost, most FIDO2 implementations allow the direct storage of several public keys or different security tokens.
Extending the LDAP Schema
The LDAP schemas normally available (e.g., from the OpenLDAP distribution) do not provide the objects needed to store the information required for FIDO2 authentication directly within the directory. Like other database systems, LDAP lets you extend the set of storable objects by adding an appropriate schema. Once you have successfully loaded a schema, you can create the objects to match directly afterward. To prevent confusion, each schema is assigned an individual identification number. Globally unique object
...
Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
US / Canada
UK / Australia
Related content
-
Secure authentication with FIDO2
The FIDO and FIDO2 standard supports passwordless authentication. We discuss the requirements for the use of FIDO2 and show a sample implementation for a web service. -
Multifactor authentication from FIDO
The FIDO Alliance is working to build open solutions for the future of authentication. -
Single sign-on with Keycloak
Google and Facebook are two of the biggest providers for single sign-on on the web, with OAuth2 and OpenID, but if you don't want to put your customers' or employees' data in their hands, Red Hat's Keycloak software lets you run your own operations with the option of integrating existing Kerberos or LDAP accounts. -
LDAP integration with popular groupware suites
Your LDAP directory holds user data for the whole network. Why not save time and avoid duplication by integrating the LDAP directory with your groupware environment? -
OpenLDAP Workshop
Centralized user management with LDAP or Active Directory is the standard today, although many prefer to manage user data manually rather than build this kind of infrastructure. In this article, we look at a better approach with OpenLDAP.
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Most Popular
Support Our Work
ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.
