Howard Chu <[email protected]> wrote:
> Daniel Pocock wrote:
>> Some time ago I created the dynalogin ( http://www.dynalogin.org )
>> solution for two-factor authentication.
>>
>> I'm just contemplating how to make it easier to integrate, and making it
>> convenient to use with OpenLDAP seems like a good strategy: can anyone
>> comment on that?
>
> This is not the place to make that happen. LDAP uses SASL as its extensible
> authentication mechanism, you should be looking there.
>>
>> The initial thoughts that I have about the subject:
>>
>> - SASL based solution (dynalogin has digest capability already, so it
>> could be adapted for SASL PLAIN or DIGEST-MD5)
>
> Yes, provide a Cyrus-SASL plugin implementing your mechanism and then it will
> immediately be usable in OpenLDAP and a number of other software packages.

I'm familiar with SASL and how it is accessed with ldapsearch, etc.

My reasons for raising the subject with OpenLDAP users are:

- many other apps don't do SASL directly; they use an LDAP search or sometimes a bind to validate a log-on, so I'm more likely to come across potential use cases here

- I'm curious about how useful the SASL plugin will be without modifying such apps, and any practical suggestions about how to support use cases that I may not have anticipated

- there seem to be some choices, e.g. I could just offer the PLAIN mechanism and the HOTP token is submitted as a password, or it could be offered as some other arbitrary mechanism - does that choice impact OpenLDAP users significantly?
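The "HOTP token submitted as a password over PLAIN" option discussed above, as an added example that is not part of this thread and not dynalogin's or OpenLDAP's code: the server side of such a check, with a standard RFC 4226 HOTP computation, a look-ahead window for tokens the user generated but never sent, and counter advancement so that a captured token cannot be replayed. The `HotpAccount` store, the `verify_plain` entry point and the "static PIN followed by six OTP digits" password layout are assumptions made for the example; the secret is the RFC 4226 test key.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class HotpAccount:
    """Hypothetical server-side state for one user: shared secret, static PIN,
    next counter value we will accept, and a look-ahead window."""

    def __init__(self, secret: bytes, pin: str, counter: int = 0, window: int = 5):
        self.secret = secret
        self.pin = pin          # hypothetical static factor; a real backend would store a hash
        self.counter = counter  # lowest counter value still acceptable
        self.window = window    # how far ahead we tolerate skipped tokens

    def verify_otp(self, candidate: str, digits: int = 6) -> bool:
        for c in range(self.counter, self.counter + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, c, digits), candidate):
                # Advance past the value just used: resubmitting it (or any
                # earlier token) is rejected from now on.
                self.counter = c + 1
                return True
        return False


def verify_plain(authcid: str, password: str, accounts: dict, digits: int = 6) -> bool:
    """What a PLAIN-backed password check does when the 'password' is the
    static PIN immediately followed by the current HOTP value (assumed layout)."""
    acct = accounts.get(authcid)
    if acct is None or len(password) <= digits:
        return False
    pin, otp = password[:-digits], password[-digits:]
    if not otp.isdigit():
        return False
    # Check the static factor first so a wrong PIN never consumes a counter value.
    if not hmac.compare_digest(pin, acct.pin):
        return False
    return acct.verify_otp(otp, digits)


def demo() -> list:
    """Constructed sequence of PLAIN password submissions for one account."""
    accounts = {"alice": HotpAccount(b"12345678901234567890", pin="1234")}
    return [
        verify_plain("alice", "1234" + "755224", accounts),  # counter 0: accepted
        verify_plain("alice", "1234" + "755224", accounts),  # same token again: replay rejected
        verify_plain("alice", "1234" + "969429", accounts),  # counter 3, inside window: accepted
        verify_plain("alice", "1234" + "287082", accounts),  # counter 1, already behind: rejected
        verify_plain("alice", "9999" + "338314", accounts),  # wrong PIN: rejected, counter 4 not consumed
        verify_plain("alice", "1234" + "338314", accounts),  # counter 4: accepted
    ]


if __name__ == "__main__":
    print(demo())
```

Two points this makes concrete for the PLAIN route: the token crosses the wire in the clear, so the bind only makes sense under TLS; and every successful bind consumes a counter value, so an application that binds more than once per log-on (common with "search then bind" code paths) will burn through the look-ahead window unless the backend caches a short-lived result.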
