privacyIDEA 2.18.1 on RHEL7 / CentOS7

As of today privacyIDEA 2.18.1 is available for RHEL7 and CentOS7 via our package repository. Packaging privacyIDEA for CentOS 7 is a special service for our Enterprise Customers, to ease updates and bug fixes.

Existing customers can easily update to version 2.18.1. We introduced the changelog of privacyIDEA 2.18.1 earlier.

Update to privacyIDEA 2.18.1

It might be that you need to clear or recreate the Yum Cache, if yum does not find the latest version:

yum makecache

Then you can run the update:

yum update

After the update please ensure that MySQL/MariaDB and httpd are restarted:

service mariadb restart
service httpd restart

privacyIDEA 2.18 – authentication and trust

Today privacyIDEA 2.18 was released. Packages are available in the launchpad repository for Ubuntu 14.04LTS and 16.04LTS. Using the Python package index privacyIDEA can be installed on any distribution.

privacyIDEA manages certificate authorities

The flexible Open Source multi-factor-authentication system privacyIDEA comes with new features in regards to certificate authorities. In addition to OTP tokens, smartphones, email and SMS tokens, Yubikeys and Nitrokeys, privacyIDEA has improved the management capabilities for certificate tokens. The administrator can use a setup wizard to set up a local CA more easily. If a certificate token is revoked, the CRL will be created automatically. Using certificate templates it is easier for administrators and users to enroll the type of certificate which suits them best.

You can get more information from the privacyIDEA blog.


Further Enhancements

privacyIDEA 2.18 comes with a lot of further enhancements which will ease the work with your privacyIDEA installation. You should definitely take a look at the complete Changelog.

If your users are located in an LDAP directory you should check the settings of your LDAP resolver. The new version of privacyIDEA relies on a new version of the Python ldap3 module, and privacyIDEA can now easily verify the validity of the LDAP server certificate, thus mitigating the risk of man-in-the-middle attacks.

Enterprise Edition

NetKnights provides consulting and support with the privacyIDEA Enterprise Edition. Using Open Source optimizes your total cost of ownership, since there are no external limitations which dictate how long or how short you may use the software. With the privacyIDEA Enterprise Edition, including an SLA, you get a warranty and thus operational safety.


Two factor authentication everywhere with privacyIDEA LDAP-Proxy

In order to secure the login process with two factor authentication in an application there are different approaches.

Two-Factor-Authentication via standard protocols and plugins

With privacyIDEA we use standard protocols like RADIUS and SAML. If the application that you need to protect supports RADIUS or SAML, the validation of the second factor can be performed by the privacyIDEA RADIUS Server or by privacyIDEA acting as a SAML Identity Provider. In this case you only need to change the configuration of the application, but you do not need to change the application itself.

Other applications provide an authentication framework, where the authentication can be extended using plugins. For such scenarios many different plugins are available to connect the application to the privacyIDEA Authentication Server. As of now a long list of plugins is already available for applications like TYPO3, ownCloud, NextCloud, WordPress, dokuwiki, django, OTRS, Apache, NGINX, PAM/OpenVPN and also for authenticating at the Windows Desktop.

But some applications neither support RADIUS or SAML nor provide an authentication framework to add 2FA via a plugin. Sometimes there is simply not enough time to develop a plugin in the corresponding programming language.

privacyIDEA LDAP-Proxy

To provide strong authentication for those applications as well, authenticating the users with two factors against privacyIDEA, we developed the privacyIDEA LDAP-Proxy.

The privacyIDEA LDAP-Proxy can be used if the application authenticates its users against an LDAP server like OpenLDAP or Microsoft Active Directory. The privacyIDEA LDAP-Proxy is plugged in between the application and the original LDAP server. The application is reconfigured to no longer use the LDAP server for authentication, but to authenticate users against the LDAP-Proxy. Now the privacyIDEA LDAP-Proxy can authenticate the users, verify the authentication against the privacyIDEA Server and use the original LDAP server only to fetch user data.

The two factor authentication is totally transparent for the user and for the application.

The advantage for the IT department is obvious: the original LDAP server is not touched or modified. The program code of the application is not modified or extended. The application is only reconfigured within the limits of the intended possibilities and supported scenarios. To the application the LDAP-Proxy looks like a normal LDAP server. Thus you will not lose any warranty or support from the vendor of the application.

In contrast to two factor solutions which are solely based on OpenLDAP, the privacyIDEA LDAP-Proxy has one big advantage: it will work with any kind of original LDAP server, be it OpenLDAP, Microsoft Active Directory or Samba.

