From 9047aaf86c660bd330d9998af629b0f8a2f26cc4 Mon Sep 17 00:00:00 2001
From: Mark Reynolds
Date: Fri, 1 Mar 2024 16:42:07 -0500
Subject: [PATCH] Add MFA operation note design doc
---
 docs/389ds/design/design.md | 4 ++
 .../389ds/design/mfa-operation-note-design.md | 54 +++++++++++++++++++
 .../389ds/design/security-audit-log-design.md | 2 +-
 3 files changed, 59 insertions(+), 1 deletion(-)
 create mode 100644 docs/389ds/design/mfa-operation-note-design.md
diff --git a/docs/389ds/design/design.md b/docs/389ds/design/design.md
index abb0aaeb..bfd21c4a 100644
--- a/docs/389ds/design/design.md
+++ b/docs/389ds/design/design.md
@@ -35,6 +35,10 @@ If you are adding a new design document, use the [template](design-template.html
 - [Ansible DS](ansible-ds.html)
+## 389 Directory Server 3.0
+
+- [MFA Operation Note For Auditing](mfa-operation-note-design.html)
+
 ## 389 Directory Server 2.3
 - Rust by default in 2.3
diff --git a/docs/389ds/design/mfa-operation-note-design.md b/docs/389ds/design/mfa-operation-note-design.md
new file mode 100644
index 00000000..4759df4b
--- /dev/null
+++ b/docs/389ds/design/mfa-operation-note-design.md
@@ -0,0 +1,54 @@
+---
+title: "MFA Operation Note For Auditing"
+---
+
+# MFA Operation Note For Auditing
+----------------
+
+Overview
+--------
+
+Create a new **notes** for the access log to indicate if a bind was part of a MFA plugin(e.g. OTP plugin). This does require the plugin itself setting this flag as there is no way to detect this in DS.
+
+Use Cases
+---------
+
+Have a way to audit more information about the bind operation. Currently it's import to log/audit as much about an authentication event as possible.
+
+Design
+------
+
+In the **access log** there will be a new "**notes=**" value: **M**
+
+ notes=M details="Multi-factor Authentication"
+
+Example:
+
+```
+[01/Mar/2024:16:14:09.226235417 -0500] conn=1 op=0 BIND dn="uid=frank,ou=people,dc=example,dc=com" method=128 version=3
+[01/Mar/2024:16:14:09.232745250 -0500] conn=1 op=0 RESULT err=0 tag=97 nentries=0 wtime=0.000111632 optime=0.006612223 etime=0.006722325 notes=M details="Multi-factor Authentication" dn="uid=frank,ou=people,dc=example,dc=com"
+```
+
+In the **security log**, there is a new value for the bind method "**SIMPLE/MFA**". Note - in the JSON log the forward slash of this value is escaped
+
+```
+{ "date": "[01\/Mar\/2024:16:14:09.232748932 -0500] ", "utc_time": "1709327649.232748932", "event": "BIND_SUCCESS", "dn": "uid=frank,ou=people,dc=example,dc=com", "bind_method": "SIMPLE\/MFA", "root_dn": false, "client_ip": "::1", "server_ip": "::1", "ldap_version": 3, "conn_id": 1, "op_id": 0, "msg": "" }
+```
+
+Major configuration options and enablement
+------------------------------------------
+
+Only the pre-bind authentication plugin can set this flag using the Slapi API:
+
+ slapi_pblock_set_flag_operation_notes(pb, SLAPI_OP_NOTE_MFA_AUTH);
+
+
+Origin
+-------------
+
+
+
+Author
+------
+
+
diff --git a/docs/389ds/design/security-audit-log-design.md b/docs/389ds/design/security-audit-log-design.md
index ce3b542c..1ce90554 100644
--- a/docs/389ds/design/security-audit-log-design.md
+++ b/docs/389ds/design/security-audit-log-design.md
@@ -78,7 +78,7 @@ Authentication.Authorization
 conn_id: '',
 op_id: '',
 dn: '',
- bind_method: 'SIMPLE, SASL/GSSAPI, SASL/DIGEST-MD5, SSLCLIENTAUTH',
+ bind_method: 'SIMPLE, SIMPLE/MFA, SASL/GSSAPI, SASL/DIGEST-MD5, SSLCLIENTAUTH',
 root_dn: true/false,
 msg: 'INVALID_PASSWORD, NO_SUCH_ENTRY, ACCOUNT_LOCKED, CERT_MAP_FAILED'
 }