On 03/11/12 22:10 +0100, Daniel Pocock wrote:
Howard Chu hyc@symas.com wrote:
Daniel Pocock wrote:
Some time ago I created the dynalogin ( http://www.dynalogin.org ) solution for two-factor authentication.
I'm just contemplating how to make it easier to integrate, and making it convenient to use with OpenLDAP seems like a good strategy: can anyone comment on that?
Yes, provide a Cyrus-SASL plugin implementing your mechanism and then it will immediately be usable in OpenLDAP and a number of other software packages.
I'm familiar with SASL and how it is accessed with ldapsearch, etc.
My reasons for raising the subject with OpenLDAP users are
- many other apps don't do SASL directly, they use an LDAP search or sometimes a bind to validate a log on, so I'm more likely to come across potential use cases here
'log on' implies some kind of shell access, or scenario where pam is involved, which you already support. Although SASL is the more elegant solution, it's really only necessary where you're doing searching or direct LDAP connections between the client and the server (or where you want to reduce duplicated work where you're also authenticating, say, IMAP and SMTP connections).
- I'm curious about how useful the SASL plugin will be without modifying such apps, and any practical suggestions about how to support use cases that I may not have anticipated
http://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer http://www.cyrussasl.org/docs/cyrus-sasl/2.1.25/components.php
- there seem to be some choices, e.g. I could just offer the PLAIN mechanism and the HOTP token is submitted as a password, or it could be offered as some other arbitrary mechanism - does that choice impact OpenLDAP users significantly?
That's pretty much 'just a password'. PLAIN will not support two factor authentication. In that case, it would be easier to just run SASL PLAIN and pass-through authentication to saslauthd, with its pam backend.
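For readers following the "HOTP token submitted as a password" option, here is what the server behind saslauthd/pam has to check once the PLAIN credential arrives. This is an added example, not dynalogin's code and not from the thread: an RFC 4226 HOTP verifier with the look-ahead resynchronisation window; the shared secret, window size and per-user counter state are assumptions for illustration.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server-side state for one user: shared secret plus the next expected counter.

    Assumed layout; a real deployment keeps this in the user database.
    """

    def __init__(self, secret: bytes, counter: int = 0, window: int = 5):
        self.secret = secret
        self.counter = counter   # next counter value the token should produce
        self.window = window     # look-ahead for tokens pressed but never submitted

    def verify(self, submitted: str) -> bool:
        """Accept the OTP if it matches any counter in [counter, counter + window).

        On success the counter moves past the accepted value, so the same
        OTP can never be replayed and values behind the counter are rejected.
        """
        for i in range(self.window):
            candidate = hotp(self.secret, self.counter + i)
            if hmac.compare_digest(candidate, submitted):  # constant-time compare
                self.counter += i + 1
                return True
        return False


if __name__ == "__main__":
    # RFC 4226 Appendix D test secret; first value is 755224
    v = HotpVerifier(b"12345678901234567890")
    print(v.verify("755224"), v.verify("755224"))  # True False (replay rejected)
```

Note that this alone is still one factor: the OTP is bound to the token, but PLAIN gives the server nothing else to check unless a separate PIN or password is verified alongside it.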