3.6 Configuring Multi-Factor Authentication for LDAP Proxy

LDAP Proxy 1.6 and later support multi-factor authentication through the NetIQ Advanced Authentication Framework. By default, LDAP Proxy 1.6 uses single-factor authentication. If you want to use multi-factor authentication for your Proxy servers, you must configure it first. The following multi-factor authentication chains are supported with LDAP Proxy:

  • LDAP Password + TOTP (Time Based One Time Password)

  • Advanced Authentication Password (AA Password) + TOTP

  • TOTP + Smartphone

  • LDAP Password + Smartphone

  • AA Password + Smartphone

NOTE: By default, the chains containing the Smartphone authentication method are not available to LDAP Proxy users. You must obtain a valid license from Advanced Authentication to use this method.

Prerequisites

To configure multi-factor authentication for your Proxy server, you must have the following prerequisites:

  • MFABroker: The MFABroker service communicates with the Advanced Authentication server to perform multi-factor authentication. By default, the LDAP Proxy installation procedure installs the MFABroker service.

  • Administrative access to the Advanced Authentication Admin panel. For more information about the Configuration Settings, see Configuring Advanced Authentication in the Advanced Authentication - Administration.

Configuration Procedure

  1. The LDAP Proxy server and the MFABroker service authenticate each other using their respective certificates. To achieve this, you need three SSL certificates in PKCS#12 format issued by the eDirectory CA.

    1. Create a certificate for the LDAP Proxy server. For example, we’ve created proxycert.pfx. This certificate should contain the following configurations:

      1. Subject Alternative Name: Specify the IP address of the LDAP Proxy server.

      2. Extended Key Usage: TLS Web Client Authentication.

    2. Create a certificate for the MFABroker service. For example, we’ve created mfabrokercert.pfx. This certificate should contain the following configurations:

      1. Subject Alternative Name: Specify the IP address of the MFABroker server.

      2. Extended Key Usage: TLS Web Server Authentication.

    3. Create a certificate for the Advanced Authentication server. For example, we’ve created aacert.pfx. This certificate should contain the following configurations:

      1. Subject Alternative Name: Under Certificate Parameters specify the IP address of the Advanced Authentication server.

      2. Extended Key Usage: TLS Web Server Authentication.

      NOTE:

      • To create certificates with the above configuration in Identity Console, go to Identity Console > Certificate Management > Server Certificate Management and create custom certificates with the following options:

        • Click the create icon to create a server certificate and provide the Nickname for the server certificate to be created.

        • Select Custom (User specifies parameters) and click Next.

        • Select Organizational Certificate Authority option and click Next.

        • Select the Subject Alternative Name as mentioned in steps 1a, 1b and 1c.

        • Select User as Extended key type while creating the certificate for TLS Web Client Authentication.

        • Select Server as Extended key type while creating the certificate for TLS Web Server Authentication.

      • Once the certificates are created, select the required certificate from the list, then export it in .pfx format by clicking the export icon in Identity Console. To protect the private key after export, specify a valid password.

  2. Convert the .pfx certificates (obtained in steps 1a and 1b) to .pem format using the nlpcert utility. Copy both certificates to the server where the MFABroker and LDAP Proxy services are running and run the following commands:

    /opt/novell/ldapproxy/bin/nlpcert -i /root/proxycert.pfx -p novell -o proxycert.pem
    /opt/novell/ldapproxy/bin/nlpcert -i /root/mfabrokercert.pfx -p novell -o mfabrokercert.pem

    In the above commands, proxycert.pfx and mfabrokercert.pfx are the SSL certificates generated for the LDAP Proxy and MFABroker servers respectively.

  3. Copy the following certificates to their respective directories:

    1. Copy both the .pem certificates (generated in step 2) to /etc/opt/novell/ldapproxy/conf/ssl/private directory.

    2. Copy the CA certificate (SSCert.pem) to /etc/opt/novell/ldapproxy/conf/ssl/trustedcert directory.

    3. Copy the CA certificate for the Advanced Authentication server to /etc/opt/novell/ldapproxy/conf/ssl/trustedcert directory.

    4. Upload aacert.pfx to the Advanced Authentication server. Log in to the AA admin panel > Server Options > Upload new SSL certificate. For more information, see Uploading the SSL Certificate in the Advanced Authentication - Administration Guide.

  4. Configure the MFABroker service.

    1. A sample MFABroker configuration file (mfabrokerconf.yml.sample) is provided in the /etc/opt/novell/ldapproxy/conf directory. Rename the sample file to mfabrokerconf.yml.

    2. Run the binary /opt/novell/ldapproxy/sbin/generateSecretHash to generate the endpointSecretHash from the endpoint ID, the secret and a salt string. Configure the following parameters in the mfabrokerconf.yml file:

      1. port: Specify 48028 as port where MFABroker will listen for incoming requests from LDAP Proxy.

      2. serverHost: Specify the IP address of the server where Advanced Authentication is running.

      3. endpointID: Specify the Endpoint ID which was generated while creating the endpoints in the Advanced Authentication Admin panel.

      4. logonEvent: Specify the event name which was created in the Advanced Authentication server.

      5. ldapRepo: Specify a map of key/value pairs for the LDAP repositories created on the Advanced Authentication server. Each key is the container name and each value is the repository name.

      6. skipMFA: List of DNs for which multi-factor authentication is skipped. This can also be used for service accounts.

      7. trustedCertDir: Specify the absolute path of the directory where the CA certificates are stored.

      8. privateCertDir: Specify the absolute path of the directory where the server and client certificates are stored.

      9. mfabrokerCertFile: Specify the name of the MFABroker certificate in .pem format generated in step 2.

      10. proxyCertFingerprint: Specify the SHA-256 fingerprint of the LDAP Proxy certificate. Run the following openssl command to obtain the SHA-256 fingerprint:

        openssl x509 -in proxycert.pem -noout -fingerprint -sha256

        A sample MFABroker configuration is shown below. The configuration parameters, sample values and examples mentioned here are for reference purposes only; modify them as required to suit your environment:

        mfabroker:
          port: 48028

        aa:
          serverHost: xx.xx.xx.xx
          endpointID: 178fa64ebafe11eaa1fb0242ac110003
          logonEvent: LDAPProxy
          ldapRepo:   {
            "o=org_novell"      : LDAP_REPO_1,
            "o=org_microfocus"  : LDAP_REPO_2
          }
          skipMFA:    [
            'cn=user1,o=novell',
            'cn=user2,ou=security,o=novell'
          ]

        ssl:
          trustedCertDir: "/etc/opt/novell/ldapproxy/conf/ssl/trustedcert"
          privateCertDir: "/etc/opt/novell/ldapproxy/conf/ssl/private"
          mfabrokerCertFile: "mfabroker.pem"
          proxyCertFingerprint: "46:A8:A5:DB:F8:72:29:BD:35:29:16:D3:DC:D2:F9:C7:09:F3:C3:97:B1:C5:D9:1A:6B:8A:83:11:6E:03:10:26"

    3. Rename the mfabrokerLogConf.json.sample file to mfabrokerLogConf.json in the /etc/opt/novell/ldapproxy/conf directory.

  5. Configure LDAP Proxy.

    For LDAP Proxy to start using the MFABroker service, add the following before the <list-listener> node in the nlpconf.xml file:

    <proxy-mfa-config tls-enabled="true">
            <certificate-file-name>proxycert.pem</certificate-file-name>
    </proxy-mfa-config>

    In the above example, proxycert.pem is the SSL certificate for LDAP Proxy generated in step 2.

  6. Run the following command to enable multi-factor authentication for the LDAP Proxy server:

    /opt/novell/ldapproxy/bin/nlpdconfig

  7. Start LDAP Proxy by running the following command:

    systemctl start nlpd

  8. (Optional) To switch back to single-factor authentication mode, remove the <proxy-mfa-config> node from the nlpconf.xml file and run the following command:

    /opt/novell/ldapproxy/bin/nlpdconfig

    However, we do not recommend switching back to single-factor authentication mode.
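The mutual TLS between LDAP Proxy and MFABroker (steps 1 to 4) fails silently at startup when a certificate lacks the required Extended Key Usage or Subject Alternative Name, does not chain to the CA in trustedcert, or when proxyCertFingerprint does not match the proxy certificate. The following pre-flight script is an added example, not part of LDAP Proxy or its documentation; it assumes the file names and directories used in steps 2 and 3 and takes the two server IP addresses as arguments.

```shell
#!/bin/sh
# Pre-flight check for the LDAP Proxy / MFABroker certificate setup.
# Added example; not part of the LDAP Proxy product or its documentation.
set -eu

# check_cert PEM CAFILE "EKU text" IP
# Succeeds only if PEM chains to CAFILE, carries the expected Extended Key
# Usage and lists the expected IP address in its Subject Alternative Name.
check_cert() {
  pem=$1; ca=$2; eku=$3; ip=$4
  openssl verify -CAfile "$ca" "$pem" >/dev/null 2>&1 \
    || { echo "FAIL $pem: does not chain to $ca" >&2; return 1; }
  openssl x509 -in "$pem" -noout -ext extendedKeyUsage 2>/dev/null | grep -q "$eku" \
    || { echo "FAIL $pem: Extended Key Usage is not '$eku'" >&2; return 1; }
  openssl x509 -in "$pem" -noout -ext subjectAltName 2>/dev/null | tr ',' '\n' \
    | grep -q "IP Address:$ip *$" \
    || { echo "FAIL $pem: Subject Alternative Name lacks IP $ip" >&2; return 1; }
  echo "OK   $pem"
}

# Prints the SHA-256 fingerprint in the colon-separated form that
# proxyCertFingerprint in mfabrokerconf.yml expects.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Usage: sh mfa-preflight.sh <LDAP Proxy IP> <MFABroker IP>
# Paths are the ones used in steps 2 and 3 (assumed); adjust if yours differ.
if [ "$#" -eq 2 ]; then
  ssl=/etc/opt/novell/ldapproxy/conf/ssl
  ca=$ssl/trustedcert/SSCert.pem
  status=0
  check_cert "$ssl/private/proxycert.pem"     "$ca" "TLS Web Client Authentication" "$1" || status=1
  check_cert "$ssl/private/mfabrokercert.pem" "$ca" "TLS Web Server Authentication" "$2" || status=1
  echo "proxyCertFingerprint: \"$(fingerprint "$ssl/private/proxycert.pem")\""
  exit $status
fi
```

The last line of output is ready to paste into the ssl section of mfabrokerconf.yml; a FAIL line names the certificate and the requirement from step 1 that it does not meet.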

IMPORTANT: Users who are enrolled only for single-factor authentication might receive an error message saying that the user is not registered for any chain. This happens when the user has access to the AA Self Service Portal. In this scenario, the user must log in to the Self Service Portal and remove themselves by using the Delete Me option.