I am really very pleased to be writing this article as I’ve been wanting to see this functionality ever since I first started getting into FreeIPA and using Yubikeys.
If you are a Yubikey user or admin, chances are you are a little, if not very, frustrated that there is no simple way to centrally manage your users and key tokens.
The way most One Time Password (OTP) solutions work is based on a central server which maps a token to a user. Yubico, however, uses a local text file on each individual system which maps a username to a specific key token. This is a very clunky method, especially if you are managing very large numbers of servers.
Well, with a bit of work, and with huge thanks to Michal Ludvig, we now have a way of integrating Yubikeys directly into an LDAP based directory server.
I came across his article on a Google+ post detailing how he has provided a way for this to become reality. I am still unbelievably impressed.
You can read his original article here: http://www.logix.cz/michal/devel/yubikey-ldap/
I have absolutely no intention of trying to steal any thunder away from what Michal has done here. It is truly fantastic.
In this article, I am simply providing a very quick and easy way of storing Yubikey token IDs inside FreeIPA 3.0 on Red Hat Enterprise Linux 6.4 (Beta).
I would also like to thank Gavin Spurgeon for his help in clarifying the inner workings of how the integration happens, specifically with FreeIPA, as it was not as straightforward as I anticipated.
Unfortunately, 389 DS does not give much freedom in adding objectIdentifiers to the schema: the objectIdentifier macros that Michal's OpenLDAP schema relies on are not supported, so Gavin Spurgeon and I were unable to import exactly what Michal produced in his how-to guide, and the OIDs below are written out in full instead. This is a shame, as his method is very neat and clean.
Environment details
In my lab environment, I have used the below details.
Server Operating System: Red Hat Enterprise Linux 6.4 Beta
FreeIPA Version: 3.0
FreeIPA Domain Name: example.com
FreeIPA Server Hostname: ds01.example.com
FreeIPA Server IP: 10.0.4.11
Client Operating Systems: Red Hat Enterprise Linux 6.3 and Fedora 18
Please note, I have used RHEL 6.4 Beta for this article simply because FreeIPA 3.0 will be released when 6.4 goes GA.
Please also be aware that this article works equally on FreeIPA 2.2 and 3.0. The procedure below remains the same.
FreeIPA Setup
Follow the below steps to add the necessary functionality into FreeIPA.
Step 1. Adding Schema definition
On your FreeIPA server, create the file “/etc/dirsrv/slapd-EXAMPLE-COM/schema/80yubikey.ldif”
Please keep in mind that this file path relies on your FreeIPA domain being called "example.com": the instance directory is named after your realm in upper case with the dots replaced by dashes. Please remember to reference your own domain name here.
[root@ds01 ~]# vi /etc/dirsrv/slapd-EXAMPLE-COM/schema/80yubikey.ldif
dn: cn=schema
attributeTypes: ( 1.3.6.1.4.1.40789.2012.11.1.2.1 NAME 'yubiKeyId' DESC 'Yubico YubiKey ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
objectClasses: ( 1.3.6.1.4.1.40789.2012.11.1.2.2 NAME 'yubiKeyUser' DESC 'Yubico YubiKey User' SUP top AUXILIARY MAY ( yubiKeyId ) )
[root@ds01 ~]#
Keep each definition on a single line. If you do wrap one, every continuation line must begin with a single space (LDIF line folding), otherwise the directory server will refuse to load the schema and will not start.
Step 2. Correct file permissions
Once you save your file, correct the file permissions and restore the SELinux contexts.
[root@ds01 ~]# chown dirsrv:dirsrv /etc/dirsrv/slapd-EXAMPLE-COM/schema/80yubikey.ldif
[root@ds01 ~]# chmod 440 /etc/dirsrv/slapd-EXAMPLE-COM/schema/80yubikey.ldif
[root@ds01 ~]# restorecon /etc/dirsrv/slapd-EXAMPLE-COM/schema/80yubikey.ldif
Step 3. Restart Directory Instance
Next, you will need to restart your directory server instance.
As we are using FreeIPA, you can either restart the “ipa” service, or the “dirsrv” service. Both will achieve the same goal here. I have opted for just restarting “dirsrv”.
[root@ds01 ~]# service dirsrv restart
Shutting down dirsrv:
    PKI-IPA...                                                 [  OK  ]
    EXAMPLE-COM...                                             [  OK  ]
Starting dirsrv:
    PKI-IPA...                                                 [  OK  ]
    EXAMPLE-COM...                                             [  OK  ]
[root@ds01 ~]#
That is all the changes that need to be made to the FreeIPA server. If you have multiple replicated servers in your FreeIPA domain, I would recommend creating the 80yubikey.ldif file on each of your directory servers, since files in the schema directory are read locally by each instance when it starts.
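The three steps above as one script, together with the check I would run afterwards. This is an added example, not code from the original article or from Michal's yubikey-ldap project. It assumes things the page does not state: the realm is passed as the first argument (default EXAMPLE.COM), the instance directory is slapd-<realm with dots replaced by dashes>, cn=schema is readable anonymously on the local server, and nothing is written to the server unless --apply is given as the second argument, so running it without arguments only defines the functions. The modhex validator at the end is also my addition: the schema puts no length or alphabet constraint on yubiKeyId, and a YubiKey OTP public ID is the first 12 modhex characters of the OTP.

```bash
#!/bin/sh
# Added example (not from the original article or from Michal's project):
# Steps 1-3 above for an arbitrary realm, plus a check that the running
# directory instance actually published the new definitions.
# Assumptions not stated on the page: the realm comes in as $1 (default
# EXAMPLE.COM), the instance directory is slapd-<realm with dots as dashes>,
# cn=schema is readable anonymously on the local server, and nothing is
# written unless --apply is passed as $2.
set -eu

REALM="${1:-EXAMPLE.COM}"
SCHEMA_DIR="/etc/dirsrv/slapd-$(printf '%s' "$REALM" | tr . -)/schema"
SCHEMA_FILE="${SCHEMA_DIR}/80yubikey.ldif"

# Step 1: the schema. Each definition stays on one physical line, so no LDIF
# continuation lines (leading space) are needed; a definition wrapped by an
# editor that loses that leading space is a common reason dirsrv fails to start.
yubikey_schema_ldif() {
    cat <<'EOF'
dn: cn=schema
attributeTypes: ( 1.3.6.1.4.1.40789.2012.11.1.2.1 NAME 'yubiKeyId' DESC 'Yubico YubiKey ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
objectClasses: ( 1.3.6.1.4.1.40789.2012.11.1.2.2 NAME 'yubiKeyUser' DESC 'Yubico YubiKey User' SUP top AUXILIARY MAY ( yubiKeyId ) )
EOF
}

write_schema_file() {        # $1 = destination path
    yubikey_schema_ldif > "$1"
}

# Step 2: ownership, mode and SELinux label as in the article.
install_schema_file() {      # $1 = destination path
    write_schema_file "$1"
    chown dirsrv:dirsrv "$1"
    chmod 440 "$1"
    restorecon "$1"
}

# ldapsearch folds long values onto continuation lines (newline + one space);
# join them so a whole definition can be matched as one line.
unwrap_ldif() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         NR > 1 { print "" }
         { printf "%s", $0 }
         END { print "" }'
}

# Reads cn=schema output on stdin and succeeds only if both definitions are
# published, matched by OID as well as NAME.
schema_present_in() {
    text="$(unwrap_ldif)"
    printf '%s\n' "$text" | grep -Fq "( 1.3.6.1.4.1.40789.2012.11.1.2.1 NAME 'yubiKeyId'" &&
    printf '%s\n' "$text" | grep -Fq "( 1.3.6.1.4.1.40789.2012.11.1.2.2 NAME 'yubiKeyUser'"
}

check_schema_loaded() {      # $1 = host, default localhost
    ldapsearch -x -LLL -H "ldap://${1:-localhost}" -b cn=schema -s base \
        attributeTypes objectClasses | schema_present_in
}

# The schema above puts no length or alphabet constraint on yubiKeyId, so
# check values before storing them: a YubiKey OTP public ID is the first 12
# modhex characters (alphabet cbdefghijklnrtuv) of the OTP the key types.
is_yubikey_public_id() {
    printf '%s' "$1" | grep -Eq '^[cbdefghijklnrtuv]{12}$'
}

if [ "${2:-}" = "--apply" ]; then
    install_schema_file "$SCHEMA_FILE"
    service dirsrv restart   # Step 3
    check_schema_loaded localhost && echo "yubiKey schema loaded for ${REALM}"
fi
```

Run it as root on each directory server, for example `./yubikey-schema.sh EXAMPLE.COM --apply`; `check_schema_loaded` can also be pointed at a replica's hostname to confirm the file was installed there too. An alternative the article does not use is to add the same two definitions online with ldapmodify against cn=schema, which 389 DS stores in 99user.ldif without a restart.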