TOTP Support about lldap HOT 7 OPEN

It's not currently supported, no, but as you have seen, it was taken into account when designing.

from lldap.

It would be a great feature.
Probably more fields are required fot TOTP:

• MfaType => TOTP, ...
• Algorithm (SHA1, SHA256, SHA512)
• Number of digits (e.g. 6 or 8 digits)
• Period (e.g. 30 seconds)

from lldap.

This would only be for logging in to LLDAP, right? Not using LLDAP as a storage for secrets for other TOTP logins.

In that case, we'd probably hardcode most of these parameters with safe defaults to simplify the implementation.

Note that I don't have any intent on implementing that right now, but contributions are welcome.

from lldap.

I'm thinking about something similar to slapo-otp,
where TOTOP is used in conjunction with the LDAP password for two-factor authentication.

from lldap.

Oh, I see what you mean: you want to provide a default, centralized TOTP for use in many applications. That's quite different from what I had in mind (TOTP limited to logging in to LLDAP in the web front-end).

Something that comes to mind, though: How do you provide the TOTP to LLDAP to validate? Especially through the LDAP interface. Most services do not implement that, and probably will not. How do you imagine the user experience?

from lldap.

Some years ago I created something similar for authenticating OpenVPN using password + TOTP.
The users enter as password: password + separator (space) + TOTP
The separtor was optional because the TOTP lengh is know, but our users always insert a space between the password and the TOTP :)
The autentication was done with a python script performing the autentication (with the password) on LDAP and the TOTP check with a local db.

from lldap.

Although it would technically work, it would be a hard flow to explain to users: there is no dedicated TOTP field, it doesn't play very well with password managers and so on. I feel that the use case is a bit too niche for LLDAP.

from lldap.