On Wed, Mar 19, 2025 at 12:43:09PM -0400, Craig Huckabee wrote:
> I’m talking about pass through authentication that uses saslauthd.
> It solves the problem I tried to describe - I want to use our RADIUS based 2FA system for authentication (Yubikey) with systems that don’t support RADIUS but do support LDAP authentication.
> I can pass the username/password supplied in the LDAP bind request to RADIUS utilizing saslauthd.
> But I want to do this in a way that maintains the standard username/password binds as we have some systems where we don’t want to enforce 2FA.
> Rather than create a whole new LDAP infrastructure for this, I’d hoped to use an overlay to create a new rPeople ou that was a translucent overlay of the People ou, except for userPassword which would contain the required information to trigger pass through authentication.
> It would be even better if we could offer pass through authentication or not based on the IP/host name of the source for the bind attempt.
> If that’s not possible with openldap then we’ll look into alternatives.
Hi Craig, if you only need to be able to say "keep processing this Bind as usual" vs. "I'll do it myself for this user and give you a result here and now", the sock overlay plus custom code that OpenLDAP talks to might be a way out at least in the short term. It also gives you all the connection context you've mentioned if configured appropriately.
Don't think you have a way to read the DB data this way, that's only available to actual code overlays/slapi that run inside the slapd process. Not that our slapi interface is being actively tested, it might have bit-rotted slightly and you won't get 2.4 code updates from the project anymore.
Regards,
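As an illustration of the sock-overlay approach suggested in the reply (added example, not code from the thread or from the OpenLDAP project), below is a small Python listener that speaks the slapd-sock(5) line protocol: slapd writes a "BIND" block ("msgid:", optional "peername:"/"connid:" lines when those extensions are enabled, "suffix:", "dn:", "method:", "credlen:", "cred:", terminated by a blank line), and the listener answers either "CONTINUE" (let slapd do the ordinary userPassword bind) or "RESULT" with an LDAP result code (the listener decided the bind itself). The routing rule here keys on the peer's source address, which is exactly the per-host decision asked for above. Assumed: the overlay is configured with something like "overlay sock", "socketpath /var/run/bindcheck.sock", "extensions peername connid" and "sockops bind"; the address prefixes, the "radius_verify" callable and the "uid=" naming convention are constructed placeholders, and the real RADIUS/2FA check is left to whatever client you already use with saslauthd.

```python
import os
import socket
from typing import Callable, Dict, List, Tuple

# Constructed policy: binds arriving from these source prefixes must pass the
# RADIUS/2FA path; everyone else gets the ordinary userPassword bind from slapd.
TWO_FA_NETWORKS = ("10.20.0.", "192.0.2.")


def parse_sock_request(text: str) -> Tuple[str, Dict[str, str], List[str]]:
    """Parse one slapd-sock request block: operation name on the first line,
    'key: value' lines after it, terminated by an empty line. Repeated
    'suffix:' lines are collected in a list; 'cred' is re-sliced using
    'credlen' so a password containing a newline is not truncated."""
    lines = text.split("\n")
    op = lines[0].strip()
    fields: Dict[str, str] = {}
    suffixes: List[str] = []
    for line in lines[1:]:
        if not line.strip():
            break
        key, _, value = line.partition(": ")
        if key == "suffix":
            suffixes.append(value)
        else:
            fields[key] = value
    marker = text.find("\ncred: ")
    if marker != -1 and fields.get("credlen", "").isdigit():
        start = marker + len("\ncred: ")
        fields["cred"] = text[start:start + int(fields["credlen"])]
    return op, fields, suffixes


def peer_ip(peername: str) -> str:
    """slapd reports the peer as 'IP=addr:port' (IPv6 as 'IP=[addr]:port');
    return just the address part."""
    addr = peername[3:] if peername.startswith("IP=") else peername
    if addr.startswith("["):
        return addr[1:addr.index("]")]
    return addr.rsplit(":", 1)[0]


def dn_to_user(dn: str) -> str:
    """Hypothetical mapping from bind DN to RADIUS user name: value of the first RDN."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def decide_bind(request: str, radius_verify: Callable[[str, str], bool]) -> str:
    """Return the response block slapd expects. CONTINUE hands the bind back to
    slapd; RESULT with code 0 / 49 (success / invalidCredentials) ends it here."""
    op, fields, _ = parse_sock_request(request)
    if op != "BIND":
        return "CONTINUE\n"  # only binds are routed here; never touch other ops
    if not peer_ip(fields.get("peername", "")).startswith(TWO_FA_NETWORKS):
        return "CONTINUE\n"  # source not subject to 2FA: normal userPassword bind
    user = dn_to_user(fields.get("dn", ""))
    cred = fields.get("cred", "")
    if user and cred and radius_verify(user, cred):
        return "RESULT\ncode: 0\n\n"
    # Never fall back to the LDAP password for a 2FA-enforced source.
    return "RESULT\ncode: 49\ninfo: RADIUS/2FA authentication failed\n\n"


def serve(path: str, radius_verify: Callable[[str, str], bool]) -> None:
    """Accept one slapd-sock request per connection on a UNIX socket and answer it."""
    if os.path.exists(path):
        os.unlink(path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, 0o660)  # only the slapd user/group should reach this socket
    srv.listen(8)
    while True:
        conn, _ = srv.accept()
        with conn:
            buf = b""
            while b"\n\n" not in buf:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
            reply = decide_bind(buf.decode("utf-8", "replace"), radius_verify)
            conn.sendall(reply.encode("utf-8"))


if __name__ == "__main__":
    # Placeholder verifier; replace with a real RADIUS client call.
    serve("/var/run/bindcheck.sock", lambda user, password: False)
```

Because slapd sends the credentials in clear over this socket, keep the socket path local to the host and restrict its permissions to the slapd user; the listener should also log the "connid" line rather than the password when recording decisions.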