Ondřej Kuzník wrote:
On Tue, May 15, 2018 at 07:06:41PM +0200, Michael Ströder wrote:
Douglas Duckworth wrote:
Does OpenLDAP support use of one time passwords or 2FA for the Manager account?
There are several solutions:
- contrib/slapd-modules/passwd/totp/
A proof-of-concept overlay which AFAICS replaces checking a normal password by checking a generated TOTP value. So not really 2FA.
We have been looking into how to best make it an actual 2FA solution, though.
Did you consider using OATH-LDAP's schema? That's the most flexible way of doing it, which is appreciated.
Furthermore I'm very paranoid regarding security of shared secrets. In current OATH-LDAP they are asymmetrically encrypted with only an *external* component having access to the private key(s).
It would be nice to join forces developing something which is more integrated with OpenLDAP though.
Ciao, Michael.
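To make the "not really 2FA" distinction from the thread concrete, here is an added example (not code from the thread, from OpenLDAP's contrib totp overlay or from OATH-LDAP): an RFC 6238 TOTP verifier, a check that accepts the TOTP code alone in place of the password, and a check that requires both a static password and a valid code. The secret is the RFC 6238 test-vector key, and a plain SHA-256 stands in for whatever password storage scheme the directory uses.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test-vector secret ("12345678901234567890" in base32); constructed input, not from the thread.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP = 30      # time-step length in seconds
DIGITS = 6     # length of the generated code
WINDOW = 1     # accept one step of clock drift on either side


def totp(secret_b32: str, counter: int) -> str:
    """RFC 6238: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def verify_totp(secret_b32: str, code: str, now: int) -> bool:
    """Constant-time compare against the codes for the current and adjacent steps."""
    counter = now // STEP
    return any(hmac.compare_digest(totp(secret_b32, counter + d), code)
               for d in range(-WINDOW, WINDOW + 1))


def hash_password(password: str) -> str:
    """Stand-in for the directory's stored password hash (assumption: plain SHA-256)."""
    return hashlib.sha256(password.encode()).hexdigest()


def check_totp_only(secret_b32: str, submitted: str, now: int) -> bool:
    """Single factor: the TOTP value is accepted *instead of* the password."""
    return verify_totp(secret_b32, submitted, now)


def check_two_factor(secret_b32: str, stored_hash: str, submitted: str, now: int) -> bool:
    """Two factors: static password concatenated with the TOTP code; both must verify."""
    if len(submitted) <= DIGITS:
        return False
    static, code = submitted[:-DIGITS], submitted[-DIGITS:]
    pw_ok = hmac.compare_digest(hash_password(static), stored_hash)
    return pw_ok and verify_totp(secret_b32, code, now)


if __name__ == "__main__":
    print("current code:", totp(RFC_SECRET_B32, int(time.time()) // STEP))
```

Submitting only the code passes `check_totp_only` but fails `check_two_factor`, which is exactly the gap the thread describes.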