[RADIATOR] Combining AuthSQLTOTP with other authentication sources

Thomas Neumann tn_radiator at net-guru.org
Mon Aug 4 02:13:01 CDT 2014


Hi Hugh,

Am 04.08.14 01:03, schrieb Hugh Irvine:
> 
> There is an example of how to do this sort of thing in:
> 
> 	goodies/digipassStatic.txt and goodies/digipassStatic.cfg


Thanks for the pointer. That looks very helpful.

Of course SQLTOTP/SQLHOTP will still need to have the username along
with the OTP secret in their respective SQL tables, which kind of
defeats the purpose of having Active Directory as the only source of
user management (as requested by my client), but I think I'm going to
solve this by storing the hex representation of the OTP secret in an
unused Active Directory LDAP attribute of the user account (such as
"employeeNumber", that allows me to get away without an AD schema
extension), then I'll implement a small script that uses ldapsearch to
fetch all AD users below a given OU that have the employeeNumber field
set and belong to some "OTP-Login" group in AD and the fetched username
and matching OTP secret (from the employeeNumber attribute) will be
stored in the SQLTOTP table if not already present. That way I won't need
to create every user twice, once in AD and then again in the SQLTOTP
table. Every once in a while a garbage collection script would run that
removes users from the SQLTOTP table that are no longer present in AD. I
think that should do the trick.

Thanks again!

Regards,

--Tom
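A sketch of the sync and garbage-collection script described in the post, added here as an example and not the poster's script or Radiator's own code: it parses the LDIF that ldapsearch prints, keeps only OTP-Login members whose employeeNumber holds a hex secret, and inserts missing users into the SQLTOTP table while deleting users that AD no longer returns. It assumes a table named totpkeys with username and secret columns (AuthBy SQLTOTP's queries are configurable, so match your real schema), a placeholder group DN, and sqlite3 standing in for the real database.

```python
import re, sqlite3

OTP_GROUP_DN = "CN=OTP-Login,OU=Groups,DC=example,DC=com"   # placeholder DN (assumption)
HEX_SECRET = re.compile(r"(?:[0-9a-fA-F]{2}){16,}")          # >= 16 bytes of hex, nothing else

def parse_ldif(text):
    """Yield {attr: [values]} per entry; ldapsearch folds long lines with a leading space."""
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.replace("\n ", "").splitlines():
            key, _, value = line.partition(": ")            # '# comment' lines become harmless keys
            entry.setdefault(key, []).append(value)
        yield entry

def otp_users(ldif_text):
    """sAMAccountName -> hex secret for OTP-Login members whose employeeNumber holds a secret."""
    users = {}
    for e in parse_ldif(ldif_text):
        secret = e.get("employeeNumber", [""])[0]           # a genuine employee id fails HEX_SECRET
        if OTP_GROUP_DN in e.get("memberOf", []) and HEX_SECRET.fullmatch(secret):
            users[e["sAMAccountName"][0]] = secret
    return users

def sync(conn, users):
    """Insert users missing from the table, delete users gone from AD; return (added, removed)."""
    existing = {r[0] for r in conn.execute("SELECT username FROM totpkeys")}
    added, removed = sorted(set(users) - existing), sorted(existing - set(users))
    conn.executemany("INSERT INTO totpkeys (username, secret) VALUES (?, ?)", [(u, users[u]) for u in added])
    conn.executemany("DELETE FROM totpkeys WHERE username = ?", [(u,) for u in removed])
    conn.commit()
    return added, removed

# Constructed ldapsearch output: alice qualifies; carol's employeeNumber is a genuine id, not a secret.
SAMPLE_LDIF = """\
dn: CN=Alice,OU=Staff,DC=example,DC=com
sAMAccountName: alice
employeeNumber: 3132333435363738393031323334353637383930
memberOf: CN=OTP-Login,OU=Groups,DC=exam
 ple,DC=com

dn: CN=Carol,OU=Staff,DC=example,DC=com
sAMAccountName: carol
employeeNumber: 12345
memberOf: CN=OTP-Login,OU=Groups,DC=example,DC=com
"""

def demo():
    # One sync run against an in-memory totpkeys table seeded with a user who has left AD.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE totpkeys (username TEXT PRIMARY KEY, secret TEXT NOT NULL)")
    conn.execute("INSERT INTO totpkeys VALUES ('olduser', 'deadbeef')")
    return sync(conn, otp_users(SAMPLE_LDIF))
```

Whatever attribute carries the secret, check who can read it before relying on this: attributes on AD user objects are commonly readable by all authenticated users, so the secret is only as private as that attribute's ACL.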
