Some time ago I created the dynalogin (http://www.dynalogin.org) solution for two-factor authentication.
I'm just contemplating how to make it easier to integrate, and making it convenient to use with OpenLDAP seems like a good strategy: can anyone comment on that?
The initial thoughts that I have about the subject:
- SASL based solution (dynalogin has digest capability already, so it could be adapted for SASL PLAIN or DIGEST-MD5)
- should not prevent password logins (user should be able to use either password or HOTP code)
- should enable people to use it indirectly (e.g. if someone already has pam_ldap working, they should be able to add dynalogin to their OpenLDAP server and get immediate benefit)
- use cases: UNIX login, high-security webmail login, VPN and OpenID provider backed by OpenLDAP
I know that SASL already supports OTP, but that is not HOTP, it is OPIE (or S/Key) RFC 2289: http://tools.ietf.org/html/rfc2289
whereas HOTP is RFC 4226: http://www.ietf.org/rfc/rfc4226.txt
HOTP is considered more secure and more widely implemented.
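For readers unfamiliar with the difference, here is the HOTP algorithm from RFC 4226 together with the validator-side counter handling, written as an added example for this thread (it is not dynalogin's code). It uses the RFC's own test secret "12345678901234567890"; the look-ahead window size of 5 is an assumption, chosen to illustrate resynchronisation.

```python
import hashlib
import hmac
import struct

# The ASCII test secret from RFC 4226 Appendix D (20 bytes).
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) as defined in RFC 4226 section 5.3.

    HMAC-SHA-1 over the 8-byte big-endian counter, then "dynamic truncation":
    the low nibble of the last MAC byte selects a 4-byte window, whose
    top bit is masked off before reduction modulo 10^digits.
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, stored_counter: int, submitted: str,
                look_ahead: int = 5, digits: int = 6):
    """Server-side check with a look-ahead window (RFC 4226 section 7.4).

    Tokens may be pressed without logging in, so the client counter can run
    ahead of the server's. We accept a code from the next `look_ahead`
    counter values and, on success, return the NEW counter the server must
    persist (one past the matched value) so the same code cannot be replayed.
    Returns None on failure; counters behind the stored one are never accepted.
    """
    for candidate in range(stored_counter, stored_counter + look_ahead + 1):
        expected = hotp(secret, candidate, digits)
        if hmac.compare_digest(expected, submitted):  # constant-time compare
            return candidate + 1
    return None
```

Successful verification must persist the returned counter before the login is reported as accepted, otherwise the window becomes a replay window.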