Quick Start: Integrating HOTP (OTP - One Time Password) with eDirectory 8.8 SP8

  • 7016550
  • 02-Jun-2015
  • 05-Jun-2015

Environment

NetIQ eDirectory 8.8 SP8
NetIQ Modular Authentication Service (NMAS)
HOTP Method

Situation

Securing information with static passwords has always been less than ideal.  Users traditionally create weak passwords and only change them when required to do so.  If a company's password policy is seen as too onerous, passwords are often written down.  Further, since passwords are often cached by applications, they can reside on local drives or be stored on servers.  This is particularly troublesome for laptops, which are easily stolen.

Resolution

Enter the one-time password (OTP).  Unlike a static password, a one-time password changes with every use, and in its time-based form is only valid for a short period (usually 30-60 seconds).  An OTP can either replace an existing password or be appended to it, which is how it is combined with the NMAS password in this article.
 
The passwords can be generated in one of two ways:
  1. Time-synchronized (TOTP, RFC 6238): the user must enter an OTP value within a fixed time step or it expires and is replaced by another.  The downside is the potential for clock skew: if the client device's clock and the server's clock drift too far apart, the client generates a value the server does not expect.
  2. Counter-synchronized (HOTP, RFC 4226): a counter is synchronized between the client device\app and the server.  The counter advances each time an OTP value is requested.
Both approaches require either a small hardware device or an application on the user side, synchronized with the server, to display the OTP value that will be used in the password.  Since the eDirectory implementation conforms to the RFC 4226 (HOTP) standard, hardware tokens and software from 3rd party vendors and open community sources that follow the RFC should work as expected.

Additional Information

Overview
 
For this exercise we will use the counter-based approach.  A shared secret will be created and stored on both the client and the server.  This Quick Start uses a simple command-line client program to generate the OTP value, which means the secret is handled in plain text on the client.  In a production environment a tamper-resistant hardware token, or a purpose-built software token that protects the secret, would be the more secure choice.  
 
eDirectory 8.8 SP8 already contains an OTP server.  The following are the basic steps required to integrate OTP with NMAS:
- Setup a NMAS password policy and configure the NMAS service to be first used for password authentication.
- Setup and run the nmashotpconf utility to set the secret and Hotp enable a user.
- Run the oath toolkit at the client to display the OTP values based on the shared secret.
- Login to eDirectory with the NMAS password + OTP value using both NCP based (ndslogin) and LDAP clients.
 
 

Quick Start
 
 1. Confirm, at a minimum, that a basic password policy has been defined, assigned to a test user, and that the user has logged in.  This ensures that the Universal Password (UP) attributes have already been added to the user object.  It is also suggested to synchronize the UP to the NDS password in the policy.  Also, as is always the case, verify that all participating servers and clients are in time sync.
 
2. Obtain the nmashotpconf utility.  (Verify that the server's LDAPS certificate has been exported to the file system as a der file.)
A. Download the nmas3333-client.tgz file from https://download.novell.com/Download?buildid=BfnNcVX8U_I~
B. Extract the main tarball: "tar -zxvf nmas3333-client.tgz"
C. Navigate to the 3333 directory and unzip the nmashotpconf.zip file: "unzip nmashotpconf.zip"
D. Navigate to the linux_x64/final directory from which the nmashotpconf utility can be found.
 
3. Hotp enable a user
All the required Hotp attributes will be enabled at the user level.  In order for the user to be enabled the following must be defined:
- Enable Hotp at the user\container\partition root or LPO object for tree-wide enablement.  (sasOTPEnabled)
- Set the Hotp secret and counter on the user.  Together these determine the Hotp value.  (SAS:Login Secret\SAS:Login Secret Key & sasOTPCounter )
- Set the number of digits for the values.  This can be set on the user\container\partition root or LPO object level.  (sasOTPDigits)
- Set the resynchronization window.  This is needed for the times when the client and server are not in perfect synchronization, for example when the user has generated values on the token without logging in.  The server stores the last counter it accepted, and this value determines how many counters ahead of that stored counter the server will try before rejecting the OTP.  A smaller window is more secure but produces more calls to the help desk.  It is set either tree-wide (LPO object) or on the user.  (sasOTPReSync)
 
For this exercise a user object with the DN of testuser3.emg will be enabled via the following commands using the nmashotpconf utility.  Note that the admin password (-w) and the shared secret (-s) are passed on the command line, where they are visible in the shell history and the process list; run these from a trusted admin workstation and clear the history afterwards.
 
A. Set the secret on the user object
"./nmashotpconf -h 151.155.213.139 -p 636 -D cn=admin,o=emg -w novell -e /var/opt/novell/eDirectory/data/SSCert.der -t DER -u cn=testuser3,o=emg -c 7 -s 5354555657585951515153545556575859515152 -f RAW"
 
B. Enable Hotp
"./nmashotpconf -h 151.155.213.139 -p 636 -D cn=admin,o=emg -w novell -e /var/opt/novell/eDirectory/data/SSCert.der -t DER -u cn=testuser3,o=emg -o ENABLE"
 
C. Set the number of digits for the Hotp value (6-9).  In the below example it is set to 6.
"./nmashotpconf -h 151.155.213.139 -p 636 -D cn=admin,o=emg -w novell -e /var/opt/novell/eDirectory/data/SSCert.der -t DER -u cn=testuser3,o=emg -d 6"
 
D. Set the user synchronization window.  This will look up to 5 counters ahead of the current one to find a match.
"./nmashotpconf -h 151.155.213.139 -p 636 -D cn=admin,o=emg -w novell -e /var/opt/novell/eDirectory/data/SSCert.der -t DER -u cn=testuser3,o=emg -y 5" 
 
4. Obtain and install the OATH Toolkit on the client.  Several versions are available.  For this exercise the following was used:
A. Download and extract the source files.
B. Navigate to the oath-toolkit-2.6.0 directory.
C. Compile and install it: "./configure && make && make install"
 
 5. Run oathtool against the user's secret to obtain the OTP value.
A. Determine what the user's counter is currently set to:
"ldapsearch -H ldap://151.155.213.139 -D "cn=admin,o=emg" -w novell -b "cn=testuser3,o=emg" -s base -LLL sasOTPCounter"
The following is returned:
dn: cn=testuser3,o=emg
sasOTPCounter: 7
B. Generate the OTP for the current counter position (7) by passing that counter directly with -c:
"/usr/local/bin/oathtool -c 7 5354555657585951515153545556575859515152"
It returns 782375.
 
Note: if oathtool reports an error while loading shared libraries, add the install location to the library path:
"LD_LIBRARY_PATH=/usr/local/lib"
"export LD_LIBRARY_PATH"
 
6. Log in to the directory using the user's password followed by the current Hotp value (the value derived from the shared secret and the current counter).
A. Via NCP: "ndslogin testuser3.emg -p novell782375"
B. Via LDAP.  The previous value cannot be used again, because the successful login advanced the user's counter to 8.  Therefore run the following commands:
"/usr/local/bin/oathtool -c 8 5354555657585951515153545556575859515152"  833463 is returned.
"ldapsearch -H ldap://151.155.213.139 -D "cn=testuser3,o=emg" -w novell833463 -b "cn=testuser3,o=emg" -s base -LLL sasOTPCounter"
Note that this bind uses plain ldap:// on port 389, so the password and OTP cross the network in clear text; outside a lab, bind over ldaps:// (port 636) instead.
 
Note: to list the OTP values for counters 0 through 10 in one call (the -w option prints the value for the starting counter plus the next 10):
"/usr/local/bin/oathtool -w 10 5354555657585951515153545556575859515152"
914881  Counter 0
687306  Counter 1
573250  Counter 2
891405  Counter 3
067473  Counter 4
140430  Counter 5
233329  Counter 6
782375  Counter 7
833463  Counter 8
184550  Counter 9
125841  Counter 10
 
Additional Notes:
 
1. This method is not currently supported with iManager because the password is one-time use.  iManager caches the logged-in user's password and reuses it for subsequent requests, which fail on the second and later attempts.
 
2. Once a user has been Hotp enabled that user MUST use their password + OTP.  Just entering the password will no longer authenticate the user to eDirectory.  Removing the Hotp attributes from the user object will re-enable password only logins.
 
3. Synchronization Window
This value determines how many counters ahead of the current one the server will test when checking an OTP value. 
Example: the OTP values below are those listed by the oathtool -w 10 command after step 6.  Any value at or ahead of the current counter (Counter 0) is accepted, provided it falls inside the synchronization window. 
For example:
914881  Counter 0
687306  Counter 1
573250  Counter 2
891405  Counter 3
067473  Counter 4
140430  Counter 5
233329  Counter 6
782375  Counter 7
833463  Counter 8
184550  Counter 9
125841  Counter 10
Therefore, if the user is at a current counter of C0 and is configured with a sync window of 5, any Hotp value from counters 0-5 is accepted, while values from counters 6-10 are rejected until the counter advances.  Once a value is accepted the server moves its counter past the matched one (as seen in step 6, where the counter moved from 7 to 8), so the accepted value and any earlier values can no longer be used.
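To make the counter, digits and synchronization window concrete, the following Python script is an added example (not code from this article or from NetIQ) that implements HOTP as specified in RFC 4226 and a server-side check with a look-ahead window.  It reproduces what oathtool does in steps 5 and 6 and what the NMAS server has to do when it receives password + OTP.  The RFC 4226 test secret ("12345678901234567890") and the password "novell" are used for the self-check; the 20-byte hex secret from step 3A is used in the demo at the bottom, whose output can be compared with the oathtool -w 10 listing above.  How eDirectory advances its stored counter internally is not documented on this page; the verify_hotp() behaviour here (store matched counter + 1, never accept a counter at or below the stored one) is an assumption taken from RFC 4226 section 7.4.

```python
"""HOTP (RFC 4226) generation plus server-side look-ahead verification.

Added example; not part of the NetIQ article.  The counter handling in
verify_hotp() follows RFC 4226 section 7.4 and is an assumption about how
the eDirectory/NMAS server behaves, not something this page documents.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value for one counter (RFC 4226, section 5.3).

    HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation to a
    31-bit integer, reduction modulo 10**digits, zero-padded to `digits`.
    """
    if not 6 <= digits <= 9:  # same range sasOTPDigits allows in step 3C
        raise ValueError("digits must be between 6 and 9")
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % (10 ** digits)).zfill(digits)


def hotp_window(secret: bytes, start: int, window: int, digits: int = 6) -> list:
    """Values for counters start..start+window, like `oathtool -c start -w window`."""
    return [hotp(secret, c, digits) for c in range(start, start + window + 1)]


def verify_hotp(secret: bytes, stored_counter: int, candidate: str,
                resync_window: int, digits: int = 6):
    """Server-side check with a look-ahead window (sasOTPReSync semantics).

    Tries stored_counter through stored_counter + resync_window.  On a match
    returns the counter the server should store next (matched + 1), so the
    accepted value and every earlier one can never be replayed.  Returns None
    when nothing matches; the stored counter must then stay unchanged.
    """
    for c in range(stored_counter, stored_counter + resync_window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c + 1
    return None


def split_login(entered: str, digits: int = 6):
    """Split 'novell782375' into the NMAS password and the appended OTP."""
    if len(entered) <= digits or not entered[-digits:].isdigit():
        raise ValueError("no OTP of the expected length appended")
    return entered[:-digits], entered[-digits:]


def login(secret: bytes, stored_counter: int, entered: str,
          resync_window: int, expected_password: str, digits: int = 6):
    """Simulate the password+OTP login from step 6.

    Returns (accepted, counter_to_store).  The counter only moves forward
    on success, which is why the value used in step 6A is rejected in 6B.
    """
    try:
        password, otp = split_login(entered, digits)
    except ValueError:
        return False, stored_counter
    if not hmac.compare_digest(password, expected_password):
        return False, stored_counter
    new_counter = verify_hotp(secret, stored_counter, otp, resync_window, digits)
    if new_counter is None:
        return False, stored_counter
    return True, new_counter


if __name__ == "__main__":
    # The hex secret from step 3A (-s ... -f RAW); the same bytes oathtool
    # is given in step 5, so this listing should match `oathtool -w 10`.
    page_secret = bytes.fromhex("5354555657585951515153545556575859515152")
    for c, value in enumerate(hotp_window(page_secret, 0, 10)):
        print(value, " Counter", c)
```

Running the script prints the counter 0-10 table for the article's secret.  The self-check below uses the RFC 4226 Appendix D vectors instead, so it can be validated without the lab server: a value five counters ahead is accepted with a window of 5, a value six ahead is not, and a value that has already been consumed is rejected even though it is inside the window.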