[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5207) Password checking: external program

On Tuesday 30 October 2007 12:40:38 hadmut@danisch.de wrote:
> Full_Name: Hadmut Danisch
> Version: 2.3.38
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (
> Hi,
> that's a feature request:
> Sometimes it is necessary to use other authentication methods than the
> regular password login. E.g. when using an insecure computer in an internet
> cafe to login into a web mail frontend, which accesses an imap server,
> which authenticates against LDAP. It would require to authenticate trough
> one-time-passwords, HTTP-Cookies or other unusual methods.
> Actually,SASL provides a way to use other methods like One-time-passwords,
> but is still too limited and there are too many programs (LDAP clients) out
> there that don't support sasl authentication.

So wouldn't the existing {SASL} scheme for userPassword (which allows a simple 
bind to be authenticated against a SASL identity) be sufficient?

> Therefore it would be nice if slapd could be configured to do the password
> checking over some external plugin or program, which could do any sort of
> unusual checking.
> This way a user could enter a one time password just as a normal LDAP login
> password, and pass it through the chain of programs, e.g. mailclient -
> maildaemon - LDAP or
> browser - webmailer - imap - LDAP.

Well, any implementation of this would have the same problems of the existing 
{SASL} scheme, of losing some of the security SASL provides.