[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP and dynalogin (two-factor auth with HOTP)

On 03/11/12 22:10 +0100, Daniel Pocock wrote:
Howard Chu <hyc@symas.com> wrote:
Daniel Pocock wrote:
Some time ago I created the dynalogin ( http://www.dynalogin.org )
solution for two-factor authentication.

I'm just contemplating how to make it easier to integrate, and making
it convenient to use with OpenLDAP seems like a good strategy: can
anyone comment on that?

Yes, provide a Cyrus-SASL plugin implementing your mechanism and then it
will immediately be usable in OpenLDAP and a number of other software

I'm familiar with SASL and how it is accessed with ldapsearch, etc

My reasons for raising the subject with OpenLDAP users are

- many other apps don't do SASL directly, they use an LDAP search or
sometimes a bind to validate a log on, so I'm more likely to come across
potential use cases here

'log on' implies some kind of shell access, or scenario where pam is
involved, which you already support. Although SASL is the more elegant
solution, it's really on necessary where you're doing searching or direct
LDAP connections between the client and the server (or where you want to
reduce duplicated work where you're also authenticating, say, IMAP and SMTP

- I'm curious about how useful the SASL plugin will be without modifying
such apps, and any practical suggestions about how to support use cases
that I may not have anticipated


- there seem to be some choices, e.g. I could just offer the PLAIN
mechanism and the HOTP token is submitted as a password, or it could be
offered as some other arbitrary mechanism - does that choice impact
OpenLDAP users significantly?

That's pretty much 'just a password'. PLAIN will not support two factor
authentication. In that case, it would be easier to just run SASL PLAIN and
pass-through authentication to saslauthd, with its pam backend.

Dan White