--On Thursday, July 18, 2019 7:37 PM +0000 gv@members.scinet.supercomputing.org wrote:
> - Allow the OTP from the previous time window to be accepted, provided
> there has been no successful bind in or after that time window. This avoids false authentication failures if for example the time window rolls over as the OTP is being entered or transmitted.
This should be a configuration item that is an integer value of the number of seconds to allow outside of the time slice, with 0 meaning only the default time slice is allowed. Allowing people to authenticate outside of the time slice is of course a security issue and should not be allowed by default (so the default value of the parameter should be 0).
Regards, Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
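The acceptance rule discussed in this thread, worked through as an added example (this is not the OpenLDAP otp overlay's code, and the parameter name `grace_seconds` is an assumption; the mail does not name the setting). It implements RFC 4226 HOTP / RFC 6238 TOTP, accepts an OTP from an earlier time window only while that window ended no more than `grace_seconds` ago, defaults `grace_seconds` to 0, and records the counter of the last successful bind per user so that a bind in or after a window blocks later use of that window's code. The same last-counter check also rejects replay of the current window's code, which goes slightly beyond the mail's wording. The key is the RFC 4226/6238 test key, used here only because its expected codes are published.

```python
import hashlib
import hmac
import struct
import time

STEP = 30    # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6

# Published test key from RFC 4226 / RFC 6238; not a real credential.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step, digits)


class OtpValidator:
    """Validates TOTP binds with a configurable grace period outside the current time slice.

    grace_seconds (assumed name) is the number of seconds past the end of an earlier
    window during which that window's code is still accepted; 0 (the default) means
    only the current time slice is accepted.
    """

    def __init__(self, grace_seconds: int = 0, step: int = STEP):
        if grace_seconds < 0:
            raise ValueError("grace_seconds must be >= 0")
        self.grace_seconds = grace_seconds
        self.step = step
        # user -> counter (time window) of that user's last successful bind
        self._last_counter: dict = {}

    def candidate_counters(self, now: int) -> list:
        """Current window first, then earlier windows whose end is within grace_seconds of now."""
        current = now // self.step
        counters = [current]
        c = current - 1
        while c >= 0 and (c + 1) * self.step > now - self.grace_seconds:
            counters.append(c)
            c -= 1
        return counters

    def verify(self, user: str, secret: bytes, otp: str, now=None) -> bool:
        now = int(time.time()) if now is None else now
        last = self._last_counter.get(user, -1)
        for c in self.candidate_counters(now):
            if c <= last:
                # A bind already succeeded in or after this window: do not accept its code.
                continue
            if hmac.compare_digest(hotp(secret, c), otp):
                self._last_counter[user] = c
                return True
        return False


def demo() -> dict:
    """Exercise the rule with the RFC test key at fixed times (no wall clock involved)."""
    code_w1 = hotp(RFC_TEST_SECRET, 1)   # code for window 1 (seconds 30..59)
    code_w2 = hotp(RFC_TEST_SECRET, 2)   # code for window 2 (seconds 60..89)

    strict = OtpValidator()              # default: grace_seconds = 0
    lenient = OtpValidator(grace_seconds=5)
    return {
        "strict_in_window": strict.verify("alice", RFC_TEST_SECRET, code_w1, now=59),
        "strict_replay": strict.verify("alice", RFC_TEST_SECRET, code_w1, now=59),
        "strict_after_rollover": strict.verify("bob", RFC_TEST_SECRET, code_w1, now=62),
        "lenient_after_rollover": lenient.verify("carol", RFC_TEST_SECRET, code_w1, now=62),
        "lenient_past_grace": lenient.verify("dave", RFC_TEST_SECRET, code_w1, now=66),
        # A bind in window 2 blocks a later attempt with the window-1 code even within grace.
        "lenient_bind_then_old": (
            lenient.verify("erin", RFC_TEST_SECRET, code_w2, now=60)
            and not lenient.verify("erin", RFC_TEST_SECRET, code_w1, now=62)
        ),
    }
```

With the default of 0 only the current time slice is ever checked; setting `grace_seconds` to a value below the step length admits at most one earlier window, and only until `grace_seconds` have elapsed since that window closed.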