Example Scenario

In our example scenario we look at the login at SuiteCRM. SuiteCRM is an Open Source Customer Relationship Management solution. There are no two factor plugins for SuiteCRM. But SuiteCRM authenticates its users against LDAP. So we will configure SuiteCRM to authenticate the users against the privacyIDEA LDAP-Proxy to add transparent two factor authentication to SuiteCRM.

We could also look at any other application which authenticates users against an LDAP server. But SuiteCRM suits us well. We install SuiteCRM on the Univention Corporate Server. The installation of the application works like a charm, and SuiteCRM is nicely configured against the Univention Corporate Server Domain Controller, the original LDAP server. This is just to have the test scenario up and running in a few minutes.

We can install the privacyIDEA Authentication Server on any Linux distribution, or we can also install the privacyIDEA Server on the Univention Corporate Server. privacyIDEA is also contained in the Univention App Center and can be installed on the UCS within a few minutes. Then privacyIDEA is set up against the users in the Univention LDAP server automatically, and the administrator only needs to enroll or assign tokens like Yubikeys, OTP tokens or smartphone apps to the users.

SuiteCRM will be configured so that it does not connect to the UCS LDAP server but to the privacyIDEA LDAP-Proxy.

If needed several of the components can be installed on one single system.

Integration

Installing and configuring the LDAP-Proxy

The privacyIDEA LDAP-Proxy is currently available via Github in a beta version. It is developed in Python on top of Twisted, so there are many different ways to deploy it. All necessary configuration is done once in a single configuration file.

The administrator needs to specify where the original (UCS) LDAP server and the privacyIDEA instance are located. In the SuiteCRM setup an additional LDAP service account is needed, which the administrator also adds to the configuration file.

For more detailed information see the file README.md.

To start the LDAP proxy run

twistd -n ldap-proxy -c config.ini

In a production environment you would start the LDAP proxy automatically as a service via systemd. The configuration file config.ini can be stored at the location of your choice. The file example-proxy.ini contains a lot of comments which explain all possible configuration settings.

The configuration file

The administrator needs to adapt the following configuration settings:

The parameter instance in the section privacyidea determines where the LDAP proxy can contact the privacyIDEA Authentication Server.

The administrator needs to define the connection to the original LDAP server in the section ldap-backend, including the IP address or FQDN and the protocol, which can be LDAP, LDAPS or LDAP+STARTTLS.

The parameter endpoint in the ldap-proxy section also contains the information on which port the original LDAP server is listening.

Finally the administrator needs to configure the LDAP attribute which contains the login name. This is done with the parameter attribute in the section user-mapping.

The service account allows common LDAP searches

Simple applications, which only verify the user with a user bind, do not need any additional settings. However, SuiteCRM uses an additional service account for common LDAP searches. The administrator needs to add this service account in the section ldap-proxy with the parameter passthrough-binds and in the section service-account.

Configure SuiteCRM

In SuiteCRM the administrator only needs to reconfigure the LDAP server. Go to the Admin menu, which can be reached in the upper right corner.

Choose Password Management.

Here you can configure the LDAP server. Enter the FQDN or IP address of the new LDAP proxy.

Done.

Conclusion

The SuiteCRM user is now authenticated via the LDAP proxy against privacyIDEA. The complete password entry is sent to privacyIDEA for validation. The user has to enter his static password (probably the LDAP password) and the OTP value. Thus you can also do smooth migrations, since the login looks the same to the user.

Which device (2nd factor) the user has to use for authentication is completely centrally defined by privacyIDEA. The administrator can also assign different device types to the users. Some users can authenticate with Yubikeys, others with OTP tokens or OTP cards, some with a smartphone app like the Google Authenticator and some users may get their login code via SMS or Email.

We will continue developing the LDAP-Proxy and we are looking forward to any feedback. If you want to stay updated watch the Github repository or subscribe to our newsletter.



privacyIDEA 2.17 on Univention Corporate Server

As of now privacyIDEA 2.17 is available on the Univention Corporate Server. We already wrote about the new features in privacyIDEA 2.17. Customers who rely on the Univention Corporate Server can now update to version 2.17 easily out of the Univention App Center.

privacyIDEA Enterprise Edition Subscription

privacyIDEA 4 UCS has the same feature set as the native privacyIDEA. NetKnights provides the usual Enterprise Subscription Levels but also simple Update-Subscriptions.


privacyIDEA 2.17 – Improve Event Handling. Flexible triggering of SMS

privacyIDEA was released in version 2.17.

