[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Pass-Through Authentication

Tim Gustafson wrote:
How hard would it be to create a new pass-through authentication mechanism (something other than SASL) for OpenLDAP?  Can this be done in an overlay?

The reason I ask is that I'm investigating using two-factor authentication.  If I understand the marketing materials correctly, both the RSA SecureID system and the WiKID system expose a RADIUS server that clients can authenticate with.  The suggested set-up seems to be:

OpenLDAP ->  SASL ->  pam ->  RADIUS (on 3rd party token server)

SASL/OTP already supports one-time password authentication. If that doesn't directly do what you want, I suggest you explore

  OpenLDAP -> SASL -> <something>

This seems like a lot of intermediaries, and a lot of potential "breaking" points.  I wonder if there isn't any way to just cut the middle man out, so to speak, and have OpenLDAP talk directly to a RADIUS server, eliminating the other layers inbetween:

OpenLDAP ->  RADIUS (on 3rd party token server)

Perhaps a password scheme like:


No. We really really don't like new password schemes.

I've worked with RADIUS before, and it's not all that bad from a client implementation perspective, especially if you ignore the challenge/response part of the protocol (which most simple authentication services seem to do).

Or should I just shut up and use the first method?  :)

Tim Gustafson                                                tjg@soe.ucsc.edu
Baskin School of Engineering                                     831-459-5354
UC Santa Cruz                                         Baskin Engineering 317B

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/