Re: (ITS#9055) contrib/slapd-modules/passwd/totp improvements
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#9055) contrib/slapd-modules/passwd/totp improvements
- From: quanah@symas.com
- Date: Thu, 18 Jul 2019 20:37:22 +0000
- Auto-submitted: auto-generated (OpenLDAP-ITS)
--On Thursday, July 18, 2019 7:37 PM +0000
gv@members.scinet.supercomputing.org wrote:
> - Allow the OTP from the previous time window to be accepted, provided
> there has been no successful bind in or after that time window. This
> avoids false authentication failures if for example the time window rolls
> over as the OTP is being entered or transmitted.
This should be a configuration item that is an integer value of the number
of seconds to allow outside of the timeslice, with 0 meaning only the
default time slice is allowed. Allowing people to authenticate outside of
the time slice is of course a security issue and should not be allowed by
default (so the default value of the parameter should be 0).
Regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
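
Added example, not part of the original message and not the totp module's code: a Python sketch of the acceptance rule discussed in this thread, with a grace period in seconds that defaults to 0 and rejection of any time slice at or before the last successful bind. The names `grace`, `last_step` and `verify` are hypothetical, and applying the last-bind rule to the current slice as well is an assumption.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time slice (RFC 6238 default)
DEMO_KEY = b"12345678901234567890"  # RFC 4226 test secret, used as sample input


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for one counter (TOTP uses counter = time // STEP)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(key, otp, now, last_step=-1, grace=0):
    """Return the time step whose OTP matched, or None.

    grace     -- hypothetical config value: seconds after a slice ends during
                 which its OTP is still accepted; 0 = current slice only.
    last_step -- step of the last successful bind; an OTP is accepted only
                 for a step strictly newer than this (replay protection).
    """
    if grace < 0:
        raise ValueError("grace must be >= 0")
    current = now // STEP
    oldest = (now - grace) // STEP  # oldest slice still inside the grace period
    matched = None
    for step in range(current, oldest - 1, -1):
        if step <= last_step:
            break  # a bind already succeeded in or after this slice
        # Constant-time comparison of the candidate against the expected OTP.
        if hmac.compare_digest(hotp(key, step).encode(), otp.encode()):
            matched = step
            break
    return matched


if __name__ == "__main__":
    previous = hotp(DEMO_KEY, 1)  # OTP for slice [30, 60)
    print(verify(DEMO_KEY, previous, now=62))                        # None
    print(verify(DEMO_KEY, previous, now=62, grace=5))               # 1
    print(verify(DEMO_KEY, previous, now=62, grace=5, last_step=1))  # None
```

The caller has to store the returned step as the new `last_step` on a successful bind; without that state the grace period turns into a replay window.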