Re: (ITS#9055) contrib/slapd-modules/passwd/totp improvements
On Thu, Jul 18, 2019 at 01:37:11PM -0700, Quanah Gibson-Mount wrote:
> This should be a configuration item that is an integer value of the number
> of seconds to allow outside of the timeslice, with 0 meaning only the
> default time slice is allowed. Allowing people to authenticate outside of
> the time slice is of course a security issue and should not be allowed by
> default (So the default value of the parameter should be 0).
I don't disagree, but by that logic so should the actual size
of the time window, the number of digits, etc. I saw a lot
of these parameters were hard-coded in this module and proceeded
in kind. I wasn't really trying to recreate the full functionality
of the OpenLDAP Gold implementation[1].
Would a default-off ifdef to activate that code block work for
this? I did intentionally keep that part of the change self
contained, so it wouldn't be hard to add that...
[1] https://symas.com/two-factor-authentication-everywhere
--
Greg Veldman
IT Infrastructure Services, Purdue University
gv@purdue.edu | (765)-496-2456
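To make the semantics of the proposed parameter concrete, the following is an added example (not code from the contrib totp module or from either poster): a minimal RFC 6238 TOTP check where the tolerance is an integer number of seconds outside the current time slice, and a value of 0 accepts only the current slice. It assumes the standard 30-second step, 6 digits and HMAC-SHA1; the secret is the RFC 6238 test-vector key.

```python
import hmac
import hashlib
import struct

STEP = 30       # time-slice length in seconds (RFC 6238 default, assumed)
DIGITS = 6      # code length (assumed)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter,
    dynamic truncation to a 31-bit integer, then the low `digits` decimals."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def candidate_steps(now: int, tolerance: int, step: int = STEP) -> list:
    """Counters of every time slice that overlaps [now - tolerance, now + tolerance].
    tolerance == 0 yields exactly the current slice; a positive value admits the
    neighbouring slice(s) only for the seconds it actually covers."""
    lo = (now - tolerance) // step
    hi = (now + tolerance) // step
    return list(range(lo, hi + 1))


def verify_totp(secret: bytes, code: str, now: int, tolerance: int = 0) -> bool:
    """Accept `code` if it matches any slice admitted by `tolerance` seconds
    around `now`. Constant-time comparison avoids leaking which digits matched."""
    expected = [hotp(secret, c) for c in candidate_steps(now, tolerance)]
    return any(hmac.compare_digest(code, e) for e in expected)


# Constructed demo input: the RFC 6238 SHA-1 test key, at Unix time 59
# (slice 1) the 6-digit code is "287082".
DEMO_SECRET = b"12345678901234567890"
```

With `tolerance=0` a code for slice 1 is rejected one second after the slice ends (time 60), while `tolerance=1` accepts it because the window `[59, 61]` still overlaps slice 1.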