An API server for performing TOTP (for example, Google Authenticator) one-time-password authentication, with secrets stored in an LDAP backend.
This service is intended to sit behind a frontend web server, such as NGINX, that performs TLS client certificate authorization. As such, the service itself applies no access control or authorization to its API.
Currently the service can be used by any HTTP-enabled client that needs to perform TOTP+LDAP-based authentication. The current API format is parseable by pam_url for use in PAM authentication.
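Since the API has no access control of its own, the frontend must refuse any request that does not present a valid client certificate. The following NGINX server block is an added example of that deployment model, not configuration shipped with this project; the upstream address `127.0.0.1:8080`, the certificate paths and the server name are placeholders.

```nginx
# Added example: NGINX terminating TLS and enforcing client certificate
# authorization in front of the TOTP API. The API itself trusts every
# request it receives, so it must only be reachable through this frontend.
server {
    listen 443 ssl;
    server_name totp-api.example.internal;   # placeholder

    # Server identity
    ssl_certificate     /etc/nginx/tls/totp-api.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/totp-api.key;   # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Client certificate authorization: only certificates chaining to this
    # private CA are accepted. "on" (not "optional") makes NGINX return
    # 400 to any client that presents no certificate or an invalid one.
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;   # placeholder path
    ssl_verify_client      on;
    ssl_verify_depth       2;

    location / {
        # The API must listen on loopback only (placeholder port), so that
        # nothing can bypass the certificate check by connecting directly.
        proxy_pass http://127.0.0.1:8080;

        # Forward the verified client identity for the API's access logs.
        # These headers are informational; authorization already happened.
        proxy_set_header X-SSL-Client-DN     $ssl_client_s_dn;
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_set_header X-Forwarded-For     $remote_addr;
    }
}
```

Confirm the service's own listener is not bound to a routable interface; the check above only protects requests that pass through NGINX.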
This project was conceived to fill a need that totp-cgi did not solve: namely, the provisioning and storage of TOTP secrets, scratch codes, and potential state in an LDAP backend.
- TOTP+LDAP password authentication.
- LDAP-based secret storage with STARTTLS support.
- Generation, provisioning, and deprovisioning of TOTP secrets in the backing store.
- One-time-use scratch code support.
- Easy to deploy - a single JAR.
- Additional secret storage backends.
- State information: rate limiting, code re-use prevention.
- Java 8: Installation instructions will differ based on your platform. General Download Link
- LDAP: OpenLDAP is the only tested implementation currently. The provided cn=config schema needs to be added.
See the included sample configuration.
The configuration is provided by Typesafe Config, so see their documentation for information on things such as includes and environment variable support.
- Clone this repo.
- Run `sbt -Dconfig.file=<path/to/config> run` to run locally.
- Run `sbt assembly` to build a single JAR file in the `target/scala-2.11` directory.
- Run the JAR using `java -Dconfig.file=<path/to/config> -jar <path/to/>totp-api-assembly-0.1.0-SNAPSHOT.jar`.
This project is licensed under the Apache License.