On Tue, Dec 10, 2019 at 09:25:17AM +0100, Côme Chilliet wrote:
On Wednesday 4 December 2019, 13:28:36 CET Quanah Gibson-Mount wrote:
Although perhaps this isn't exactly what was being asked for. I.e., the module provides the ability to enable TOTP use with OpenLDAP, whereas perhaps you're looking for a way to store data in LDAP as a backend for a TOTP system?
Yes, this is more what I was looking for. How does the module handle the storing? Is there no specific schema for this?
If you're looking to use OpenLDAP as a full-fledged, fully configurable OTP backend (e.g. the ability to dynamically switch between TOTP and HOTP, configure the code length and time interval, etc), you're probably wanting something like this:
https://symas.com/two-factor-authentication-everywhere/
Though note that that would appear to require a subscription to OpenLDAP Gold. Or use a different tool like privacyIDEA or something similar, though that pulls the functionality out of the directory.
If all you want is to use TOTP to authenticate your users at the directory level (either standalone or combined with a static password as multi-factor), then the module Dave initially mentioned is suitable. I have been using it as such in production for several months. Actually my implementation is somewhat of a hybrid approach: I use privacyIDEA to handle the enrollment and key management process so users have a nice web/GUI interface, but store the keys in OpenLDAP and handle the actual authentication there so no external API calls are needed.
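The thread above contrasts a fully configurable OTP backend (switchable TOTP/HOTP, adjustable code length and time step) with a directory-side verifier that only checks a code against a stored key. The following is an added example written for this page; it is not code from the OpenLDAP TOTP module, privacyIDEA or the Symas product, and it does not touch LDAP at all. It implements HOTP (RFC 4226) and TOTP (RFC 6238) with the parameters the message lists as configurable, plus the verification step a directory-side backend has to get right: a bounded clock-drift window and rejection of a counter that has already been accepted (replay). The `last_counter` bookkeeping is an assumption about how such a backend would track state; the shared secret and timestamps come from the RFC test vectors.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    if not 6 <= digits <= 8:
        raise ValueError("RFC 4226 code length must be 6, 7 or 8 digits")
    if counter < 0:
        raise ValueError("counter must be non-negative")
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    # 31-bit big-endian integer starting at the dynamic offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, t0: int = 0,
         digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter floor((T - T0) / X)."""
    if step <= 0:
        raise ValueError("time step must be positive")
    return hotp(secret, (unix_time - t0) // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, unix_time: int, last_counter: int,
                window: int = 1, step: int = 30, digits: int = 6) -> Optional[int]:
    """Directory-side check of a submitted TOTP code.

    Accepts the code if it matches any time-step counter within +/- `window`
    steps of the current one, but never a counter at or below `last_counter`
    (the most recent counter already accepted for this user, assumed to be
    persisted by the backend). Returns the matched counter on success so the
    caller can store it as the new `last_counter`; returns None on failure.
    """
    current = unix_time // step
    for candidate in range(current - window, current + window + 1):
        if candidate < 0 or candidate <= last_counter:
            continue  # out of range, or already used: reject replay
        # constant-time compare so a wrong code costs the same as a right one
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 shared test secret (ASCII "12345678901234567890")
    seed = b"12345678901234567890"
    print("HOTP counter 0:", hotp(seed, 0))            # 755224
    print("TOTP at T=59, 8 digits:", totp(seed, 59, digits=8))  # 94287082
    now = int(time.time())
    current_code = totp(seed, now)
    accepted = verify_totp(seed, current_code, now, last_counter=-1)
    print("first use accepted at counter:", accepted)
    print("replay accepted:", verify_totp(seed, current_code, now, last_counter=accepted))
```

The replay guard is the part that matters when the secret lives in the directory: the backend must persist the accepted counter per user, otherwise a captured code stays valid for the whole drift window. Widening `window` trades tolerance for client clock skew against the number of codes accepted at any instant.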