[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP and dynalogin (two-factor auth with HOTP)

To: Daniel Pocock <daniel@pocock.com.au>
Subject: Re: OpenLDAP and dynalogin (two-factor auth with HOTP)
From: Dan White <dwhite@olp.net>
Date: Mon, 12 Mar 2012 09:33:53 -0500
Cc: Howard Chu <hyc@symas.com>, openldap-technical@openldap.org
Content-disposition: inline
In-reply-to: <a03afb9a-e323-4fb6-ac8d-5504689219ab@email.android.com>
References: <4F591236.1030305@pocock.com.au> <4F5B1106.4030707@symas.com> <a03afb9a-e323-4fb6-ac8d-5504689219ab@email.android.com>
User-agent: Mutt/1.5.21 (2010-09-15)

On 03/11/12 22:10 +0100, Daniel Pocock wrote:

Howard Chu <hyc@symas.com> wrote:

Daniel Pocock wrote:

Some time ago I created the dynalogin ( http://www.dynalogin.org )
solution for two-factor authentication.

I'm just contemplating how to make it easier to integrate, and making
it convenient to use with OpenLDAP seems like a good strategy: can
anyone comment on that?

Yes, provide a Cyrus-SASL plugin implementing your mechanism and then it
will immediately be usable in OpenLDAP and a number of other software
packages.


I'm familiar with SASL and how it is accessed with ldapsearch, etc

My reasons for raising the subject with OpenLDAP users are

- many other apps don't do SASL directly, they use an LDAP search or
sometimes a bind to validate a log on, so I'm more likely to come across
potential use cases here


'log on' implies some kind of shell access, or scenario where pam is
involved, which you already support. Although SASL is the more elegant
solution, it's really on necessary where you're doing searching or direct
LDAP connections between the client and the server (or where you want to
reduce duplicated work where you're also authenticating, say, IMAP and SMTP
connections).

- I'm curious about how useful the SASL plugin will be without modifying
such apps, and any practical suggestions about how to support use cases
that I may not have anticipated


http://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer
http://www.cyrussasl.org/docs/cyrus-sasl/2.1.25/components.php

- there seem to be some choices, e.g. I could just offer the PLAIN
mechanism and the HOTP token is submitted as a password, or it could be
offered as some other arbitrary mechanism - does that choice impact
OpenLDAP users significantly?


That's pretty much 'just a password'. PLAIN will not support two factor
authentication. In that case, it would be easier to just run SASL PLAIN and
pass-through authentication to saslauthd, with its pam backend.

--
Dan White

References:
- OpenLDAP and dynalogin (two-factor auth with HOTP)
  - From: Daniel Pocock <daniel@pocock.com.au>
- Re: OpenLDAP and dynalogin (two-factor auth with HOTP)
  - From: Howard Chu <hyc@symas.com>
- Re: OpenLDAP and dynalogin (two-factor auth with HOTP)
  - From: Daniel Pocock <daniel@pocock.com.au>

Prev by Date: Large delay before transmitting search result
Next by Date: Re: Large delay before transmitting search result
Index(es):
- Chronological
- Thread