Provides support for authenticating with YubiKey One-Time Passwords over simple BIND requests: the user appends the OTP to the static password in the bind password, and the plugin separates the two before the bind is processed.
To enable this extension, you must first enable the YubiKey SASL mechanism handler:

```shell
dsconfig set-sasl-mechanism-handler-prop \
  --handler-name UNBOUNDID-YUBIKEY-OTP \
  --set yubikey-client-id:12345 \
  --set yubikey-api-key:CHANGEME \
  --set enabled:true
```
Once this prerequisite is met, you can create the plugin with:

```shell
dsconfig create-plugin \
  --plugin-name yubi-on-simple-bind \
  --type third-party \
  --set enabled:false \
  --set plugin-type:preparsebind \
  --set invoke-for-internal-operations:false \
  --set extension-class:com.pingidentity.ds.plugin.YubiOnSimpleBind \
  --set extension-argument:client-id=12345 \
  --set extension-argument:client-secret=CHANGEME
```

This creates the plugin disabled (`enabled:false`); set `enabled:true` once you are ready to enforce OTP checking on simple binds.
You may register a key with the `register-yubikey-otp-device` tool, like:

```shell
register-yubikey-otp-device --authenticationID u:user.0 --userPassword password --otp SOMEOTPHERE
```
Finally, you can verify that authentication now requires a YubiKey OTP for users with registered devices. The OTP is appended directly to the static password in the bind password (`-w`):

```shell
bin/ldapsearch \
  -D uid=user.0,ou=People,dc=example,dc=com \
  -w passwordSOMEOTPHERE \
  -b uid=user.0,ou=People,dc=example,dc=com \
  -s base \
  '(&)'
```
NOTE: On PingDirectoryProxy, it is necessary to specify the `public-id-attribute` argument, naming an attribute for which the user has read rights in the back-end server.
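The split the plugin has to perform on the bind password (static password followed by the OTP, as in the `ldapsearch` above), shown here as an added Python illustration rather than the plugin's own Java code. It relies on a Yubico OTP being exactly 44 modhex characters (a 12-character public ID plus a 32-character encrypted token); the sample OTP and public IDs are constructed, and the "registered device" lookup is simulated by passing the user's registered public ID directly.

```python
# Added illustration: how a pre-parse bind plugin can separate a static
# password from a YubiKey OTP appended to it. Not the plugin's own code.

# Modhex alphabet used by YubiKey OTPs. A Yubico OTP is 44 modhex characters:
# 12 characters of public identity followed by a 32-character encrypted token.
MODHEX_ALPHABET = "cbdefghijklnrtuv"
OTP_LENGTH = 44
PUBLIC_ID_LENGTH = 12

# Constructed sample OTP (assumption: any 44 modhex characters; not a real token).
SAMPLE_PUBLIC_ID = "ccccccbchvth"
SAMPLE_OTP = SAMPLE_PUBLIC_ID + "cbdefghijklnrtuvcbdefghijklnrtuv"


def split_bind_password(bind_password):
    """Return (static_password, otp, public_id), or None if no OTP suffix is present.

    The split is taken from the end of the string: the static password can be
    anything, but the OTP has a fixed length and alphabet, so the last 44
    characters are tested. A password with no room for a static part is
    treated as having no OTP rather than as an empty (anonymous) password.
    """
    if len(bind_password) <= OTP_LENGTH:
        return None
    suffix = bind_password[-OTP_LENGTH:]
    if not all(ch in MODHEX_ALPHABET for ch in suffix):
        return None
    return bind_password[:-OTP_LENGTH], suffix, suffix[:PUBLIC_ID_LENGTH]


def pre_parse_bind(bind_password, registered_public_id):
    """Decision a pre-parse bind plugin would make for one simple bind.

    registered_public_id is the public ID of the user's registered device, or
    None when the user has no device (simulating the directory lookup).
    Returns one of:
      ("pass-through", password)        user has no device; normal bind
      ("reject", reason)                device registered, OTP missing/mismatched
      ("verify", static_password, otp)  OTP belongs to the registered device and
                                        still has to be validated with the
                                        Yubico service before the static bind
    """
    if registered_public_id is None:
        return ("pass-through", bind_password)
    parts = split_bind_password(bind_password)
    if parts is None:
        return ("reject", "missing OTP")
    static_password, otp, public_id = parts
    if public_id != registered_public_id:
        return ("reject", "OTP public ID does not match registered device")
    return ("verify", static_password, otp)
```

A user whose static password itself happens to end in 44 modhex characters would be split incorrectly; the public ID comparison against the registered device is what keeps that from silently succeeding.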
Allowed Arguments

| Argument Name | Description | Data Type | Is Required | Maximum Occurrences |
| --- | --- | --- | --- | --- |
| client-id | The YubiCo client ID | Integer | true | 1 |
| client-secret | The secret key for the client | String | true | 1 |
| public-id-attribute | The name of the attribute to | String | false | 1 |