On 03/11/12 22:10 +0100, Daniel Pocock wrote:
Howard Chu <hyc(a)symas.com> wrote:
>Daniel Pocock wrote:
>>Some time ago I created the dynalogin ( http://www.dynalogin.org
>>solution for two-factor authentication.
>>I'm just contemplating how to make it easier to integrate, and making
>>it convenient to use with OpenLDAP seems like a good strategy: can
>>anyone comment on that?
>Yes, provide a Cyrus-SASL plugin implementing your mechanism and
>will immediately be usable in OpenLDAP and a number of other software
I'm familiar with SASL and how it is accessed with ldapsearch, etc
My reasons for raising the subject with OpenLDAP users are
- many other apps don't do SASL directly, they use an LDAP search or
sometimes a bind to validate a log on, so I'm more likely to come across
potential use cases here
'log on' implies some kind of shell access, or scenario where pam is
involved, which you already support. Although SASL is the more elegant
solution, it's really on necessary where you're doing searching or direct
LDAP connections between the client and the server (or where you want to
reduce duplicated work where you're also authenticating, say, IMAP and SMTP
- I'm curious about how useful the SASL plugin will be without
such apps, and any practical suggestions about how to support use cases
that I may not have anticipated
- there seem to be some choices, e.g. I could just offer the PLAIN
mechanism and the HOTP token is submitted as a password, or it could be
offered as some other arbitrary mechanism - does that choice impact
OpenLDAP users significantly?
That's pretty much 'just a password'. PLAIN will not support two factor
authentication. In that case, it would be easier to just run SASL PLAIN and
pass-through authentication to saslauthd, with its pam backend.