From a319811747b44dc9b06294df0270b17dbd2b2026 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Sat, 2 Mar 2024 09:31:46 +0200
Subject: [PATCH] ipa-pwd-extop: add MFA note in case of a successful LDAP bind
with OTP
In case there is a successful OTP authentication attempt, register it as
an operation note on the BIND operation in LDAP. 389-ds then will print
a multi-factor authentication note in both access and security logs
according to https://www.port389.org/docs/389ds/design/mfa-operation-note-design.html
Fixes: https://pagure.io/freeipa/issue/5169
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 10 ++++++++++
server.m4 | 8 ++++++++
2 files changed, 18 insertions(+)
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
|
|
index 69023515018d522651bccb984ddd8e9174c22f59..43a7f54778382edd66da8f18c20de443ed98ab3d 100644
|
|
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
|
|
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
|
|
@@ -1551,6 +1551,16 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
|
|
/* Attempt to write out kerberos keys for the user. */
|
|
ipapwd_write_krb_keys(pb, discard_const(dn), entry, credentials);
|
|
|
|
+#ifdef USE_OP_NOTE_MFA_AUTH
|
|
+ /* If it was a successful authentication with OTP required, mark it
|
|
+ * for access log to notice multi-factor authentication has happened
|
|
+ * https://www.port389.org/docs/389ds/design/mfa-operation-note-design.html
|
|
+ */
|
|
+ if (!syncreq && otpreq) {
|
|
+ slapi_pblock_set_flag_operation_notes(pb, SLAPI_OP_NOTE_MFA_AUTH);
|
|
+ }
|
|
+#endif
|
|
+
|
|
slapi_entry_free(entry);
|
|
slapi_sdn_free(&sdn);
|
|
return 0;
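Review bot: The MFA note is gated on `otpreq`, which from this hunk alone reads as "an OTP factor was required for this bind" rather than "an OTP factor was verified"; if the earlier authentication step can leave `otpreq` set while still accepting a password-only credential (for example when the user's authentication type also permits plain password), the access and security logs would record multi-factor authentication that did not happen. Please confirm against the code that sets `otpreq` earlier in `ipapwd_pre_bind` (outside this hunk) that it is only true on a bind where the OTP value was actually consumed, and pin that invariant in the new comment, e.g. `/* otpreq must only be true when the OTP factor was verified; a password-only fallback must never reach here with it set. */`. The `#ifdef` also makes the note silently disappear when built against a 389-ds without `SLAPI_OP_NOTE_MFA_AUTH`, which deserves a line in the same comment since auditors may rely on the log marker being present. The enclosing function starts before the hunk.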
|
|
diff --git a/server.m4 b/server.m4
|
|
index f97ceddea0388067f4353fd9a03a5e5d27b1672b..4918edc762ef9987625a10348bd4bad59ed9beb3 100644
|
|
--- a/server.m4
|
|
+++ b/server.m4
|
|
@@ -31,6 +31,14 @@ PKG_CHECK_MODULES([DIRSRV], [dirsrv >= 1.3.0])
|
|
# slapi-plugin.h includes nspr.h
|
|
DIRSRV_CFLAGS="$DIRSRV_CFLAGS $NSPR_CFLAGS"
|
|
|
|
+bck_cflags="$CFLAGS"
|
|
+CFLAGS="$CFLAGS $DIRSRV_CFLAGS"
|
|
+AC_CHECK_DECL([SLAPI_OP_NOTE_MFA_AUTH], [
|
|
+ AC_DEFINE(USE_OP_NOTE_MFA_AUTH,1,
|
|
+ [Use LDAP operation note for multi-factor LDAP BIND])],
|
|
+ [], [[#include <dirsrv/slapi-plugin.h>]])
|
|
+CFLAGS="$bck_cflags"
|
|
+
|
|
dnl -- sss_idmap is needed by the extdom exop --
|
|
PKG_CHECK_MODULES([SSSIDMAP], [sss_idmap])
|
|
PKG_CHECK_MODULES([SSSNSSIDMAP], [sss_nss_idmap >= 1.15.2])
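Review bot: The not-found branch of the new `AC_CHECK_DECL` is empty (`[]`), so configuring against a dirsrv whose headers lack `SLAPI_OP_NOTE_MFA_AUTH` silently drops the MFA log note this commit exists to add, and nothing in the configure output tells the packager that an audit-relevant feature is missing from the build. Replace the empty branch with a warning, e.g. `[AC_MSG_WARN([dirsrv headers lack SLAPI_OP_NOTE_MFA_AUTH; MFA notes will not be logged for LDAP BIND])]`. As a point of style, the check only needs the include path, so temporarily adding `$DIRSRV_CFLAGS` to `CPPFLAGS` rather than `CFLAGS` would be the more conventional autoconf idiom, though the current form works because the compile test uses both.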
|
|
--
2.44.0