Tim Gustafson wrote:
> How hard would it be to create a new pass-through authentication mechanism
> (something other than SASL) for OpenLDAP?  Can this be done in an overlay?
>
> The reason I ask is that I'm investigating using two-factor authentication.  If
> I understand the marketing materials correctly, both the RSA SecurID system
> and the WiKID system expose a RADIUS server that clients can authenticate with.
> The suggested set-up seems to be:
>
> OpenLDAP ->  SASL ->  pam ->  RADIUS (on 3rd party token server)

SASL/OTP already supports one-time password authentication. If that doesn't directly do what you want, I suggest you explore

  OpenLDAP -> SASL -> <something>


> This seems like a lot of intermediaries, and a lot of potential "breaking"
> points.  I wonder if there isn't any way to just cut the middle man out, so to speak, and
> have OpenLDAP talk directly to a RADIUS server, eliminating the other layers in between:
>
> OpenLDAP ->  RADIUS (on 3rd party token server)
>
> Perhaps a password scheme like:
>
> {RADIUS}user@radius-server

No. We really really don't like new password schemes.

> I've worked with RADIUS before, and it's not all that bad from a client
> implementation perspective, especially if you ignore the challenge/response
> part of the protocol (which most simple authentication services seem to do).
>
> Or should I just shut up and use the first method?  :)

> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Tim Gustafson                                                [email protected]
> Baskin School of Engineering                                     831-459-5354
> UC Santa Cruz                                         Baskin Engineering 317B
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-




--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
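For readers weighing Tim's "cut the middle man out" option, here is an added illustration that is not from this thread, OpenLDAP or any token vendor: the wire-level work a minimal RADIUS client (the piece slapd would have to grow) has to get right, written from RFC 2865 in Python. It covers User-Password hiding under the shared secret and the Response Authenticator check that a client must perform before trusting an Access-Accept; the shared secret and the Request Authenticator used in the usage below are constructed for the example, and a real client draws a fresh random authenticator per request.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2   # RADIUS packet codes (RFC 2865)
USER_NAME, USER_PASSWORD = 1, 2        # attribute types used here
def _xor(a: bytes, b: bytes) -> bytes: return bytes(x ^ y for x, y in zip(a, b))

def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; each block is XORed with MD5(secret +
    previous ciphertext block), the first with MD5(secret + Request Authenticator)."""
    padded = (password + b"\x00" * (-len(password) % 16)) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def decode_user_password(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """The server's inverse of the transform above; trailing NUL padding is dropped."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        out += _xor(cipher[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")

def _attribute(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value   # Type, Length, Value

def build_access_request(ident: int, user: bytes, password: bytes,
                         secret: bytes, authenticator: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Request Authenticator(16), then attributes."""
    attrs = _attribute(USER_NAME, user) + _attribute(
        USER_PASSWORD, encode_user_password(password, secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def _response_authenticator(code, ident, attrs, request_auth, secret) -> bytes:
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_response(code: int, ident: int, request_auth: bytes, secret: bytes) -> bytes:
    # Server reply with no attributes; only a holder of the shared secret can compute it.
    auth = _response_authenticator(code, ident, b"", request_auth, secret)
    return struct.pack("!BBH", code, ident, 20) + auth

def verify_response_authenticator(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Without this check a client trusts any Access-Accept injected toward its UDP port."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = _response_authenticator(packet[0], packet[1], packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])
```

Note that User-Password hiding is MD5-keyed obfuscation under the shared secret rather than modern encryption, so a direct slapd-to-token-server link would still need to run over a trusted network or a tunnel; that is one reason the layered set-up has survived.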
