[Fedora-directory-users] PAM passthru questions and SecureID

David Boreham david_list at boreham.org
Thu Nov 9 18:06:52 UTC 2006


I have also been researching two-factor token support in LDAP recently.
What I found depressed me: other than RSA with Novell, there is
no, repeat NO, support for using centralized LDAP authentication
with these things. The vendors will often mention LDAP, but
when they do it's as a management database for their own
proprietary authentication service, not as a way to use
LDAP for the actual authentication itself.

I did see a general obsession with PAM, I suspect because it's
a handy way to insert these mechanisms underneath Unix for
terminal login. Same deal with RADIUS, presumably because
that allows the vendors to check the 'VPN' checkbox.

But there seems to be no general purpose 'put my two factor
thing underneath my corporate LDAP authentication service'
solution (other than the aforementioned Novell/RSA product).
Not even for Active Directory.

Because there is some PAM support from the vendors,
providing a PAM proxy/passthrough path under the LDAP
server does turn out to be the most expedient option.

SASL would certainly be better, but I get the impression
that the token vendors haven't heard of SASL yet.
They don't seem to think in terms of general purpose
mechanism, but rather along the lines of 'ok how
do we make our token work for application X?'
(and they've provided solutions for the top N
popular applications where N is a small positive
integer, and called it good).
