--On Thursday, February 1, 2024 10:55 AM +0100 Bastian Tweddell b.tweddell@fz-juelich.de wrote:
The reason was, that we use it as a TOTP-only solution. I had a testsetup with slapo-otp as well, but this module required userPassword + TOTP, IIRC; where we cannot not have userPassword.
Our setup is to use TOTP as 2FA for ssh logins against the centralized LDAP infrstructure. The ssh-login 1FA is ssh pubkey (also in LDAP) and 2FA is TOTP. To achieve this we use a PAM module which does an ldapbind against the user-DN which has the userPassword schema '{TOTP1}'.
Maybe I wrong or outdated here and slapo-opt also supports TOTP-only authentication now?
After discussion in today's project team meeting, we've opened an issue to have this supported by slapo-otp in the future:
https://bugs.openldap.org/show_bug.cgi?id=10169
If you follow that bug, once a solution is in, we'd always welcome testing of it. :)
Regards, Quanah