How to enable MFA with LDAP?

Is it possible to require a user's MFA with Secure LDAP?

Looking to integrate OpenLDAP community edition, and we have user/pass working, but would like to add MFA.

1 ACCEPTED SOLUTION

Got it, thanks. I don't think Google's MFA/2FA applies to LDAP authentication requests. If you have 2FA enforced already, and still can log on through LDAP, that would confirm this. 

The reason being, most likely, that many LDAP clients wouldn't know how to pass through the MFA portion and initiate the bind immediately - or simply time out while waiting for users to confirm their second factor. Plain vanilla LDAP has no concept of 2FA.

You will probably have to plug a third-party MFA solution into your OpenVPN server. Another option could be using an external IdP such as Okta, which has some options when using MFA with LDAP (see here: https://help.okta.com/en-us/Content/Topics/Directory/LDAP-interface-MFA.htm). 


6 REPLIES

What is your exact use case and deployment scenario?

Currently using OpenVPN server with ldap plugin to access Google's Secure LDAP service. 

Username/password auth is working, but we would also like to prompt for 2FA, which is enforced in the Google Workspace for the Active Employees OU.

Use case is access to production networks in AWS that are otherwise not accessible.


Thank you very much. It certainly appears to be the case that Secure LDAP does not engage 2FA, which is indeed enforced in the OUs that are currently being used, and I do take your point about all the clients needing to also support this.

Spoke with Okta a bit last year, but was still hoping to find a way within Google itself.

Appreciated!

The path of least resistance is probably plugging something like PrivacyID3A open OTP server into OpenVPN. Implementation seems painless (documented here). It can poll Google's LDAP as well. 

Your auth flow would then look something like this:

User > OpenVPN > RADIUS to PrivacyID3A OTP > Google LDAP 

Your users will then have MFA everywhere, including VPN. And no hassles with moving your entire directory to a third-party IdP like Okta. The only drawback would be that your users will get two different 2FA experiences, but that's better than not having MFA at all.
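Added example, not code from this thread or from OpenVPN, Google or the OTP server named above. It models the flow just described (User > OpenVPN > RADIUS to OTP server > Google LDAP) and the accepted answer's point that a plain LDAP bind has no field that could carry a second factor. Assumptions not stated in the thread: the user types the LDAP password with a 6-digit TOTP appended in the single VPN password prompt (a common convention for OTP over RADIUS); an in-memory dict stands in for Google Secure LDAP; the TOTP secret is the RFC 4226/6238 test key so the codes can be checked against those RFCs; the bind-request encoder only builds the bytes and sends nothing.

```python
"""
Two halves of the flow User > OpenVPN > RADIUS/OTP server > LDAP:

1. ldap_simple_bind_request(): the RFC 4511 BindRequest the directory actually
   receives. Its only fields are version, DN and password, so a second factor
   has to be verified by something in front of the bind, never inside it.
2. radius_authenticate(): what the OTP server does with the single password
   attribute from OpenVPN: peel off the OTP, verify it locally, and bind to
   LDAP with the remainder only if the OTP was right.

Constructed data: DIRECTORY stands in for Google Secure LDAP, OTP_SECRETS for the
OTP server's enrolment database, and the secret is the RFC 4226/6238 test key.
"""
import base64
import hashlib
import hmac
import struct

# --- what the directory sees: RFC 4511 BindRequest with simple authentication ---

def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content

def ldap_simple_bind_request(message_id: int, name: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }.
    message_id is kept in 1..127 so it fits one INTEGER content octet."""
    assert 1 <= message_id <= 127
    bind_request = tlv(0x60,                             # [APPLICATION 0] BindRequest
                       tlv(0x02, b"\x03")                # version INTEGER 3
                       + tlv(0x04, name.encode())        # name LDAPDN
                       + tlv(0x80, password.encode()))   # simple [0] OCTET STRING, nothing else
    return tlv(0x30, tlv(0x02, bytes([message_id])) + bind_request)

# --- the OTP server's own check: RFC 4226 HOTP / RFC 6238 TOTP (SHA-1, 30 s steps) ---

def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret_b32: str, at: float, step: int = 30, digits: int = 6) -> str:
    return hotp(secret_b32, int(at // step), digits)

def verify_totp(secret_b32: str, code: str, at: float, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps of clock skew, constant-time compare."""
    return any(hmac.compare_digest(totp(secret_b32, at + k * 30).encode(), code.encode())
               for k in range(-window, window + 1))

# --- constructed stand-ins for the directory and the OTP enrolment database ---

RFC_TEST_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()
DIRECTORY = {"alice": "correct horse battery staple"}   # user -> static LDAP password
OTP_SECRETS = {"alice": RFC_TEST_SECRET_B32}             # user -> TOTP seed

def ldap_simple_bind(user: str, password: str) -> bool:
    """Stand-in for the simple bind the OTP server issues to the directory; in a real
    deployment the bytes from ldap_simple_bind_request() go to the LDAPS endpoint here."""
    stored = DIRECTORY.get(user)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())

def radius_authenticate(user: str, password_field: str, at: float, otp_digits: int = 6) -> bool:
    """Handle the single User-Password attribute from OpenVPN: <ldap password><otp>.
    A wrong or missing OTP fails here; the directory is never contacted for it."""
    if len(password_field) <= otp_digits:
        return False
    static, code = password_field[:-otp_digits], password_field[-otp_digits:]
    secret = OTP_SECRETS.get(user)
    if secret is None or not verify_totp(secret, code, at):
        return False
    return ldap_simple_bind(user, static)

if __name__ == "__main__":
    t = 59  # RFC 6238 test time; the expected 6-digit code at this instant is 287082
    print(totp(RFC_TEST_SECRET_B32, t))
    print(radius_authenticate("alice", "correct horse battery staple" + totp(RFC_TEST_SECRET_B32, t), t))
    print(ldap_simple_bind_request(1, "cn=alice", "correct horse battery staple").hex())
```

The bind encoder is the concrete form of the accepted answer's "plain vanilla LDAP has no concept of 2FA": whatever the client puts in the password octet string is all the directory ever gets, so an OTP either rides inside that string and is stripped by a proxy before the bind, as here, or it is never checked at all.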

Thanks, am looking at a couple of separate MFA solutions, and that's a new one to me. It looks good, especially with the Google LDAP integration.

Once again, greatly appreciated!
