Howard Chu <hyc(a)symas.com> wrote:
Daniel Pocock wrote:
> Some time ago I created the dynalogin ( http://www.dynalogin.org )
> solution for two-factor authentication.
>
> I'm just contemplating how to make it easier to integrate, and making it
> convenient to use with OpenLDAP seems like a good strategy: can anyone
> comment on that?
This is not the place to make that happen. LDAP uses SASL as its extensible
authentication mechanism; you should be looking there.
>
> The initial thoughts that I have about the subject:
>
> - SASL based solution (dynalogin has digest capability already, so it
> could be adapted for SASL PLAIN or DIGEST-MD5)
Yes, provide a Cyrus-SASL plugin implementing your mechanism and then it will
immediately be usable in OpenLDAP and a number of other software packages.
I'm familiar with SASL and how it is accessed with ldapsearch, etc.
My reasons for raising the subject with OpenLDAP users are:
- many other apps don't do SASL directly, they use an LDAP search or sometimes a bind
  to validate a logon, so I'm more likely to come across potential use cases here
- I'm curious about how useful the SASL plugin will be without modifying such apps,
  and any practical suggestions about how to support use cases that I may not have
  anticipated
- there seem to be some choices, e.g. I could just offer the PLAIN mechanism and the HOTP
  token is submitted as a password, or it could be offered as some other arbitrary mechanism
  - does that choice impact OpenLDAP users significantly?
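As an added example (not dynalogin's, Cyrus-SASL's or OpenLDAP's code) of the server-side check the last bullet implies: when an HOTP value arrives as the "password" of a PLAIN or simple bind, the verifier must accept it only within a look-ahead window and then advance the stored counter past the matching value, otherwise the same token could be replayed. The shared secret below is the RFC 4226 test vector, used here as constructed demo data.

```python
import hmac
import hashlib
import struct

# RFC 4226 test secret; constructed demo data, not a real user key.
TEST_SECRET = b"12345678901234567890"
DIGITS = 6
LOOKAHEAD = 5  # how many counters beyond the stored one we accept


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """Compute an RFC 4226 HOTP value (HMAC-SHA1, dynamic truncation)."""
    msg = struct.pack(">Q", counter)  # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpAccount:
    """Server-side state for one user: shared secret plus next expected counter."""

    def __init__(self, secret: bytes, counter: int = 0):
        self.secret = secret
        self.counter = counter  # lowest counter value we will still accept

    def verify_password(self, submitted: str) -> bool:
        """Treat the submitted 'password' as an HOTP value (the PLAIN / simple-bind case).

        Succeeds only if it matches one of the next LOOKAHEAD counters; on success the
        stored counter moves past the match, so a captured token cannot be reused and
        an older, skipped token is no longer valid either.
        """
        for c in range(self.counter, self.counter + LOOKAHEAD):
            expected = hotp(self.secret, c).encode()
            if hmac.compare_digest(expected, submitted.encode()):
                self.counter = c + 1
                return True
        return False
```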