bgmilne@staff.telkomsa.net wrote:
On Tuesday 30 October 2007 12:40:38 hadmut@danisch.de wrote:
Full_Name: Hadmut Danisch
Version: 2.3.38
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (85.180.64.93)
Hi,
that's a feature request:
Sometimes it is necessary to use other authentication methods than the regular password login, e.g. when using an insecure computer in an internet cafe to log in to a webmail frontend, which accesses an IMAP server, which authenticates against LDAP. It would require authenticating through one-time passwords, HTTP cookies or other unusual methods.
Actually, SASL provides a way to use other methods like one-time passwords, but it is still too limited and there are too many programs (LDAP clients) out there that don't support SASL authentication.
So wouldn't the existing {SASL} scheme for userPassword (which allows a simple bind to be authenticated against a SASL identity) be sufficient?
Simple Bind actually doesn't lend itself well to most one-time-password schemes, because they require the ability for a server to send a challenge string to a client so the client can select/generate the correct OTP. You could kludge this by introducing a new Bind-in-Progress error code but no existing clients would recognize it or know what to do with it. (Too bad the LDAP_SASL_BIND_IN_PROGRESS error code is so specific; it really would have been smarter to minimize differences between SASL Binds and Simple Binds, rather than widen the differences even further.)
(The idea being, you could still implement the OTP mech with Simple Bind if the client first sends a Bind request with DN and bogus password - the OTP mech can return an error at that point with the Challenge string in the message text. Then the client can provide that challenge to the user, reprompt for a password, and carry on.)
Therefore it would be nice if slapd could be configured to do the password checking via some external plugin or program, which could do any sort of unusual checking. This way a user could enter a one-time password just as a normal LDAP login password and pass it through the chain of programs, e.g. mail client - mail daemon - LDAP or browser - webmailer - IMAP - LDAP.
Well, any implementation of this would have the same problems as the existing {SASL} scheme, of losing some of the security SASL provides.
True, but not really an issue for an OTP mechanism; since the password is single-use it doesn't really need any protection.
Anyway, slapd *can* be configured to do password checking with external plugins. And there are already several plugins provided in the contrib section of the source tree. Feel free to write more plugins to do whatever kind of checking you want, and submit your plugins back to the ITS. This particular ITS will be closed, the feature already exists.
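The Simple Bind "kludge" sketched above (bogus first Bind, challenge returned in the error's message text, second Bind carrying the OTP) and the point that a single-use password needs no transport protection can both be shown in a small simulation. This is an added illustration, not OpenLDAP code and not one of the contrib password plugins: the `OTP challenge:` message-text convention, the truncated-HMAC OTP derivation, the class and function names and the sample DN and secret are all assumptions made for the example. Result codes are the LDAP values for `success` (0) and `invalidCredentials` (49).

```python
"""Simulation of an OTP mechanism layered over LDAP Simple Bind, as
described in the ITS thread: the first Bind with a bogus password yields
invalidCredentials with the challenge in the message text, the client
prompts for the OTP and rebinds. Added example; message format, OTP
derivation and names are assumptions, not OpenLDAP's own."""
import hashlib
import hmac
import secrets

LDAP_SUCCESS = 0                       # LDAP resultCode values (RFC 4511)
LDAP_INVALID_CREDENTIALS = 49
CHALLENGE_PREFIX = "OTP challenge: "   # assumed convention for the message text


def compute_otp(secret: bytes, challenge: str) -> str:
    """Derive the one-time password for a challenge (assumed: HMAC-SHA256, 16 hex chars)."""
    mac = hmac.new(secret, challenge.encode(), hashlib.sha256).hexdigest()
    return mac[:16]


class OtpBindServer:
    """Server side: one outstanding challenge per bind DN."""

    def __init__(self, users: dict):
        self.users = users     # dn -> shared OTP secret (constructed sample data)
        self.pending = {}      # dn -> challenge issued by the previous Bind

    def bind(self, dn: str, password: str):
        """Return (resultCode, diagnosticMessage) like an LDAP BindResponse."""
        secret = self.users.get(dn)
        if secret is None:
            # Unknown DN gets the same code as a wrong OTP, so DNs cannot be enumerated
            return LDAP_INVALID_CREDENTIALS, ""
        challenge = self.pending.pop(dn, None)
        if challenge is None:
            # First Bind: issue a fresh challenge inside the error's message text
            challenge = secrets.token_hex(8)
            self.pending[dn] = challenge
            return LDAP_INVALID_CREDENTIALS, CHALLENGE_PREFIX + challenge
        # Second Bind: the challenge was consumed by pop() above, so the OTP
        # derived from it is single-use; a replay will only earn a new challenge
        expected = compute_otp(secret, challenge).encode()
        if hmac.compare_digest(password.encode(), expected):
            return LDAP_SUCCESS, ""
        return LDAP_INVALID_CREDENTIALS, ""


def client_login(server: OtpBindServer, dn: str, secret: bytes):
    """Client side: bogus Bind, read the challenge, obtain the OTP, rebind.
    Returns (resultCode, otp) so the caller can see what went over the wire."""
    code, text = server.bind(dn, "bogus")
    if code != LDAP_INVALID_CREDENTIALS or not text.startswith(CHALLENGE_PREFIX):
        return code, None
    challenge = text[len(CHALLENGE_PREFIX):]
    otp = compute_otp(secret, challenge)   # a real client would prompt the user here
    code, _ = server.bind(dn, otp)
    return code, otp


if __name__ == "__main__":
    dn = "uid=hadmut,dc=example,dc=com"            # constructed sample DN
    users = {dn: b"constructed-shared-secret"}
    srv = OtpBindServer(users)
    code, otp = client_login(srv, dn, users[dn])
    print("login result:", code)
    # Replaying the OTP seen on the wire: a new challenge is issued and the old
    # OTP no longer matches it, which is why the thread says it needs no protection
    print("replay results:", srv.bind(dn, otp)[0], srv.bind(dn, otp)[0])
```

The two-Bind dance is exactly what the thread calls a kludge: nothing in the wire protocol tells a stock client that the first `invalidCredentials` carries a challenge rather than a failure, so only a client written for this mechanism can complete the login.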