[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP and dynalogin (two-factor auth with HOTP)

Howard Chu <hyc@symas.com> wrote:

>Daniel Pocock wrote:
>> Some time ago I created the dynalogin ( http://www.dynalogin.org )
>> solution for two-factor authentication.
>> I'm just contemplating how to make it easier to integrate, and making
>> convenient to use with OpenLDAP seems like a good strategy: can
>> comment on that?
>This is not the place to make that happen. LDAP uses SASL as its
>authentication mechanism, you should be looking there.
>> The initial thoughts that I have about the subject:
>> - SASL based solution (dynalogin has digest capability already, so it
>> could be adapted for SASL PLAIN or DIGEST-MD5)
>Yes, provide a Cyrus-SASL plugin implementing your mechanism and then
>it will 
>immediately be usable in OpenLDAP and a number of other software

I'm familiar with SASL and how it is accessed with ldapsearch, etc

My reasons for raising the subject with OpenLDAP users are

- many other apps don't do SASL directly, they use an LDAP search or sometimes a bind to validate a log on, so I'm more likely to come across potential use cases here

- I'm curious about how useful the SASL plugin will be without modifying such apps, and any practical suggestions about how to support use cases that I may not have anticipated

- there seem to be some choices, e.g. I could just offer the PLAIN mechanism and the HOTP token is submitted as a password, or it could be offered as some other arbitrary mechanism - does that choice impact OpenLDAP users significantly?