We want to achieve another level of authentication in an LDAP environment. Currently we have a couple of applications getting authenticated through an LDAP server. It is an OpenLDAP server in our case, but we want our solution to be AS LDAP VERSION INDEPENDENT as possible. So I send my user name and password to OpenLDAP and it gets authenticated. Now suppose I send two passwords in my password field. One password is the static password stored in OpenLDAP and the other password is some dynamic password. So my final password becomes:
Dynamic Password(Fixed Length---say 8 digits)+Static LDAP Password
I want a solution in which the dynamic and static passwords are split into two passwords. The user name and LDAP password are sent to OpenLDAP, and the dynamic password and user name are sent to another authentication server by a web service call. The web service call and the authentication server are OUT of scope of this project; we already have that ready with us. The solution will then read the outputs of both authentications, the LDAP response and the web service response, and grant access based on that.
Now I have heard of solutions like PAM and SASL being useful with LDAP, but I want something that requires minimum to NO change at the client end. The client application will just send the credentials to the LDAP as it used to, and the proposed solution will take care of everything else...
We are ready to use any technology/tool proposed. We need a solution architect with an excellent experience background. A similar project done in the past is a tremendous benefit.
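The decision logic the post describes, as an added example that is not the poster's code or any existing product: a front end that receives the single password field, splits off the fixed-length 8-digit dynamic part, checks the static part with an LDAP bind, checks the dynamic part with the separate verification service, and grants access only when both succeed. The two backends are injected as callables so the module runs offline against the constructed in-memory stand-ins at the bottom; in a real deployment the first would be a simple bind against OpenLDAP and the second the existing web service call (both are assumptions about how the surrounding pieces are wired, nothing in the post specifies them).

```python
"""Password-splitting authentication front end (added example, not the
poster's code).

Client sends ``<8-digit dynamic password><static LDAP password>`` in one
password field.  This front end splits it, checks the static part against
LDAP and the dynamic part against the separate service, and grants access
only if both checks succeed.  It fails closed on a malformed field.
"""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple
import hmac

DYNAMIC_LEN = 8  # fixed-length dynamic password, as stated in the post


@dataclass(frozen=True)
class AuthResult:
    granted: bool        # the only field that should reach the client
    ldap_ok: bool        # per-factor outcome, for server-side audit logs only
    dynamic_ok: bool
    reason: str


def split_password(combined: str,
                   dynamic_len: int = DYNAMIC_LEN) -> Optional[Tuple[str, str]]:
    """Split ``dynamic + static`` into (dynamic, static).

    Returns None when the field cannot contain both parts (too short) or
    the dynamic prefix is not all digits; the caller must then deny.
    """
    if len(combined) <= dynamic_len:
        return None
    dynamic, static = combined[:dynamic_len], combined[dynamic_len:]
    if not dynamic.isdigit():
        return None
    return dynamic, static


class SplitAuthenticator:
    """Combines an LDAP bind check and a dynamic-password check."""

    def __init__(self,
                 ldap_bind: Callable[[str, str], bool],
                 verify_dynamic: Callable[[str, str], bool]) -> None:
        self._ldap_bind = ldap_bind          # (username, static_pw) -> bool
        self._verify_dynamic = verify_dynamic  # (username, dynamic_pw) -> bool

    def authenticate(self, username: str, combined_password: str) -> AuthResult:
        parts = split_password(combined_password)
        if parts is None:
            return AuthResult(False, False, False, "malformed password field")
        dynamic, static = parts
        # Evaluate BOTH factors unconditionally so a client cannot learn from
        # the response or from timing which single factor was wrong.
        ldap_ok = bool(self._ldap_bind(username, static))
        dynamic_ok = bool(self._verify_dynamic(username, dynamic))
        granted = ldap_ok and dynamic_ok
        return AuthResult(granted, ldap_ok, dynamic_ok,
                          "ok" if granted else "authentication failed")


# --- constructed in-memory stand-ins for the two real backends (assumptions)
_FAKE_DIRECTORY = {"alice": "S3cretLdap!"}  # constructed sample static password
_FAKE_DYNAMIC = {"alice": "12345678"}       # constructed sample dynamic password


def fake_ldap_bind(username: str, password: str) -> bool:
    """Stand-in for a simple bind against OpenLDAP."""
    stored = _FAKE_DIRECTORY.get(username)
    return stored is not None and hmac.compare_digest(
        stored.encode("utf-8"), password.encode("utf-8"))


def fake_verify_dynamic(username: str, dynamic: str) -> bool:
    """Stand-in for the existing web service that checks the dynamic password."""
    expected = _FAKE_DYNAMIC.get(username)
    return expected is not None and hmac.compare_digest(
        expected.encode("utf-8"), dynamic.encode("utf-8"))


def demo_authenticator() -> SplitAuthenticator:
    """Authenticator wired to the constructed backends above."""
    return SplitAuthenticator(fake_ldap_bind, fake_verify_dynamic)


if __name__ == "__main__":
    auth = demo_authenticator()
    for pwd in ("12345678S3cretLdap!", "00000000S3cretLdap!",
                "12345678wrong", "short"):
        print(repr(pwd), "->", auth.authenticate("alice", pwd))
```

Two design points worth noting for whoever builds the real thing: the front end must answer on the address the client applications already use for OpenLDAP (so the "no client change" requirement is met by relocating the listener, not by touching the clients), and the dynamic-password service, not this front end, is where single-use and expiry of the 8-digit value have to be enforced, otherwise a captured combined password replays.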