[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP and dynalogin (two-factor auth with HOTP)

Daniel Pocock wrote:
Some time ago I created the dynalogin ( http://www.dynalogin.org )
solution for two-factor authentication.

I'm just contemplating how to make it easier to integrate, and making it
convenient to use with OpenLDAP seems like a good strategy: can anyone
comment on that?

This is not the place to make that happen. LDAP uses SASL as its extensible authentication mechanism, you should be looking there.

The initial thoughts that I have about the subject:

- SASL based solution (dynalogin has digest capability already, so it
could be adapted for SASL PLAIN or DIGEST-MD5)

Yes, provide a Cyrus-SASL plugin implementing your mechanism and then it will immediately be usable in OpenLDAP and a number of other software packages.

- should not prevent password logins (user should be able to use either
password or HOTP code)

- should enable people to use it indirectly (e.g. if someone already has
pam_ldap working, they should be able to add dynalogin to their OpenLDAP
server and get immediate benefit)

- use cases: UNIX login, high-security webmail login, VPN and OpenID
provider backed by OpenLDAP

I know that SASL already supports OTP, but that is not HOTP, it is OPIE
(or S/Key) RFC 2289:

whereas HOTP is RFC 4226:

HOTP is considered more secure and more widely implemented.

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/