[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#9055) contrib/slapd-modules/passwd/totp improvements

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#9055) contrib/slapd-modules/passwd/totp improvements
From: gv@members.scinet.supercomputing.org
Date: Thu, 18 Jul 2019 21:53:57 +0000
Auto-submitted: auto-generated (OpenLDAP-ITS)

On Thu, Jul 18, 2019 at 01:37:11PM -0700, Quanah Gibson-Mount wrote:
> This should be a configuration item that is an integer value of the number
> of seconds to allow outside of the timeslice, with 0 meaning only the
> default time slice is allowed.  Allowing people to authenticate outside of
> the time slice is of course a security issue and should not be allowed by
> default (So the default value of the parameter should be 0).

I don't disagree, but by that logic so should the actual size
of the time window, the number of digits, etc.  I saw a lot
of these parameters were hard-coded in this module and proceeded
in kind.  I wasn't really trying to recreate the full functionality
of the OpenLDAP Gold implementation[1].

Would a default-off ifdef to activate that code block work for
this?  I did intentionally keep that part of the change self
contained, so it wouldn't be hard to add that...

[1] https://symas.com/two-factor-authentication-everywhere

-- 
Greg Veldman
IT Infrastructure Services, Purdue University
gv@purdue.edu | (765)-496-2456

Prev by Date: Re: (ITS#9055) contrib/slapd-modules/passwd/totp improvements
Next by Date: Re: (ITS#9055) contrib/slapd-modules/passwd/totp improvements
Index(es):
- Chronological
- Thread