Hi Hugh,

On 04.08.14 01:03, Hugh Irvine wrote:
>
> There is an example of how to do this sort of thing in:
>
> goodies/digipassStatic.txt and goodies/digipassStatic.cfg
Thanks for the pointer. That looks very helpful.

Of course SQLTOTP/SQLHOTP will still need to have the username along with the OTP secret in their respective SQL tables, which kind of defeats the purpose of having Active Directory as the only source of user management (as requested by my client). I think I'm going to solve this by storing the hex representation of the OTP secret in an unused Active Directory LDAP attribute of the user account (such as "employeeNumber", which allows me to get away without an AD schema extension). Then I'll implement a small script that uses ldapsearch to fetch all AD users below a given OU that have the employeeNumber field set and belong to some "OTP-Login" group in AD; the fetched username and matching OTP secret (from the employeeNumber attribute) will be stored in the SQLTOTP table if not already present. That way I won't need to create every user twice, once in AD and then again in the SQLTOTP table. Every once in a while a garbage collection script would run that removes users from the SQLTOTP table that are no longer present in AD.

I think that should do the trick.

Thanks again!

Regards,
--Tom

_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
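The sync step and the garbage-collection step described in the post, as an added Python example that is not from the post or from Radiator: it parses constructed ldapsearch output, keeps only OTP-Login members whose employeeNumber holds an even-length hex secret, adds missing users to a dict standing in for the SQLTOTP table (existing rows are left alone), and removes users no longer in AD. The group DN, OU, account names and secrets are assumptions.

```python
import re
OTP_GROUP_DN = "CN=OTP-Login,OU=Groups,DC=example,DC=com"   # assumed DN, not from the post
HEX_SECRET = re.compile(r"^(?:[0-9a-f]{2}){16,}$", re.I)   # even-length hex, at least 128 bits
# Constructed `ldapsearch -LLL` output (made-up data): alice qualifies, carol's value is not hex, eve is not in the group.
SAMPLE_LDIF = """\
dn: CN=Alice,OU=Staff,DC=example,DC=com
sAMAccountName: alice
employeeNumber: 3132333435363738393031323334353637383930
memberOf: CN=OTP-Login,OU=Groups,DC=example,DC=com

dn: CN=Carol,OU=Staff,DC=example,DC=com
sAMAccountName: carol
employeeNumber: not-a-secret
memberOf: CN=OTP-Login,OU=Groups,DC=example,DC=com

dn: CN=Eve,OU=Staff,DC=example,DC=com
sAMAccountName: eve
employeeNumber: 00112233445566778899aabbccddeeff00112233
memberOf: CN=Staff,OU=Groups,DC=example,DC=com
"""

def parse_ldif(text):
    """Yield one {attr: [values]} dict per entry (folded and base64 lines are not handled)."""
    entry = {}
    for line in text.splitlines() + [""]:
        if line.strip():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value)
        elif entry:                                   # blank line ends an entry
            yield entry
            entry = {}

def eligible_users(ldif_text):
    """username -> hex secret for OTP-Login members whose employeeNumber holds a usable secret."""
    users = {}
    for e in parse_ldif(ldif_text):
        secret = e.get("employeeNumber", [""])[0]
        if OTP_GROUP_DN in e.get("memberOf", []) and HEX_SECRET.match(secret):
            users[e["sAMAccountName"][0].lower()] = secret.lower()
    return users

def sync_otp_users(ldif_text, table):
    """Add eligible users missing from `table` (dict standing in for SQLTOTP rows), drop users gone from AD."""
    wanted = eligible_users(ldif_text)
    added = sorted(wanted.keys() - table.keys())
    removed = sorted(table.keys() - wanted.keys())
    table.update((u, wanted[u]) for u in added)
    for u in removed:
        del table[u]
    return added, removed
```

Since employeeNumber is an ordinary attribute, check the object ACLs so that only the account the script binds with can read it (many user attributes are readable by all authenticated users in a default AD), and run ldapsearch over LDAPS so the secrets do not cross the network in the clear.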
