
Re: OATH TOTP LDAP schema?



On Tue, Dec 10, 2019 at 09:25:17AM +0100, Côme Chilliet wrote:
> On Wednesday, 4 December 2019, 13:28:36 CET, Quanah Gibson-Mount wrote:
> > Although perhaps this isn't exactly what was being asked for.  I.e., the 
> > module provides the ability to enable TOTP use with OpenLDAP, whereas 
> > perhaps you're looking for a way to store data in LDAP as a backend for a 
> > TOTP system?
> 
> Yes, this is more what I was looking for.
> How does the module handle the storing? There is no specific schema for this?

If you're looking to use OpenLDAP as a full-fledged, fully
configurable OTP backend (e.g. the ability to dynamically switch
between TOTP and HOTP, configure the code length and time
interval, etc), you're probably wanting something like this:

https://symas.com/two-factor-authentication-everywhere/

Though note that that would appear to require a subscription to
OpenLDAP Gold.  Or use a different tool like privacyIDEA or
something similar, though that pulls the functionality out of
the directory.

If all you want is to use TOTP to authenticate your users at
the directory level (either standalone or combined with a static
password as multi-factor), then the module Dave initially
mentioned is suitable.  I have been using it as such in production
for several months.  Actually, my implementation is somewhat of
a hybrid approach: I use privacyIDEA to handle the enrollment
and key management process so users have a nice web/GUI interface,
but store the keys in OpenLDAP and handle the actual
authentication there so no external API calls are needed.

-- 
Greg Veldman