https://bugs.openldap.org/show_bug.cgi?id=10169
--- Comment #2 from Bastian <[email protected]> ---

Thanks for your comment.

I'd like to add that our site would be very interested in this feature. Currently, we rely on the pw-totp module from contrib, and we would be very happy to convert to the supported overlay.

In our case it's a core element of the design that there is no keyboard-interactive userPassword available during authentication. The 1FA is done by sshd pubkey authentication. The 2FA is a subsequent PAM module which does an LDAP bind call against the entries beneath ou=totp.

Picking up your thought about an empty userPassword: maybe it is possible to introduce a password schema like `{OTPONLY}` to selectively set entries in the OTP-only authentication mode.
