On Sat, Aug 23, 2014 at 5:57 PM, David R <ajrtin@hotmail.com> wrote:
> So I was wondering if one of you has ever implemented this kind of solution and how...

I've implemented such a solution.  My solution isn't an OpenLDAP solution; it just has OpenLDAP as a key part of the mix in our infrastructure.  For various business reasons, I needed per-application, per-user variability of whether to use OTP or not.  Unfortunately, I can't yet publish the code.  However, our particular solution is pretty simple to implement.  (And I should probably note that we're not actually using RADIUS; we're using our OTP server's SOAP interface, instead.  However, we could use RADIUS.  We just get slightly more flexibility from the SOAP interface than is provided by the RADIUS interface.)

I used Node.js and the ldapjs module to create a limited functionality LDAP proxy.  It's pretty simple, at a total of 131 lines of code, including comments, whitespace, etc.  It only handles searches and binds, which was sufficient for the applications at issue.  In the directory, I maintain a group of users who are required to use OTP to authenticate.  When a bind request comes in, I check the DN against the membership of the group.  If the user must OTP, I run off to the OTP server to complete the authentication.  If not, I pass the authentication through to the OpenLDAP server.

Obviously, the clients need to use the proxy as their directory server, in place of the actual server.
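The following is an added example of the bind-routing core of such a proxy; it is not the author's code (which is unpublished) and is not part of the original message. The functions otpAuthenticate() and ldapBind() are hypothetical stand-ins for the call to the OTP server (SOAP or RADIUS) and the pass-through simple bind to OpenLDAP; the adapter at the end assumes the ldapjs bind-handler shape (req.dn, req.credentials, res.end(), next(err)) and takes the error constructor as a parameter so the file runs without ldapjs installed. The group members and credentials are constructed sample data.

```javascript
// Added example of the OTP-or-passthrough bind routing described above.
// Not the author's code; the backends are hypothetical and injected so the
// logic runs offline and can be unit-tested.

// Normalize a DN before comparing it with the group's member values:
// lower-case, no whitespace around ',' or '='. Sufficient when both DNs come
// from the same directory; a full RFC 4514 normalizer would also handle
// escaping and multi-valued RDNs. Comparing raw strings would let
// "UID=Alice, ou=People,..." slip past the OTP requirement.
function normalizeDn(dn) {
  return String(dn)
    .split(/\s*,\s*/)
    .map((rdn) => rdn.replace(/\s*=\s*/, '=').trim().toLowerCase())
    .join(',');
}

// otpGroupMembers: the 'member' values of the "must use OTP" group.
function createBindRouter({ otpGroupMembers, otpAuthenticate, ldapBind }) {
  const otpRequired = new Set(otpGroupMembers.map(normalizeDn));

  return {
    requiresOtp(dn) {
      return otpRequired.has(normalizeDn(dn));
    },

    // Returns { ok, path, reason } so the caller can map it to a bind response.
    bind(dn, credentials) {
      // Refuse anonymous and unauthenticated (empty password) binds at the
      // proxy: an empty password must reach neither the OTP check nor
      // OpenLDAP, where it would become a "successful" anonymous bind.
      if (!dn || !credentials) {
        return { ok: false, path: 'none', reason: 'anonymous or unauthenticated bind refused' };
      }
      if (otpRequired.has(normalizeDn(dn))) {
        try {
          const ok = otpAuthenticate(dn, credentials);
          return { ok, path: 'otp', reason: ok ? null : 'otp rejected' };
        } catch (err) {
          // Fail closed: an unreachable OTP server must not fall back to a
          // plain password bind against OpenLDAP.
          return { ok: false, path: 'otp', reason: 'otp server error: ' + err.message };
        }
      }
      const ok = ldapBind(dn, credentials);
      return { ok, path: 'ldap', reason: ok ? null : 'invalid credentials' };
    },
  };
}

// Adapter with the shape of an ldapjs bind handler (assumption: req.dn is the
// bind DN, req.credentials the password, res.end() signals success, next(err)
// failure). The real proxy would pass ldap.InvalidCredentialsError and
// register the returned function with server.bind(suffix, handler).
function ldapjsBindHandler(router, InvalidCredentialsError) {
  return function handleBind(req, res, next) {
    const result = router.bind(req.dn.toString(), req.credentials);
    if (!result.ok) {
      return next(new InvalidCredentialsError());
    }
    res.end();
    return next();
  };
}

// --- Constructed sample data (not real users or secrets) --------------------
const SAMPLE_OTP_GROUP = [
  'uid=alice, ou=people, dc=example, dc=com',
  'UID=carol,OU=People,DC=example,DC=com',
];

// Stand-in OTP server: alice's valid code is 123456; carol's call fails.
function sampleOtpAuthenticate(dn, code) {
  const n = normalizeDn(dn);
  if (n.startsWith('uid=carol,')) throw new Error('connection refused');
  return n.startsWith('uid=alice,') && code === '123456';
}

// Stand-in OpenLDAP simple bind: only bob with password hunter2 is valid.
function sampleLdapBind(dn, password) {
  return normalizeDn(dn) === 'uid=bob,ou=people,dc=example,dc=com' && password === 'hunter2';
}

function sampleRouter() {
  return createBindRouter({
    otpGroupMembers: SAMPLE_OTP_GROUP,
    otpAuthenticate: sampleOtpAuthenticate,
    ldapBind: sampleLdapBind,
  });
}

// Runs the sample binds and returns the routing decisions.
function demo() {
  const router = sampleRouter();
  return [
    ['uid=alice,ou=people,dc=example,dc=com', '123456'],  // OTP accepted
    ['uid=alice,ou=people,dc=example,dc=com', 'hunter2'], // password is not an OTP
    ['uid=bob,ou=people,dc=example,dc=com', 'hunter2'],   // passed through to OpenLDAP
    ['uid=carol,ou=people,dc=example,dc=com', '654321'],  // OTP server down: fail closed
    ['', ''],                                             // anonymous: refused
  ].map(([dn, cred]) => ({ dn, ...router.bind(dn, cred) }));
}
```

Call demo() to see each decision. Because the proxy now sees every password and OTP code in the clear, clients have to reach it over LDAPS or StartTLS, and the real proxy also has to forward search requests to OpenLDAP, which this routing core leaves out.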