Howard Chu wrote:
Am 15.05.2018 um 19:06 schrieb Michael Ströder:
Douglas Duckworth wrote:
Does OpenLDAP support use of one time passwords or 2FA for the Manager account?
There are several solutions:
- contrib/slapd-modules/passwd/totp/
A proof of concept overlay which AFAICS replaces checking a normal password by checking a generated TOTP value. So not really 2FA.
But certainly OTP, which is part of the original question. Unfortunately Google Authenticator only uses 6 digits. With a longer input, OTP is sufficiently strong for most authentication purposes all by itself, no need for a 2nd factor. (See S/Key, OPIE)
I strongly disagree: If the shared secret (or token) gets lost / stolen there's no more authentication. I'd never use OTP alone.
Ciao, Michael.