On Sat, Aug 23, 2014 at 5:57 PM, David R <ajrtin(a)hotmail.com> wrote:
So I was wondering if one of you has ever implemented this kind of
solution and how...
I've implemented such a solution. My solution isn't an OpenLDAP solution;
it just has OpenLDAP as a key part of the mix in our infrastructure. For
various business reasons, I needed per-application, per-user variability of
whether to use OTP or not. Unfortunately, I can't yet publish the code.
However, our particular solution is pretty simple to implement. (And I
should probably note that we're not actually using RADIUS; we're using our
OTP server's SOAP interface, instead. However, we could use RADIUS. We
just get slightly more flexibility from the SOAP interface than is provided
by the RADIUS interface.)
I used Node.js and the ldapjs module to create a limited functionality LDAP
proxy. It's pretty simple, at a total of 131 lines of code, including
comments, whitespace, etc. It only handles searches and binds, which was
sufficient for the applications at issue. In the directory, I maintain a
group of users who are required to use OTP to authenticate. When a bind
request comes in, I check the DN against the membership of the group. If
the user must OTP, I run off to the OTP server to complete the
authentication. If not, I pass the authentication through to the OpenLDAP
Obviously, the clients need to use the proxy as their directory server, in
place of the actual server.