Dear all,
I am a newbie to OpenLDAP.
I would like to know whether OpenLDAP can interface with other authentication methods. For example, fingerprint authentication.
Thanks in advance for all your help.
Best regards, Chris
On 11/13/2011 17:53, Chris Lee wrote:
Dear all,
I am a newbie to OpenLDAP.
I would like to know whether OpenLDAP can interface with other authentication methods. For example, fingerprint authentication.
Thanks in advance for all your help.
Best regards, Chris
On Linux/Unix you can use PAM with OpenLDAP as one authentication method, and your biometric device as another. You can easily configure PAM so that you can require EITHER (biometric OR OpenLDAP) for authentication, or require BOTH (biometric AND OpenLDAP) for authentication.
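The EITHER/BOTH choice described in the reply above, as an added example that is not part of the original thread: a simplified Python model of Linux-PAM's `required`, `requisite` and `sufficient` control flags, evaluated over two constructed `auth` stacks. The module names `pam_fprintd.so` and `pam_ldap.so` are assumptions; the thread names no modules.

```python
# Added example: simplified model of Linux-PAM "auth" control flags.
# Assumptions: pam_fprintd.so (fingerprint) and pam_ldap.so (OpenLDAP bind)
# are module names chosen here. "optional" and bracketed controls are not modelled.

EITHER = """
auth  sufficient  pam_fprintd.so
auth  required    pam_ldap.so
"""

BOTH = """
auth  required  pam_fprintd.so
auth  required  pam_ldap.so
"""

def parse(stack):
    """Return [(control, module)] for the auth lines of a PAM config."""
    rules = []
    for line in stack.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth":
            rules.append((fields[1], fields[2]))
    return rules

def authenticate(stack, results):
    """Evaluate a stack; results maps module name -> True (success) or False."""
    failed = succeeded = False
    for control, module in parse(stack):
        ok = results[module]
        if control in ("required", "requisite"):
            if ok:
                succeeded = True
            elif control == "requisite":
                return False          # deny at once, skip the rest of the stack
            else:
                failed = True         # deny at the end, but keep running the stack
        elif control == "sufficient" and ok and not failed:
            return True               # allow at once; later modules never run
        # a failing "sufficient" module is ignored
    return succeeded and not failed

def truth_table(stack):
    """Outcome for every (fingerprint ok, LDAP ok) combination."""
    return {(fp, ldap): authenticate(stack, {"pam_fprintd.so": fp, "pam_ldap.so": ldap})
            for fp in (True, False) for ldap in (True, False)}

if __name__ == "__main__":
    for name, stack in (("EITHER", EITHER), ("BOTH", BOTH)):
        for (fp, ldap), ok in truth_table(stack).items():
            print(f"{name}: fingerprint={fp} ldap={ldap} -> {'allow' if ok else 'deny'}")
```

Order matters: with `required pam_ldap.so` placed before `sufficient pam_fprintd.so`, a fingerprint match no longer admits the user when the LDAP bind fails.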
Chris Lee wrote:
Dear all,
I am a newbie to OpenLDAP.
I would like to know whether OpenLDAP can interface with other authentication methods. For example, fingerprint authentication.
OpenLDAP relies on SASL for pluggable authentication mechanisms. Since SASL is extensible, new mechs should just be implemented there (which thus allows them to be used by any other applications that are also SASL-enabled, such as IMAP servers or whatever...)
Dear Howard,
If the fingerprint authentication provides an API, can it be invoked from OpenLDAP, and how?
Thanks in advance for all your help.
Best regards, Chris.
Howard Chu wrote, On 2011-11-14 16:15:
Chris Lee wrote:
Dear all,
I am a newbie to OpenLDAP.
I would like to know whether OpenLDAP can interface with other authentication methods. For example, fingerprint authentication.
OpenLDAP relies on SASL for pluggable authentication mechanisms. Since SASL is extensible, new mechs should just be implemented there (which thus allows them to be used by any other applications that are also SASL-enabled, such as IMAP servers or whatever...)
On 14/11/11 18:19 +0800, Chris Lee wrote:
Dear Howard,
If the fingerprint authentication provides an API, can it be invoked from OpenLDAP, and how?
Thanks in advance for all your help.
You could implement a new SASL (RFC 4422) mechanism by creating a new shared library within the Cyrus SASL code, which would then be usable via slapd, and any other software which links against Cyrus.
For Cyrus SASL developer documentation, see:
http://www.cyrussasl.org/docs/cyrus-sasl/2.1.25/plugprog.php
http://www.cyrussasl.org/docs/cyrus-sasl/2.1.25/programming.php
The implementation would not require any changes to the OpenLDAP code. It would be invoked by specifying the new mechanism - e.g. via the '-Y' option when using the OpenLDAP client utilities.
You can direct any additional questions to the cyrus-sasl mailing list at:
http://www.cyrussasl.org/mediawiki/index.php/Cyrus_Mailing_Lists
openldap-technical@openldap.org