Ondřej Kuzník wrote:
> On Tue, May 15, 2018 at 07:06:41PM +0200, Michael Ströder wrote:
>> Douglas Duckworth wrote:
>>> Does OpenLDAP support use of one time passwords or 2FA for the Manager
>>> account?
>>
>> There are several solutions:
>>
>> 1. contrib/slapd-modules/passwd/totp/
>> A proof of concept overlay which AFAICS replaces checking a normal password
>> by checking a generated TOTP value. So not really 2FA.
>
> We have been looking into how to best make it an actual 2FA solution,
> though.
Did you consider using OATH-LDAP's schema? That's the most flexible way of doing it, which is appreciated.

Furthermore I'm very paranoid regarding the security of shared secrets. In current OATH-LDAP they are asymmetrically encrypted, with only an *external* component having access to the private key(s).

It would be nice to join forces developing something which is more integrated with OpenLDAP though.

Ciao, Michael.
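As an added example (not code from the OpenLDAP contrib overlay or from OATH-LDAP), the following shows RFC 6238 TOTP verification with an acceptance window and replay check, plus a bind check that requires both the password and the TOTP value, which is the actual 2FA behaviour the thread distinguishes from the proof-of-concept overlay replacing the password check. The secret, salt and password values are constructed for illustration.

```python
# Added example: HOTP/TOTP (RFC 4226/6238) verification and a two-factor
# credential check. Not the contrib overlay's or OATH-LDAP's code.
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC(secret, 8-byte counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter floor(at / step)."""
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret, candidate, at, last_used=-1, window=1, step=30,
                digits=6, algo=hashlib.sha1):
    """Accept `candidate` if it matches a step within +/-window of `at` and
    that step is newer than `last_used` (prevents replaying a seen code).
    Returns the matched counter (to persist as the new last_used) or None."""
    current = at // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits, algo), candidate):
            return counter
    return None


def check_two_factor(pw_hash, salt, secret, credential, at, last_used=-1, digits=6):
    """Two-factor bind: credential is '<password><TOTP>'. Both factors are
    always evaluated so a failure does not reveal which one was wrong.
    Returns (ok, matched_counter)."""
    if len(credential) <= digits:
        return False, None
    password, code = credential[:-digits], credential[-digits:]
    # Constructed KDF parameters; a real deployment stores pw_hash/salt per entry.
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    pw_ok = hmac.compare_digest(derived, pw_hash)
    counter = verify_totp(secret, code, at, last_used, digits=digits)
    return (pw_ok and counter is not None), (counter if pw_ok else None)
```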
