https://bugs.openldap.org/show_bug.cgi?id=10169
Issue ID: 10169
Summary: Add support for token only authentication with otp overlay
Product: OpenLDAP
Version: 2.6.6
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: overlays
Assignee: bugs@openldap.org
Reporter: quanah@openldap.org
Target Milestone: ---
Currently the OTP overlay is password + token. It would be nice to be able to configure it so it can run in a token-only mode, similar to the slapo-totp overlay in contrib. This would allow us to have a project-supported solution and retire that contrib module.
Quanah Gibson-Mount quanah@openldap.org changed:
What             | Removed      | Added
-----------------|--------------|------
Target Milestone | ---          | 2.7.0
Keywords         | needs_review |
--- Comment #1 from Ondřej Kuzník ondra@mistotebe.net ---
Maybe the overlay could intercept a Compare against the oathH/TOTPToken, but I'm not sure we should react to a missing userPassword differently. Concerned some security would be compromised; people might be able to set an empty userPassword if they really want this? Might not be a good idea for SASL binds on the other hand, so probably not.
--- Comment #2 from Bastian bastian-bugopenldap21@t6l.de ---
Thanks for your comment. I'd like to add that our site would be very interested in this feature. Currently, we rely on the pw-totp module from contrib, and we would be very happy to convert to the supported overlay.
In our case it's a core element of the design that there is no keyboard-interactive userPassword available during authentication. The 1FA is done by sshd pubkey authentication. The 2FA is a subsequent PAM module which does an LDAP bind call against the entries beneath ou=totp.
Picking up your thought about an empty userPassword: Maybe it is possible to introduce a password schema like `{OTPONLY}` to selectively set entries in the otp only authentication mode.