Hi there,

I need an LDAP server capable of authenticating users with password-attached
OTP using the OATH HOTP algorithm ('HOTP - Wikipedia, the free encyclopedia'
(http://en.wikipedia.org/wiki/HOTP)) as described in 'RFC 4226 - HOTP:
An HMAC-Based One-Time Password Algorithm'
(http://tools.ietf.org/html/rfc4226). The solution must be implemented
directly in the directory server to eliminate the need to have an
additional cluster of OTP servers, because in fact there are no reasons
to have a separate OTP server, there are only reasons not to have it (it
makes the whole solution too complicated and brings unacceptable
additional risks because the OTP cluster needs to separately solve many
tasks that are already solved in the directory cluster, e.g. replication
and HA).

The idea seems quite simple to implement; the only change needed to do
this is to extend the password-checking logic to split the received
password with attached OTP of fixed length into the password and OTP and
separately check each of these.

The best solution would most probably be to have the built-in NMAS
password-checking method (0x7) support password-attached OTP (all that's
needed to do this is to have two additional per-user attributes
containing the shared secret and sequence counter, a few other
container-level attributes for common settings (OTP length, look-ahead
synchronization window size), and a little code that will split the OTP
from the password, check it and update the counter on success).
Unfortunately there seems to be no support for this in current versions
of eDirectory and there's no indication that this support is to be added
in future versions.

I've investigated the possibility of adding password-attached OTP
support to eDirectory using NMAS, but so far it seems to be impossible,
because the LDAP auth seems to be an NMAS client supporting only NMAS
methods 0x7 (the NMAS method to check a password, called NDS for some
reason) and 0x0 (unable to find out what that is), while there's no way
to make an LSM supporting these methods - an LSM with method ID 0x0
cannot be installed, while an LSM providing method ID 0x7 seems to
override everything but the method's code (installing such an LSM can
change method description, vendor, grade and other properties, but the
original code - LSM00000007 from libnmas.so - is still in use, the LSM's
LSM00000007 is never called). Overriding the default password-checking
method also seems to be quite a bad idea considering that one would
either have to reimplement all its undocumented features (password
expiration, intruder detection) or replace them with a much simpler
password-checking implementation.

Is there some way to make the LDAP NMAS client support other methods
than 0x7?

And if the answer is yes, is it possible to call other login methods
from a module-provided login method (e.g. routing LDAP auth to method
LSM0000000x which will just do the OTP checking, store the password
without OTP using MAF_PutAttribute(mh, NMAS_AID_PASSWORD, ...) and then
call the original LSM00000007 to check the password)?

Or if the answer is no, is there some other way to make eDirectory
support OATH HOTP for LDAP authentication without the need to have a
separate OTP server?

vblaha's Profile: http://forums.novell.com/member.php?userid=69207
View this thread: http://forums.novell.com/showthread.php?t=403674
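The password-splitting and HOTP check the post sketches, as an added example that is not part of the original post and not eDirectory/NMAS code. It implements RFC 4226 HOTP (HMAC-SHA1, dynamic truncation), splits a submitted value into password and fixed-length OTP, checks both, honours a look-ahead window, and advances the stored counter only on a full success; the `OtpUser` class, the PBKDF2 password storage and the salt are assumptions standing in for the per-user directory attributes.

```python
import hmac
import hashlib
import struct

# RFC 4226 Appendix D test secret, used here as constructed sample data
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) per RFC 4226: HMAC-SHA1, dynamic truncation, mod 10^digits."""
    msg = struct.pack(">Q", counter)                  # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpUser:
    """Hypothetical per-user state: password hash, shared secret, sequence counter."""
    def __init__(self, password: str, secret: bytes, counter: int = 0):
        self.salt = b"constructed-salt"               # constructed; use a random salt per user
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        self.secret = secret
        self.counter = counter


def check_password_with_otp(user: OtpUser, submitted: str,
                            otp_len: int = 6, window: int = 5) -> bool:
    """Split password||OTP, verify both, and advance the counter only on success."""
    if len(submitted) <= otp_len:
        return False
    password, otp = submitted[:-otp_len], submitted[-otp_len:]
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), user.salt, 100_000)
    pw_ok = hmac.compare_digest(cand, user.pw_hash)
    # Look-ahead synchronization window: accept counter .. counter+window
    matched = None
    for c in range(user.counter, user.counter + window + 1):
        if hmac.compare_digest(hotp(user.secret, c, otp_len), otp):
            matched = c
            break
    if not (pw_ok and matched is not None):
        return False                                  # wrong password or OTP: counter untouched
    user.counter = matched + 1                        # resync and reject replay of this OTP
    return True
```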