On 01/31/2013 04:34 AM, Petr Spacek wrote:
> On 30.1.2013 05:35, Dmitri Pal wrote:
>> Hello,
>>
>> We started to shape a page for the OTP prototyping work we are doing.
>> It is work in progress but it has enough information to share and
>> discuss.
>> http://freeipa.org/page/V3/OTP
>>
>> Comments welcome!
>
> I gave it a quick look. Generally, the core seems correct to me. I
> have only nitpicks:
>
> I see a big amount of new ipa* specific attributes.
>
> How do other OTP solutions store tokens/configuration? Is there any
> standard/semi-standard LDAP schema with attributes describing tokens?

No. Not that we are aware of.

> MIT KDC has its own ("native") LDAP driver.

Which they do not like and do not want to do more with. We effectively wrote our own.

> It would be nice to coordinate OID allocation and schema definition
> with MIT and share as many attributes as possible. Do they plan to
> support OTP configuration in LDAP? (I don't see any note about LDAP
> support in http://k5wiki.kerberos.org/wiki/Projects/OTPOverRADIUS .)

They do not plan. And we do not plan to extend the driver. This is the reason for the current design.

> Is the author of
> https://fedoraproject.org/wiki/Features/EnterpriseTwoFactorAuthentication
> aware of our effort?

No, I need to reach out to him.

> What about re-using the http://www.dynalogin.org/ server for the TOTP/HOTP
> implementation (rather than writing our own OTP-in-389 implementation)? I
> haven't looked at the dynalogin code ...

The TOTP/HOTP algorithm is very simple; there is really not much to reuse.

> Could the (old) draft "SASL and GSS-API Mechanism for Two Factor
> Authentication based on a Password and a One-Time Password (OTP):
> CROTP" from
> http://tools.ietf.org/html/draft-josefsson-kitten-crotp-00 be interesting
> for us (in future)? Is it worth resurrecting this effort?

Not sure. We will see.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

_______________________________________________
Freeipa-devel mailing list
Freeipafirstname.lastname@example.org
https://www.redhat.com/mailman/listinfo/freeipa-devel