Re: OpenLDAP and dynalogin (two-factor auth with HOTP)
Howard Chu <hyc@symas.com> wrote:
>Daniel Pocock wrote:
>> Some time ago I created the dynalogin ( http://www.dynalogin.org )
>> solution for two-factor authentication.
>>
>> I'm just contemplating how to make it easier to integrate, and making it
>> convenient to use with OpenLDAP seems like a good strategy: can anyone
>> comment on that?
>
>This is not the place to make that happen. LDAP uses SASL as its extensible
>authentication mechanism, you should be looking there.
>>
>> The initial thoughts that I have about the subject:
>>
>> - SASL based solution (dynalogin has digest capability already, so it
>> could be adapted for SASL PLAIN or DIGEST-MD5)
>
>Yes, provide a Cyrus-SASL plugin implementing your mechanism and then it will
>immediately be usable in OpenLDAP and a number of other software packages.
I'm familiar with SASL and how it is accessed with ldapsearch, etc.
My reasons for raising the subject with OpenLDAP users are
- many other apps don't do SASL directly, they use an LDAP search or sometimes a bind to validate a log on, so I'm more likely to come across potential use cases here
- I'm curious about how useful the SASL plugin will be without modifying such apps, and any practical suggestions about how to support use cases that I may not have anticipated
- there seem to be some choices, e.g. I could just offer the PLAIN mechanism and the HOTP token is submitted as a password, or it could be offered as some other arbitrary mechanism - does that choice impact OpenLDAP users significantly?