On Sat, Aug 23, 2014 at 5:57 PM, David R firstname.lastname@example.org wrote:
So I was wondering if one of you has ever implemented this kind of solution and how...
I've implemented such a solution. My solution isn't an OpenLDAP solution; it just has OpenLDAP as a key part of the mix in our infrastructure. For various business reasons, I needed per-application, per-user variability of whether to use OTP or not. Unfortunately, I can't yet publish the code. However, our particular solution is pretty simple to implement. (And I should probably note that we're not actually using RADIUS; we're using our OTP server's SOAP interface, instead. However, we could use RADIUS. We just get slightly more flexibility from the SOAP interface than is provided by the RADIUS interface.)
I used Node.js and the ldapjs module to create a limited-functionality LDAP proxy. It's pretty simple, at a total of 131 lines of code, including comments, whitespace, etc. It only handles searches and binds, which was sufficient for the applications at issue. In the directory, I maintain a group of users who are required to use OTP to authenticate. When a bind request comes in, I check the DN against the membership of the group. If the user must use OTP, I run off to the OTP server to complete the authentication. If not, I pass the authentication through to the OpenLDAP server.
Obviously, the clients need to use the proxy as their directory server, in place of the actual server.
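The bind-routing policy described in the reply above, written out as an added example (this is not the poster's proxy code, and the ldapjs server/client plumbing is left out). The two backends, the OTP verifier and the pass-through bind against OpenLDAP, are injected as hypothetical async functions named `otp` and `ldap`, with constructed in-memory stand-ins so it runs offline. Two details a practitioner wants in such a proxy are shown: the group-membership check compares normalised DNs (attribute types are case-insensitive and the usual naming attributes use caseIgnoreMatch, so a raw string compare could let `UID=Alice,...` bypass a group that lists `uid=alice,...`), and an unreachable OTP server fails the bind rather than falling back to the password-only path.

```javascript
'use strict';
// Added example, not the original poster's proxy: the bind-routing policy of
// an LDAP proxy that sends binds for members of an "OTP required" group to an
// OTP verifier and passes every other bind through to the real directory.
// The ldapjs plumbing is omitted; `backends.otp` and `backends.ldap` are
// hypothetical injected async functions so the policy can be run offline.

// Normalise a DN for comparison with group-member values: drop whitespace
// around RDN separators and '=', then lower-case. Attribute types are always
// case-insensitive, and uid/cn/ou/dc values use caseIgnoreMatch in the
// standard schema, so a plain string compare would let "UID=Alice,..." slip
// past a membership check that only lists "uid=alice,...".
function normalizeDN(dn) {
  return dn
    .split(/(?<!\\),/)                                // unescaped commas only
    .map((rdn) => rdn.trim().replace(/\s*=\s*/, '='))
    .join(',')
    .toLowerCase();
}

// Constructed sample group entry standing in for the one kept in the directory.
const OTP_GROUP = {
  dn: 'cn=otp-required,ou=groups,dc=example,dc=com',
  member: [
    'uid=alice,ou=people,dc=example,dc=com',
    'uid=carol,ou=people,dc=example,dc=com',
  ],
};

function requiresOTP(bindDN, group) {
  const wanted = normalizeDN(bindDN);
  return group.member.some((m) => normalizeDN(m) === wanted);
}

// Complete one bind. Returns { ok, via } (plus `error` when the OTP path fails
// for an operational reason). Never falls back from OTP to password-only.
async function routeBind(bindDN, password, group, backends) {
  if (!requiresOTP(bindDN, group)) {
    const ok = await backends.ldap(bindDN, password);
    return { ok: ok === true, via: 'ldap' };
  }
  try {
    const ok = await backends.otp(bindDN, password);
    return { ok: ok === true, via: 'otp' };
  } catch (err) {
    // Fail closed: an unreachable OTP server is a failed bind, not a bypass.
    return { ok: false, via: 'otp', error: String(err.message || err) };
  }
}

// Constructed in-memory stand-ins for the two real backends.
const PASSWORDS = {
  'uid=alice,ou=people,dc=example,dc=com': 'alice-pw',
  'uid=bob,ou=people,dc=example,dc=com': 'bob-pw',
};
const fakeBackends = {
  // OTP server: expects the password followed by a 6-digit code; 123456 is "valid".
  otp: async (dn, pw) => {
    const m = /^(.*)(\d{6})$/.exec(pw);
    return !!m && PASSWORDS[normalizeDN(dn)] === m[1] && m[2] === '123456';
  },
  // Pass-through to OpenLDAP: plain password check.
  ldap: async (dn, pw) => PASSWORDS[normalizeDN(dn)] === pw,
};
const otpDownBackends = {
  otp: async () => { throw new Error('OTP server unreachable'); },
  ldap: fakeBackends.ldap,
};

// Run the interesting cases and return them so they can be inspected or asserted on.
async function demo() {
  const alice = 'uid=alice,ou=people,dc=example,dc=com';
  const bob = 'uid=bob,ou=people,dc=example,dc=com';
  return {
    bobPassThrough: await routeBind(bob, 'bob-pw', OTP_GROUP, fakeBackends),
    alicePasswordOnly: await routeBind(alice, 'alice-pw', OTP_GROUP, fakeBackends),
    aliceWithOTP: await routeBind(alice, 'alice-pw123456', OTP_GROUP, fakeBackends),
    aliceMixedCase: await routeBind('UID=Alice, OU=People, DC=example, DC=com', 'alice-pw', OTP_GROUP, fakeBackends),
    aliceOtpDown: await routeBind(alice, 'alice-pw123456', OTP_GROUP, otpDownBackends),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  demo().then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

In the real proxy the group lookup would be a search against OpenLDAP on each bind (or a cached copy of the group); if that lookup itself fails, treat the bind the same way as an OTP outage and refuse it, since silently passing the bind through would turn any directory hiccup into a way around the second factor. An empty bind DN (anonymous bind) is never in the group and so is passed through unchanged.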