OPNsense Forum » Archive » 19.1 Legacy Series » LDAP + OTP Authentication
Topic: LDAP + OTP Authentication (Read 10862 times)
guywyers (Newbie, Posts: 13, Karma: 3)
LDAP + OTP Authentication « on: March 03, 2019, 12:55:56 pm »
Just upgraded to 19.2 and was delighted to find LDAP + 2FA authentication.
I succeeded in setting up a server (LDAP + Timebased One Time Password), but now I'm stuck in the next step:
How do I set up the OTP seeds for these LDAP users?
At first I thought I would have to import them as for normal LDAP users, but that doesn't seem possible. Did I overlook something?
Thanks for your help.

newsense (Hero Member, Posts: 1036, Karma: 77)
Re: LDAP + OTP Authentication « Reply #1 on: March 03, 2019, 04:16:22 pm »
The QR code needs to be scanned by their phone app. Keep in mind this is a security feature, so sending out emails with QR codes might not be the best avenue.

guywyers (Newbie, Posts: 13, Karma: 3)
Re: LDAP + OTP Authentication « Reply #2 on: March 03, 2019, 04:48:20 pm »
Thanks, but the question is how do I get to see the QR code?
Say I have a user "johny" defined somewhere with the info accessible through LDAP. Where can I assign johny his initial OTP seed?
Should I explicitly add johny as a user? This seems strange, because in the simple LDAP scenario (without OTP) I can at least import users from the LDAP.

newsense (Hero Member, Posts: 1036, Karma: 77)
Re: LDAP + OTP Authentication « Reply #3 on: March 04, 2019, 04:30:59 am »
Without LDAP you add a user and configure it. After saving you can see the QR code on demand and use the Tester function to verify it works.
I would expect this to help you - Step number 3 to be precise
https://docs.opnsense.org/manual/how-tos/user-ldap.html

jayjay (Newbie, Posts: 2, Karma: 0)
Re: LDAP + OTP Authentication « Reply #4 on: September 27, 2019, 12:33:41 pm »
Hello,
I have exactly the same question. How to get the QR code for LDAP users?

franco (Administrator, Hero Member, Posts: 17657, Karma: 1611)
Re: LDAP + OTP Authentication « Reply #5 on: September 27, 2019, 12:35:10 pm »
On the individual user's account page.

jayjay (Newbie, Posts: 2, Karma: 0)
Re: LDAP + OTP Authentication « Reply #6 on: September 27, 2019, 01:36:23 pm »
@Franco
I use LDAP, so I have no individual page for the user.
If I use local users then there is no problem getting the QR code.
Or do I have to import the user from LDAP to local?
Best regards

franco (Administrator, Hero Member, Posts: 17657, Karma: 1611)
Re: LDAP + OTP Authentication « Reply #7 on: September 27, 2019, 05:52:28 pm »
Well, yes, and, no... you need to import the LDAP users to the OPNsense so you can create OTP tokens for them and then you get to see the QR code.
This is necessary because the OTP is done locally on the OPNsense and the actual password is deferred to LDAP.
Cheers,
Franco
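
The split described in the last reply (OTP checked against a locally stored seed, password passed on to LDAP), sketched as an added example that is not taken from the thread or from OPNsense's code. The token-before-password credential layout, the `fake_ldap_bind` stand-in and the sample users are assumptions.

```python
import base64, hashlib, hmac, struct

def totp(seed_b32, at, digits=6, step=30):
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time `at`."""
    key = base64.b32decode(seed_b32)
    mac = hmac.new(key, struct.pack(">Q", int(at) // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def authenticate(user, credential, local_seeds, ldap_bind, now, digits=6, window=1):
    """Two-stage check: TOTP against the local seed, then password via LDAP.

    Assumption: `credential` is the token immediately followed by the password.
    """
    seed = local_seeds.get(user)
    if seed is None:
        # The user may exist in LDAP, but nothing local holds an OTP seed.
        return False, "no local OTP seed (user not imported)"
    token, password = credential[:digits].encode(), credential[digits:]
    # Accept the current time step and `window` steps either side (clock drift).
    candidates = [totp(seed, now + d * 30, digits).encode()
                  for d in range(-window, window + 1)]
    if not any([hmac.compare_digest(token, c) for c in candidates]):
        return False, "bad token"
    if not ldap_bind(user, password):
        return False, "LDAP rejected password"
    return True, "ok"

# Constructed sample data: RFC 6238 test seed, hypothetical directory entries.
SEEDS = {"johny": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"}  # imported user only
LDAP_DIR = {"johny": "s3cret", "alice": "hunter2"}      # alice never imported

def fake_ldap_bind(user, password):
    """Stand-in for a real LDAP simple bind (assumption, not a real client)."""
    return user in LDAP_DIR and hmac.compare_digest(
        LDAP_DIR[user].encode(), password.encode())

if __name__ == "__main__":
    t = 59  # RFC 6238 test time; the 6-digit token is 287082
    for user, cred in [("johny", "287082s3cret"), ("alice", "287082hunter2"),
                       ("johny", "287082wrong")]:
        print(user, authenticate(user, cred, SEEDS, fake_ldap_bind, now=t))
```

The `alice` case is the situation raised in the thread: her LDAP password is valid, but with no local entry holding a seed there is nothing to check the token against.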