ilyacherevkov / multifactor-ldap-adapter

Ldap MFA proxy server for Linux


multifactor-ldap-adapter

Also available in other languages: Русский

MultiFactor Ldap Adapter is an LDAP proxy server for Linux. It lets you quickly add multifactor authentication to applications that authenticate users through LDAP.

The component is part of the MultiFactor 2FA hybrid solution. It ships with its source code and is distributed free of charge.

The Windows version of the component is available in the MultiFactor.Ldap.Adapter repository.

See the knowledge base for additional guidance on integrating 2FA through LDAP into your infrastructure.


Overview

Component Features

Key functionality:

  • Proxying LDAP network traffic between clients and the directory;
  • Detecting authentication requests in that traffic and confirming access with a second factor on the user's phone.

Key features:

  • LDAP and LDAPS (encrypted TLS channel) support;
  • Interception of authentication requests that use the Simple, Digital and NTLM mechanisms;
  • Bypassing requests from service accounts (Bind DN) without the second factor;
  • Logging to Syslog server or SIEM system.

Use Cases

Use LDAP Adapter Component to implement the following scenarios:

  • Add a second authentication factor to applications connected to Active Directory or other LDAP directories;
  • Enable traffic encryption for applications that do not support encrypted TLS connection.

Prerequisites

  • The component is installed on a Linux server; it has been tested on CentOS, Ubuntu and Debian;
  • Minimum server requirements: 1 CPU, 2 GB RAM, 8 GB HDD (to run the OS and adapter for 100 simultaneous connections — approximately 1500 users);
  • TCP ports 389 (LDAP) and 636 (LDAPS) must be open on the server to receive requests from clients;
  • The server with the component installed needs access to api.multifactor.ru via TCP port 443 (TLS) directly or via HTTP proxy;
  • To interact with Active Directory, the component needs access to the domain server via TCP port 389 (LDAP) or 636 (LDAPS);

Installation

Dependencies Installation

The component runs on the ASP.NET Core 3.1 runtime, which is free and open source, developed by Microsoft and the open-source community, and imposes no restrictions on its use.

To install, run the commands:

CentOS 7

$ sudo rpm -Uvh https://packages.microsoft.com/config/centos/7/packages-microsoft-prod.rpm
$ sudo yum install aspnetcore-runtime-3.1

https://docs.microsoft.com/ru-ru/dotnet/core/install/linux-centos

CentOS 8

$ sudo dnf install aspnetcore-runtime-3.1

https://docs.microsoft.com/ru-ru/dotnet/core/install/linux-centos

Ubuntu 18.04

$ wget https://packages.microsoft.com/config/ubuntu/18.04/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
$ sudo dpkg -i packages-microsoft-prod.deb

$ sudo apt-get update; \
  sudo apt-get install -y apt-transport-https && \
  sudo apt-get update && \
  sudo apt-get install -y aspnetcore-runtime-3.1

https://docs.microsoft.com/ru-ru/dotnet/core/install/linux-ubuntu

Debian 10

$ wget https://packages.microsoft.com/config/debian/10/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
$ sudo dpkg -i packages-microsoft-prod.deb

$ sudo apt-get update; \
  sudo apt-get install -y apt-transport-https && \
  sudo apt-get update && \
  sudo apt-get install -y aspnetcore-runtime-3.1

https://docs.microsoft.com/ru-ru/dotnet/core/install/linux-debian

Component Installation

Create a folder, download and unzip the current version of the component from GitHub:

$ sudo mkdir /opt/multifactor /opt/multifactor/ldap /opt/multifactor/ldap/tls /opt/multifactor/ldap/logs
$ sudo wget https://github.com/MultifactorLab/multifactor-ldap-adapter/releases/latest/download/release_linux_x64.zip
$ sudo unzip release_linux_x64.zip -d /opt/multifactor/ldap

Create a system user mfa and make it the owner of the application folder, readable by that user only:

$ sudo useradd -r mfa
$ sudo chown -R mfa: /opt/multifactor/ldap/
$ sudo chmod -R 700 /opt/multifactor/ldap/

Create a service:

$ sudo vi /etc/systemd/system/multifactor-ldap.service
[Unit]
Description=Multifactor Ldap Adapter

[Service]
WorkingDirectory=/opt/multifactor/ldap/
ExecStart=/usr/bin/dotnet /opt/multifactor/ldap/multifactor-ldap-adapter.dll
Restart=always
# Restart service after 10 seconds if the service crashes:
RestartSec=10
KillSignal=SIGINT
SyslogIdentifier=multifactor-ldap
User=mfa
Environment=ASPNETCORE_ENVIRONMENT=Production
Environment=DOTNET_PRINT_TELEMETRY_MESSAGE=false

# How many seconds to wait for the app to shut down after it receives the initial interrupt signal.
# If the app doesn't shut down in this period, SIGKILL is issued to terminate the app.
# The default timeout for most distributions is 90 seconds.
TimeoutStopSec=30

# Give the executed process the CAP_NET_BIND_SERVICE capability, which allows it to bind to well-known ports (389 and 636) without running as root.
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

Enable autorun:

$ sudo systemctl enable multifactor-ldap

Configuration

The component's parameters are stored in /opt/multifactor/ldap/multifactor-ldap-adapter.dll.config in XML format.

General Parameters

<!-- The address and port (TCP) on which the adapter will listen to LDAP requests -->
<!-- If you specify 0.0.0.0, then the adapter will listen on all network interfaces -->
<add key="adapter-ldap-endpoint" value="0.0.0.0:389"/>

<!-- The address and port (TCP) on which the adapter will listen for LDAPS encrypted requests -->
<!-- If you specify 0.0.0.0, then the adapter will listen on all network interfaces -->
<add key="adapter-ldaps-endpoint" value="0.0.0.0:636"/>

<!-- Active Directory domain address or name, and ldap or ldaps connection scheme -->
<add key="ldap-server" value="ldaps://domain.local"/>

<!-- List of service accounts that do not require a second factor, separated by semicolons -->
<add key="ldap-service-accounts" value="CN=Service Acc,OU=Users,DC=domain,DC=local"/>

<!-- Multifactor API address -->
<add key="multifactor-api-url" value="https://api.multifactor.ru"/>
<!-- NAS-Identifier parameter to connect to the Multifactor API - from resource details in your account -->
<add key="multifactor-nas-identifier" value=""/>
<!-- Shared Secret parameter to connect to the Multifactor API - from resource details in your account -->
<add key="multifactor-shared-secret" value=""/>

<!-- Access to the Multifactor API via HTTP proxy (optional) -->
<!--add key="multifactor-api-proxy" value="http://proxy:3128"/-->

<!-- Logging level: 'Debug', 'Info', 'Warn', 'Error' -->
<add key="logging-level" value="Debug"/>
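A pre-start check of the configuration file described above, written here as an added example (it is not the project's own code): it reads every <add key="..." value="..."/> entry and reports what an operator would want caught before the service goes live, such as empty API credentials, a plaintext ldap:// connection to the directory, or Debug logging left on. It assumes the usual .NET appSettings wrapper around the entries; the sample configuration is constructed from the README values.

```python
# Added example (not part of the adapter): lint multifactor-ldap-adapter.dll.config
# before starting the service. Assumes the .NET appSettings layout the README shows
# (<add key="..." value="..."/> entries); any wrapper element is accepted.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

LOG_LEVELS = {"Debug", "Info", "Warn", "Error"}

def load_settings(xml_text):
    # Return {key: value} for every <add key=... value=.../> element, wherever it sits.
    root = ET.fromstring(xml_text)
    return {e.get("key"): e.get("value", "") for e in root.iter("add") if e.get("key")}

def check_settings(cfg):
    """Return a list of findings; an empty list means the config passed."""
    findings = []
    for key in ("adapter-ldap-endpoint", "adapter-ldaps-endpoint"):
        host, sep, port = cfg.get(key, "").rpartition(":")
        if key in cfg and not (host and sep and port.isdigit() and 0 < int(port) < 65536):
            findings.append(f"{key}: expected host:port, got {cfg[key]!r}")
    server = urlsplit(cfg.get("ldap-server", ""))
    if server.scheme not in ("ldap", "ldaps") or not server.hostname:
        findings.append("ldap-server: must be ldap://host or ldaps://host")
    elif server.scheme == "ldap":
        findings.append("ldap-server: plaintext ldap:// to the directory; prefer ldaps://")
    if urlsplit(cfg.get("multifactor-api-url", "")).scheme != "https":
        findings.append("multifactor-api-url: must use https")
    for key in ("multifactor-nas-identifier", "multifactor-shared-secret"):
        if not cfg.get(key, "").strip():
            findings.append(f"{key}: empty; copy it from the resource details in your account")
    for dn in filter(None, (s.strip() for s in cfg.get("ldap-service-accounts", "").split(";"))):
        if not all("=" in rdn for rdn in dn.split(",")):
            findings.append(f"ldap-service-accounts: {dn!r} is not a DN (attr=value pairs expected)")
    if cfg.get("logging-level") not in LOG_LEVELS:
        findings.append("logging-level: must be one of " + ", ".join(sorted(LOG_LEVELS)))
    elif cfg["logging-level"] == "Debug":
        findings.append("logging-level: Debug is verbose; switch to Info or Warn for production")
    return findings

# Constructed sample: the README defaults with the two API secrets still empty.
SAMPLE_CONFIG = """<configuration><appSettings>
<add key="adapter-ldap-endpoint" value="0.0.0.0:389"/>
<add key="adapter-ldaps-endpoint" value="0.0.0.0:636"/>
<add key="ldap-server" value="ldaps://domain.local"/>
<add key="ldap-service-accounts" value="CN=Service Acc,OU=Users,DC=domain,DC=local"/>
<add key="multifactor-api-url" value="https://api.multifactor.ru"/>
<add key="multifactor-nas-identifier" value=""/>
<add key="multifactor-shared-secret" value=""/>
<add key="logging-level" value="Debug"/>
</appSettings></configuration>"""
```

Run check_settings(load_settings(open(path).read())) against the real file and refuse to start the service while the list is non-empty.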

Start-Up

After editing the configuration file, start the component:

$ sudo systemctl start multifactor-ldap

You can check the status with the command:

$ sudo systemctl status multifactor-ldap

Logs

The logs of the component are located in the /opt/multifactor/ldap/logs folder as well as in the system log.

Certificate for TLS Encryption

If the LDAPS endpoint is enabled, the adapter creates a self-signed SSL certificate the first time it starts up and saves it in the tls folder (/opt/multifactor/ldap/tls) in pfx format without a password. This certificate is used for server authentication and traffic encryption. You can replace it with your own certificate if necessary.

Uninstallation

Uninstall .NET Core

To view the SDK versions and .NET Core runtimes installed on your machine, use the command:

dotnet --info

Next, run the commands:

CentOS 7

$ sudo yum remove aspnetcore-runtime-3.1

CentOS 8

$ sudo dnf remove aspnetcore-runtime-3.1

Ubuntu 18.04

$ sudo apt-get remove aspnetcore-runtime-3.1

Debian 10

$ sudo apt-get remove aspnetcore-runtime-3.1

Uninstall Component

Stop the multifactor-ldap service, remove it from the autorun and delete the unit configuration file:

$ sudo systemctl stop multifactor-ldap
$ sudo systemctl disable multifactor-ldap
$ sudo rm /etc/systemd/system/multifactor-ldap.service

Reload the systemd settings by scanning the system for changed units:

$ sudo systemctl daemon-reload

Delete the adapter files and system user mfa:

$ sudo rm -rf /opt/multifactor/ldap/
$ sudo userdel -r mfa

License

Please note, the license does not entitle you to modify the source code of the Component or create derivative products based on it. The source code is provided as-is for evaluation purposes.