As always NetKnights provides consultancy and service level agreements for the privacyIDEA Enterprise Edition.

For more details on version 2.17 see the privacyIDEA blog.


NetKnights is sponsor at Chemnitzer Linux days 2017


In 2017 NetKnights will again be a sponsor of the Chemnitzer Linuxtage. We are happy and grateful that so many people organize very interesting open source events on a voluntary basis!

The Chemnitzer Linuxtage take place on March 11th and 12th, 2017 in Chemnitz.

We will present news about privacyIDEA. We applied with two talks about “two factor authentication with ownCloud” and “Experiences, tips and tricks with a rollout of 35,000 users”. In the past Cornelius Kölbel already held several talks at the Chemnitzer Linuxtage.

We are looking forward to your visit in Chemnitz.


privacyIDEA 2.16 available on the Univention Corporate Server

privacyIDEA 2.16.1 is available on the Univention Corporate Server. Now customers with a UCS subscription can also update to version 2.16 and use the improved Event Handler and Web UI. In privacyIDEA4UCS we released the patch level 2.16.1, which, in comparison to 2.16, also comes with a few LDAP improvements concerning redundancy and timeouts.

Different versions of subscription

There are two versions of subscription. The privacyIDEA Enterprise Edition also allows running privacyIDEA on the Univention Corporate Server with an unlimited number of users. The second version is the privacyIDEA4UCS Update Subscription, which allows the user to receive updates of privacyIDEA on the UCS. The privacyIDEA4UCS Update Subscription is only recommended for up to 50 users.


ownCloud Two Factor Authentication

ownCloud and privacyIDEA

With ownCloud 9.1 a new authentication framework for two factor authentication providers was introduced.

We implemented the privacyIDEA ownCloud App which connects ownCloud with privacyIDEA. This way you are able to use many different kinds of authentication devices like smartphones, key fob tokens, Smartdisplayer cards, Yubikeys for your users to authenticate at ownCloud. In addition users can use the very same centrally managed token to authenticate at other services like your VPN, Windows Desktop or SSH.


Use any authentication device with ownCloud.

This is a big improvement for your enterprise environment in contrast to only managing second factors within ownCloud.

ownCloud developers have done a great job on providing this 2FA API. Nevertheless while implementing the first external provider (the privacyIDEA ownCloud App) we realized some shortcomings of the API.

Working together with ownCloud to improve the Two Factor integration

I was able to work closely together with the ownCloud security specialist and the developers to discuss ideas and a strategy for improvements. Thanks a lot for this open mind and the time! We all (ownCloud and NetKnights) are eager to further improve the security and possible integration scenarios of ownCloud.

More information to the user

One idea was to improve the communication with an authentication backend like privacyIDEA. The current implementation only allowed showing “Authentication failed!” in case of an error. But when using an external authentication system it can sometimes prove useful to display more information to the user, since authenticating with two factors is a more complex and error-prone process, also on the user side. Furthermore, displaying more information can be necessary when it comes to scenarios like challenge response.

Anyway, this resulted in an improvement of the 2FA API and a pull request to the ownCloud GitHub repository, which is planned to be contained in the next ownCloud release 9.2. This way the privacyIDEA ownCloud App can display additional information like “privacyIDEA Server down”, “Internal privacyIDEA Error”, “Wrong OTP value”… Thus the user could fix his problem (by using the correct token or flipping the token upside down…) instead of calling the helpdesk and causing additional costs.

Emails and SMS

Another topic that was discussed is the support for external challenge response like SMS, Email or TiQR tokens. While this is still work in progress, the discussion showed that great and sensible solutions and integrations can be achieved when combining ownCloud with privacyIDEA.

Go Secure

Secure your own data, your ownCloud with 2nd factor authentication under your control!

Get the privacyIDEA ownCloud App.


privacyIDEA 2.16 – secure your data – flexible events

On November 10th privacyIDEA 2.16 was released.

New Main Features

privacyIDEA 2.16 comes with three new main features: Improved event handling, subscription management and improved hardware security module support. The hardware security module component was contributed by our partner AxiadIDS.

You can read more about the details in 2.16 on the project page.

Enterprise Edition

NetKnights provides consulting and support for privacyIDEA with the privacyIDEA Enterprise Edition. This way you can protect your investment and get the liability of a professional SLA.