
Re: (ITS#5207) Password checking: external program



bgmilne@staff.telkomsa.net wrote:
> On Tuesday 30 October 2007 12:40:38 hadmut@danisch.de wrote:
>> Full_Name: Hadmut Danisch
>> Version: 2.3.38
>> OS: Linux
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (85.180.64.93)
>>
>>
>> Hi,
>>
>> that's a feature request:
>>
>> Sometimes it is necessary to use other authentication methods than the
>> regular password login, e.g. when using an insecure computer in an internet
>> cafe to log into a web mail frontend, which accesses an IMAP server,
>> which authenticates against LDAP. It would require authenticating through
>> one-time passwords, HTTP cookies or other unusual methods.
>>
>> Actually, SASL provides a way to use other methods like one-time passwords,
>> but it is still too limited, and there are too many programs (LDAP clients) out
>> there that don't support SASL authentication.
> 
> So wouldn't the existing {SASL} scheme for userPassword (which allows a simple
> bind to be authenticated against a SASL identity) be sufficient?

Simple Bind actually doesn't lend itself well to most one-time-password 
schemes, because they require the ability for a server to send a challenge 
string to a client so the client can select/generate the correct OTP. You 
could kludge this by introducing a new Bind-in-Progress error code but no 
existing clients would recognize it or know what to do with it. (Too bad the 
LDAP_SASL_BIND_IN_PROGRESS error code is so specific; it really would have 
been smarter to minimize differences between SASL Binds and Simple Binds, 
rather than widen the differences even further.)

(The idea being, you could still implement the OTP mech with Simple Bind if 
the client first sends a Bind request with DN and bogus password - the OTP 
mech can return an error at that point with the Challenge string in the 
message text. Then the client can provide that challenge to the user, reprompt 
for a password, and carry on.)

>> Therefore it would be nice if slapd could be configured to do the password
>> checking over some external plugin or program, which could do any sort of
>> unusual checking.
>> This way a user could enter a one time password just as a normal LDAP login
>> password, and pass it through the chain of programs, e.g. mailclient -
>> maildaemon - LDAP or
>> browser - webmailer - imap - LDAP.
> 
> Well, any implementation of this would have the same problems of the existing
> {SASL} scheme, of losing some of the security SASL provides.

True, but not really an issue for an OTP mechanism; since the password is 
single-use it doesn't really need any protection.

Anyway, slapd *can* be configured to do password checking with external 
plugins. And there are already several plugins provided in the contrib section 
of the source tree. Feel free to write more plugins to do whatever kind of 
checking you want, and submit your plugins back to the ITS. This particular 
ITS will be closed; the feature already exists.
-- 
   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP     http://www.openldap.org/project/
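The Simple-Bind OTP kludge sketched above (bogus password first, challenge returned in the error's message text, reprompt, rebind), as an added stand-alone simulation that is not part of this thread or of OpenLDAP. The HMAC-based challenge/response, the per-DN token seeds and the "OTP challenge: " message prefix are assumptions; the thread specifies no particular OTP mechanism.

```python
import hmac
import hashlib
import secrets

# LDAP BindResponse resultCodes used in the simulation.
SUCCESS = 0
INVALID_CREDENTIALS = 49

CHALLENGE_PREFIX = "OTP challenge: "   # assumed convention for the diagnostic message


class OtpSimpleBindServer:
    """Toy server: per-DN token seeds are constructed test data (an assumption);
    a real deployment would keep them in an OTP backend behind a slapd plugin."""

    def __init__(self, seeds_by_dn):
        self._seeds = seeds_by_dn
        self._pending = {}   # dn -> outstanding challenge; each challenge is single-use

    def _expected_response(self, dn, challenge):
        return hmac.new(self._seeds[dn], challenge.encode(), hashlib.sha256).hexdigest()[:16]

    def simple_bind(self, dn, password):
        """Return (resultCode, diagnosticMessage) as a BindResponse would carry them."""
        if dn not in self._seeds:
            return INVALID_CREDENTIALS, ""
        # Any bind consumes the outstanding challenge, so a correct OTP works exactly once.
        challenge = self._pending.pop(dn, None)
        if challenge is not None and hmac.compare_digest(
                password.encode(), self._expected_response(dn, challenge).encode()):
            return SUCCESS, ""
        # No valid response for this DN: issue a fresh challenge in the message text.
        challenge = secrets.token_hex(8)
        self._pending[dn] = challenge
        return INVALID_CREDENTIALS, CHALLENGE_PREFIX + challenge


def client_bind_with_otp(server, dn, token_seed):
    """Client side of the kludge. Computing the OTP from token_seed stands in for
    the user reading the challenge and typing the value shown by their token."""
    rc, msg = server.simple_bind(dn, "bogus")
    if rc != INVALID_CREDENTIALS or not msg.startswith(CHALLENGE_PREFIX):
        return rc, None
    challenge = msg[len(CHALLENGE_PREFIX):]
    otp = hmac.new(token_seed, challenge.encode(), hashlib.sha256).hexdigest()[:16]
    rc, _ = server.simple_bind(dn, otp)   # second Bind carries the OTP as the "password"
    return rc, otp
```

Replaying a successful OTP fails because the server already consumed its challenge, which is the single-use property the reply above relies on.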