We are at Tübix 2017 and doing a workshop about adding a 2nd Factor to your applications.
If you cannot attend, or if you want to try this at home afterwards, here is what we will do!
10.0.2.201 ucs.tuebix.intranet (LDAP) Univention Corporate Server 4.2
10.0.2.202 privacyidea.tuebix.intranet, Ubuntu 16.04 LTS
10.0.2.203 wordpress.tuebix.intranet, Ubuntu 16.04 LTS with latest wordpress
10.0.2.204 owncloud.tuebix.intranet, Ubuntu 16.04 LTS with ownCloud 10
The UCS has the following users:
ownCloud is connected via LDAP, so the LDAP users can connect to ownCloud.
The ownCloud Administrator is called: admin
WordPress only has internal users. Nevertheless the users are also called:
What we will do – our Agenda
- We will install privacyIDEA and connect privacyIDEA to the UCS, so that privacyIDEA knows the users from the LDAP directory
- Then we will enroll different kinds of tokens to the users.
- The administrator can enroll a token for the users, but
- users can also log in to the web UI with their LDAP password and enroll a token for themselves.
- Then we start connecting applications to privacyIDEA to add 2FA to the applications
- WordPress with “strong authentication” plugin
- ownCloud with the “privacyIDEA ownCloud App” from the market place
- SSH login with 2FA for users user1, user2, user3
privacyIDEA can be installed in many different ways on different Linux distributions. We will install privacyIDEA on our Ubuntu 16.04 machine 10.0.2.202.
add-apt-repository ppa:privacyidea/privacyidea
apt update
apt install privacyidea-apache2
privacyidea-apache2 is a meta package which installs MySQL and Apache and sets up privacyIDEA. Finally we only need to create the first token administrator:
pi-manage add admin super
Now we have an administrator called “super”
privacyIDEA can be configured via command line, API or the web UI.
We need to configure the resolver tuebix_users with the Active Directory preset. For this we need to fetch the certificate of the UCS server, because the resolver connects via LDAPS.
- LDAP Resolver to ldaps://ucs.tuebix.intranet
- Base DN cn=users,dc=tuebix,dc=intranet
- Bind DN cn=administrator,cn=users,dc=tuebix,dc=intranet
- Preset AD
And a Realm tuebix with the resolver tuebix_users.
We can also take a look at the policies and configure a policy to use otppin=userstore.
Enroll tokens as administrator and as normal user…
- Enroll Smartphone App
- U2F Token
- Feitian C200 (import file Feitian.csv)
ownCloud with 2FA
For ownCloud X we log in as administrator and install the “privacyIDEA ownCloud App” from the Marketplace.
We need to configure the App against privacyIDEA:
- no realm
- no ssl check
Note: The privacyIDEA ownCloud App will authenticate all users with a 2nd factor!
After this, users need to present a 2nd factor against privacyIDEA when they log in.
WordPress with 2FA
Install the “strong authentication” plugin.
We need to configure the Plugin against privacyIDEA:
Note: Users need to enter both factors in the password field at the same time.
The WordPress plugin authenticates users only against privacyIDEA, while with ownCloud users are authenticated by both ownCloud and privacyIDEA.
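What "both factors in one password field" means in practice depends on the otppin=userstore policy set up earlier: the user's LDAP password is the OTP PIN, and the server splits the submitted string into PIN and OTP itself. The following is an added example written for this text, not code from privacyIDEA or from the workshop; it models that split with an RFC 4226 HOTP implementation from the Python standard library. The USERSTORE and TOKENS tables are constructed sample data standing in for the UCS LDAP and the enrolled tokens.

```python
"""Model of how a combined "PIN + OTP" credential is checked.

Added example, not code from the privacyIDEA project or the workshop.
It implements RFC 4226 HOTP and a small user-store lookup to illustrate
the otppin=userstore policy: the LDAP password acts as the OTP PIN and
both factors arrive in a single field, as the WordPress plugin requires.
"""
import hashlib
import hmac
import struct

# Constructed sample "userstore": in the workshop this is the UCS LDAP.
USERSTORE = {"user1": "Summer2017!"}

# Constructed sample HOTP token: RFC 4226 test secret, counter starts at 0.
TOKENS = {
    "user1": {"secret": b"12345678901234567890", "counter": 0, "digits": 6},
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for the given counter."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def split_pin_otp(password: str, digits: int):
    """otppin=userstore style split: the trailing `digits` characters are
    the OTP, everything before them is the PIN (here: the LDAP password)."""
    if len(password) <= digits or not password[-digits:].isdigit():
        return None, None
    return password[:-digits], password[-digits:]


def check(user: str, password: str, window: int = 10) -> bool:
    """Verify the PIN against the userstore, then the OTP against the token
    with a look-ahead window; a used counter is never accepted again."""
    token = TOKENS.get(user)
    if token is None:
        return False
    pin, otp = split_pin_otp(password, token["digits"])
    if pin is None:
        return False
    # Constant-time comparison of the PIN with the userstore password.
    stored = USERSTORE.get(user, "")
    if not hmac.compare_digest(pin.encode(), stored.encode()):
        return False
    for c in range(token["counter"], token["counter"] + window):
        if hmac.compare_digest(hotp(token["secret"], c, token["digits"]), otp):
            token["counter"] = c + 1  # move past the used value (replay protection)
            return True
    return False


if __name__ == "__main__":
    # Constructed login: LDAP password followed by the first HOTP value.
    print(check("user1", "Summer2017!" + hotp(b"12345678901234567890", 0)))
```

The split explains the WordPress note above: the plugin cannot see the two factors separately, so the PIN has to be a string the server can recognise from the userstore, and a replayed OTP fails because the token counter has already advanced.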
SSH with 2FA
On either the ownCloud machine or the WordPress machine we install the privacyIDEA PAM module:
add-apt-repository ppa:privacyidea/privacyidea
apt update
apt install privacyidea-pam
…and configure it accordingly against https://privacyidea.tuebix.intranet.
Note: The user names on the SSH machine and in privacyIDEA need to match!
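All three integrations (the PAM module, the WordPress plugin and the ownCloud App) end up making the same request to privacyIDEA: a POST to /validate/check with the user name and the combined password, answered with a JSON body whose result.status and result.value have to be read separately. The client below is an added example, not code from privacyIDEA or any of its plugins; the server URL is the workshop's, the CA file path and the sample response bodies are constructed assumptions. Unlike the "no ssl check" shortcut used in the workshop, it verifies the server certificate.

```python
"""Minimal client for privacyIDEA's /validate/check endpoint.

Added example, not code from the privacyIDEA project, its PAM module or the
WordPress/ownCloud plugins. It shows the request those plugins make and how
the answer must be read. CA file path and error texts are assumptions.
"""
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional

PI_URL = "https://privacyidea.tuebix.intranet"  # workshop server


def classify(body: dict) -> str:
    """Map a /validate/check JSON body to 'accepted', 'rejected' or 'error'.

    result.status is False when the server could not process the request
    (for example an unknown user); only status True together with value
    True is a successful authentication. Treating a False status as
    "rejected" hides misconfiguration, treating it as "accepted" is fatal.
    """
    result = body.get("result", {})
    if result.get("status") is not True:
        return "error"
    return "accepted" if result.get("value") is True else "rejected"


def validate_check(user: str, password: str, realm: Optional[str] = None,
                   ca_file: Optional[str] = None, url: str = PI_URL,
                   timeout: int = 10) -> str:
    """POST user and combined pass to /validate/check and classify the answer."""
    data = {"user": user, "pass": password}
    if realm:  # the workshop uses the default realm ("no realm" in the App)
        data["realm"] = realm
    req = urllib.request.Request(
        url + "/validate/check",
        data=urllib.parse.urlencode(data).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    # Verify the server certificate against the given CA file (assumed path
    # to the workshop server's CA) instead of disabling the SSL check.
    ctx = ssl.create_default_context(cafile=ca_file)
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            body = json.load(resp)
    except urllib.error.HTTPError as exc:
        # privacyIDEA answers 4xx errors with a JSON body as well; read it.
        body = json.load(exc)
    return classify(body)


# Constructed sample responses in the shape privacyIDEA returns.
SAMPLE_OK = {"result": {"status": True, "value": True},
             "detail": {"message": "matching 1 tokens"}}
SAMPLE_WRONG_OTP = {"result": {"status": True, "value": False},
                    "detail": {"message": "wrong otp pin"}}
SAMPLE_ERROR = {"result": {"status": False,
                           "error": {"code": 904, "message": "user not found (constructed)"}}}

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_WRONG_OTP, SAMPLE_ERROR):
        print(classify(sample))
    # Live call against the workshop server (assumed CA file path):
    # print(validate_check("user1", "LDAPpassword123456", ca_file="/etc/ssl/certs/pi-ca.pem"))
```

The distinction in classify is the one that matters for the "users need to match" note: a user name that privacyIDEA cannot find in the realm comes back as status False, not as a failed OTP, so a PAM or plugin configuration that only looks at value would misreport it.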
privacyIDEA LDAP Proxy