Howard Chu hyc@symas.com wrote:
> Daniel Pocock wrote:
>> Some time ago I created the dynalogin ( http://www.dynalogin.org ) solution for two-factor authentication.
>> I'm just contemplating how to make it easier to integrate, and making it convenient to use with OpenLDAP seems like a good strategy: can anyone comment on that?
> This is not the place to make that happen. LDAP uses SASL as its extensible authentication mechanism; you should be looking there.
>> The initial thoughts that I have about the subject:
>> - SASL-based solution (dynalogin has digest capability already, so it could be adapted for SASL PLAIN or DIGEST-MD5)
> Yes, provide a Cyrus-SASL plugin implementing your mechanism and then it will immediately be usable in OpenLDAP and a number of other software packages.
I'm familiar with SASL and how it is accessed with ldapsearch, etc.
My reasons for raising the subject with OpenLDAP users are:
- many other apps don't do SASL directly; they use an LDAP search or sometimes a bind to validate a logon, so I'm more likely to come across potential use cases here
- I'm curious about how useful the SASL plugin will be without modifying such apps, and any practical suggestions about how to support use cases that I may not have anticipated
- there seem to be some choices, e.g. I could just offer the PLAIN mechanism and the HOTP token is submitted as a password, or it could be offered as some other arbitrary mechanism: does that choice impact OpenLDAP users significantly?
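The last bullet (PLAIN, or a plain simple bind, with the HOTP token sent as the password) only works if the backend treats that password string as a one-time counter-based code rather than a static secret. The following is an added illustration, not code from dynalogin, Cyrus-SASL or OpenLDAP: it implements the RFC 4226 HOTP computation and the check a bind/PLAIN backend would run against it, with a look-ahead window so a client that burned a few tokens can resynchronise, and with the counter advanced on success so a captured token is rejected on replay. The `HotpAccount` class, the window size and the counter handling are assumptions for the example; the secret is the RFC 4226 Appendix D test secret so the values can be verified against the RFC.

```python
import hmac
import hashlib
import struct
from typing import List, Optional

# RFC 4226 Appendix D test secret (ASCII "12345678901234567890"), used here
# so the computed codes can be checked against the RFC's published vectors.
# In a real deployment the per-user secret comes from token provisioning.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation on the low nibble of the last byte, then the low `digits`
    decimal digits, zero-padded."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpAccount:
    """Server-side state for one user: shared secret plus the next counter
    the server expects.  Hypothetical class for this example only."""

    def __init__(self, secret: bytes, counter: int = 0, window: int = 5,
                 digits: int = 6) -> None:
        self.secret = secret
        self.counter = counter   # next counter value the server will accept
        self.window = window     # look-ahead for tokens the client generated but never sent
        self.digits = digits

    def find_counter(self, candidate: str) -> Optional[int]:
        """Return the counter in [counter, counter + window) whose HOTP value
        equals `candidate`, or None.  Every position in the window is checked
        with a constant-time compare and the loop never exits early, so timing
        does not reveal how far ahead of the server the client is."""
        found = None
        cand = candidate.encode("ascii")
        for c in range(self.counter, self.counter + self.window):
            expected = hotp(self.secret, c, self.digits).encode("ascii")
            if hmac.compare_digest(expected, cand) and found is None:
                found = c
        return found

    def check_password(self, password: str) -> bool:
        """What a PLAIN / simple-bind backend does with the string the client
        sent as its password.  On success the counter moves past the matched
        value, so presenting the same token again fails (replay protection)."""
        if (len(password) != self.digits or not password.isascii()
                or not password.isdigit()):
            return False
        matched = self.find_counter(password)
        if matched is None:
            return False
        self.counter = matched + 1
        return True


def demo() -> List[bool]:
    """First token, replay of it, a resync three steps ahead (inside the
    window), then a token beyond the window.  Expected [True, False, True, False]."""
    acct = HotpAccount(RFC4226_SECRET, counter=0, window=3)
    return [
        acct.check_password(hotp(RFC4226_SECRET, 0)),  # fresh token at the expected counter
        acct.check_password(hotp(RFC4226_SECRET, 0)),  # same token again: counter already advanced
        acct.check_password(hotp(RFC4226_SECRET, 3)),  # client skipped two tokens; still within window
        acct.check_password(hotp(RFC4226_SECRET, 9)),  # outside the look-ahead window
    ]


if __name__ == "__main__":
    print(demo())
```

Two practical points follow from this shape. The token is still transmitted as a password, so a PLAIN or simple-bind deployment needs TLS exactly as a static password would; and because success mutates the counter, the backend must serialise the check-and-advance per user, or two concurrent binds could both succeed with the same token.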