
OpenLDAP and dynalogin (two-factor auth with HOTP)

Some time ago I created the dynalogin ( http://www.dynalogin.org )
solution for two-factor authentication.

I'm just contemplating how to make it easier to integrate, and making it
convenient to use with OpenLDAP seems like a good strategy: can anyone
comment on that?

The initial thoughts that I have about the subject:

- SASL-based solution (dynalogin has digest capability already, so it
could be adapted for SASL PLAIN or DIGEST-MD5)

- should not prevent password logins (user should be able to use either
password or HOTP code)

- should enable people to use it indirectly (e.g. if someone already has
pam_ldap working, they should be able to add dynalogin to their OpenLDAP
server and get immediate benefit)

- use cases: UNIX login, high-security webmail login, VPN and OpenID
provider backed by OpenLDAP

I know that SASL already supports OTP, but that is not HOTP, it is OPIE
(or S/Key) RFC 2289:
http://tools.ietf.org/html/rfc2289

whereas HOTP is RFC 4226:
http://www.ietf.org/rfc/rfc4226.txt

HOTP is considered more secure and more widely implemented.
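For readers comparing the two schemes, here is RFC 4226 HOTP as an added example (not dynalogin's code and not part of the original post): the HMAC-SHA-1/dynamic-truncation computation plus the server-side look-ahead verification from RFC 4226 section 7.2, checked against the test vectors in the RFC's Appendix D. The secret and codes are the RFC's own; the `window` size is an assumed policy value.

```python
import hmac
import hashlib
import struct

# RFC 4226 Appendix D shared secret (ASCII "12345678901234567890")
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce modulo 10**digits."""
    msg = struct.pack(">Q", counter)
    hs = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = hs[19] & 0x0F                      # low nibble of last byte
    code = ((hs[offset] & 0x7F) << 24
            | hs[offset + 1] << 16
            | hs[offset + 2] << 8
            | hs[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, stored_counter: int, submitted: str,
                window: int = 5, digits: int = 6):
    """Server-side check (RFC 4226 sect. 7.2). Tries the stored counter
    and up to `window` counters ahead so a client that skipped codes can
    resynchronise; never looks backwards, so a reused code is rejected.
    Returns the next counter to persist, or None if the code is invalid."""
    for c in range(stored_counter, stored_counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            return c + 1          # caller must store this before replying
    return None


if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(RFC4226_SECRET, c))      # 755224 287082 359152
    print(verify_hotp(RFC4226_SECRET, 0, "287082"))   # 2 (resynced past counter 1)
    print(verify_hotp(RFC4226_SECRET, 3, "287082"))   # None (counter 1 is behind us)
```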