Add MFA operation note design doc
mreynolds389 committed Mar 1, 2024
1 parent 7bb501e commit 9047aaf
Showing 3 changed files with 59 additions and 1 deletion.
4 changes: 4 additions & 0 deletions docs/389ds/design/design.md
Expand Up @@ -35,6 +35,10 @@ If you are adding a new design document, use the [template](design-template.html

- [Ansible DS](ansible-ds.html)

## 389 Directory Server 3.0

- [MFA Operation Note For Auditing](mfa-operation-note-design.html)

## 389 Directory Server 2.3

- Rust by default in 2.3
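Review bot: the new link target `mfa-operation-note-design.html` must match the filename of the added page `mfa-operation-note-design.md` exactly, since the design index is rendered by filename; it does here, but the new "389 Directory Server 3.0" section is the only one in this hunk with a single entry, so consider leaving a short description beside the link as the neighbouring entries do so the index stays consistent.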
54 changes: 54 additions & 0 deletions docs/389ds/design/mfa-operation-note-design.md
@@ -0,0 +1,54 @@
---
title: "MFA Operation Note For Auditing"
---

# MFA Operation Note For Auditing
----------------

Overview
--------

Create a new **notes** for the access log to indicate if a bind was part of a MFA plugin(e.g. OTP plugin). This does require the plugin itself setting this flag as there is no way to detect this in DS.

Use Cases
---------

Have a way to audit more information about the bind operation. Currently it's import to log/audit as much about an authentication event as possible.

Design
------

In the **access log** there will be a new "**notes=**" value: **M**

notes=M details="Multi-factor Authentication"

Example:

```
[01/Mar/2024:16:14:09.226235417 -0500] conn=1 op=0 BIND dn="uid=frank,ou=people,dc=example,dc=com" method=128 version=3
[01/Mar/2024:16:14:09.232745250 -0500] conn=1 op=0 RESULT err=0 tag=97 nentries=0 wtime=0.000111632 optime=0.006612223 etime=0.006722325 notes=M details="Multi-factor Authentication" dn="uid=frank,ou=people,dc=example,dc=com"
```

In the **security log**, there is a new value for the bind method "**SIMPLE/MFA**". Note - in the JSON log the forward slash of this value is escaped

```
{ "date": "[01\/Mar\/2024:16:14:09.232748932 -0500] ", "utc_time": "1709327649.232748932", "event": "BIND_SUCCESS", "dn": "uid=frank,ou=people,dc=example,dc=com", "bind_method": "SIMPLE\/MFA", "root_dn": false, "client_ip": "::1", "server_ip": "::1", "ldap_version": 3, "conn_id": 1, "op_id": 0, "msg": "" }
```

Major configuration options and enablement
------------------------------------------

Only the pre-bind authentication plugin can set this flag using the Slapi API:

slapi_pblock_set_flag_operation_notes(pb, SLAPI_OP_NOTE_MFA_AUTH);


Origin
-------------

<https://github.com/389ds/389-ds-base/issues/6112>

Author
------

<[email protected]>
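Review bot: the Overview sentence "This does require the plugin itself setting this flag as there is no way to detect this in DS" should spell out the auditing consequence for log consumers: because `notes=M` is only written when a plugin calls `slapi_pblock_set_flag_operation_notes(pb, SLAPI_OP_NOTE_MFA_AUTH)`, a RESULT line without `notes=M` shows that no plugin reported a second factor, not that none was used, so the absence of the note must not be read as a negative signal. The "Major configuration options and enablement" section should also say at which point in the bind the flag has to be set (it must precede the RESULT/security-log write to appear in either record) and whether "SIMPLE/MFA" is the only bind_method combination the security log can emit, or whether SASL binds routed through an MFA plugin get a value too. Minor typos in the same hunk: "a MFA plugin(e.g. OTP plugin)" should read "an MFA plugin (e.g. OTP plugin)", "it's import to log/audit" should read "it's important to log/audit", and "Create a new **notes**" should be "Create a new **notes** value".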
2 changes: 1 addition & 1 deletion docs/389ds/design/security-audit-log-design.md
Expand Up @@ -78,7 +78,7 @@ Authentication.Authorization
conn_id: '',
op_id: '',
dn: '',
bind_method: 'SIMPLE, SASL/GSSAPI, SASL/DIGEST-MD5, SSLCLIENTAUTH',
bind_method: 'SIMPLE, SIMPLE/MFA, SASL/GSSAPI, SASL/DIGEST-MD5, SSLCLIENTAUTH',
root_dn: true/false,
msg: 'INVALID_PASSWORD, NO_SUCH_ENTRY, ACCOUNT_LOCKED, CERT_MAP_FAILED'
}
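Review bot: the `bind_method` enumeration gains 'SIMPLE/MFA' but the `msg` enumeration on the following line ('INVALID_PASSWORD, NO_SUCH_ENTRY, ACCOUNT_LOCKED, CERT_MAP_FAILED') is unchanged; if a failed second factor can reject the bind, the doc should state which `msg` value that produces (or that it reuses an existing one), and it is worth noting here, as the new design page does, that the slash in this value is escaped as `SIMPLE\/MFA` in the JSON output so parsers match on the escaped form.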