Re: (ITS#9055) contrib/slapd-modules/passwd/totp improvements



--On Thursday, July 18, 2019 7:37 PM +0000 
gv@members.scinet.supercomputing.org wrote:

> - Allow the OTP from the previous time window to be accepted, provided
> there has been no successful bind in or after that time window.  This
> avoids false authentication failures if for example the time window rolls
> over as the OTP is being entered or transmitted.

This should be a configuration item that is an integer value of the number 
of seconds to allow outside of the timeslice, with 0 meaning only the 
default time slice is allowed.  Allowing people to authenticate outside of 
the time slice is of course a security issue and should not be allowed by 
default (so the default value of the parameter should be 0).

Regards,
Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
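
The acceptance rule discussed in this message, as an added Python sketch that is not code from the thread or from the OpenLDAP totp module: an OTP from an earlier time window is accepted only within a configured number of seconds after that window closed, and never for a window at or before the last successful bind. The names `grace_seconds`, `verify_totp` and `last_success_step` are hypothetical, and the key is the published RFC 4226 test key.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time window (RFC 6238 default)
RFC_TEST_KEY = b"12345678901234567890"  # RFC 4226 test key, not a real secret


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP over HMAC-SHA1 with dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_totp(key: bytes, code: str, now: int,
                last_success_step: int, grace_seconds: int = 0):
    """Return the time step the code matched, or None if the bind must fail.

    grace_seconds (hypothetical setting): how long after a window closes its
    OTP is still accepted. 0 means only the current window is checked.
    last_success_step: step of the last successful bind, -1 if there was none.
    """
    grace = max(0, grace_seconds)
    current = now // STEP
    earliest = (now - grace) // STEP  # oldest window still inside the grace period
    for step in range(current, earliest - 1, -1):
        if step <= last_success_step:
            break  # a bind already succeeded in or after this window: replay
        if hmac.compare_digest(hotp(key, step).encode(), code.encode()):
            return step  # caller must persist this as the new last_success_step
    return None


if __name__ == "__main__":
    otp = hotp(RFC_TEST_KEY, 1)  # OTP for the window covering t = 30..59
    # Constructed timeline: user submits the OTP one second after rollover.
    print("grace=0          :", verify_totp(RFC_TEST_KEY, otp, 61, -1))
    print("grace=5          :", verify_totp(RFC_TEST_KEY, otp, 61, -1, 5))
    print("grace=5, replayed:", verify_totp(RFC_TEST_KEY, otp, 61, 1, 5))
```

The returned step has to be stored together with the successful bind, otherwise the replay check has nothing to compare against.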