##### ##### This file is part of Mail-in-a-Box-LDAP which is released under the ##### terms of the GNU Affero General Public License as published by the ##### Free Software Foundation, either version 3 of the License, or (at ##### your option) any later version. See file LICENSE or go to ##### https://github.com/downtownallday/mailinabox-ldap for full license ##### details. ##### # # MiaB-LDAP's directory schema for time-based one time passwords (TOTP) # objectIdentifier MiabLDAPmfa MiabLDAProot:1 objectIdentifier MiabLDAPmfaAttributeType MiabLDAPmfa:2 objectIdentifier MiabLDAPmfaObjectClass MiabLDAPmfa:3 # secret consists of base32 characters (see RFC 4648) attributetype ( MiabLDAPmfaAttributeType:1 DESC 'TOTP secret' NAME 'totpSecret' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORDERED 'VALUES' EQUALITY caseExactIA5Match ) # tokens are a base-10 string of N digits, but set the syntax to # IA5String anyway attributetype ( MiabLDAPmfaAttributeType:2 DESC 'TOTP last token used' NAME 'totpMruToken' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORDERED 'VALUES' EQUALITY caseExactIA5Match ) # the time in nanoseconds since the epoch when the mru token was last # used. the time will also be set when a new entry is created even if # the corresponding mru token is blank attributetype ( MiabLDAPmfaAttributeType:3 DESC 'TOTP last token used time' NAME 'totpMruTokenTime' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORDERED 'VALUES' EQUALITY caseExactIA5Match ) # The label is currently any text supplied by the user, which is used # as a reminder of where the secret is stored when logging in (where # the authenticator app is, that holds the secret). eg "my samsung # phone" attributetype ( MiabLDAPmfaAttributeType:4 DESC 'TOTP device label' NAME 'totpLabel' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORDERED 'VALUES' EQUALITY caseIgnoreIA5Match ) # The TOTP objectClass objectClass ( MiabLDAPmfaObjectClass:1 NAME 'totpUser' DESC 'MiaB-LDAP TOTP settings for a user' SUP top AUXILIARY MUST ( totpSecret $ totpMruToken $ totpMruTokenTime $ totpLabel ) )