[Date Prev][Date Next] [Chronological] [Thread] [Top]

OpenLDAP and dynalogin (two-factor auth with HOTP)

Some time ago I created the dynalogin ( http://www.dynalogin.org )
solution for two-factor authentication.

I'm just contemplating how to make it easier to integrate, and making it
convenient to use with OpenLDAP seems like a good strategy: can anyone
comment on that?

The initial thoughts that I have about the subject:

- SASL based solution (dynalogin has digest capability already, so it
could be adapted for SASL PLAIN or DIGEST-MD5)

- should not prevent password logins (user should be able to use either
password or HOTP code)

- should enable people to use it indirectly (e.g. if someone already has
pam_ldap working, they should be able to add dynalogin to their OpenLDAP
server and get immediate benefit)

- use cases: UNIX login, high-security webmail login, VPN and OpenID
provider backed by OpenLDAP

I know that SASL already supports OTP, but that is not HOTP, it is OPIE
(or S/Key) RFC 2289:

whereas HOTP is RFC 4226:

HOTP is considered more secure and more widely implemented.