Is there any available solution that supports 2FA for user authentication in OpenLDAP?

Currently we are using SimpleSAMLphp as the SSO solution in our PHP application with OpenLDAP as an auth datasource, and it's working fine.

Now we need to implement 2FA in the login process, so I wanted to know if there is any built-in support for 2FA in OpenLDAP.

I have found that SimpleSAMLphp allows 2FA using the PrivacyIDEA module, but it uses its own mechanism for TOTP generation and validation, whereas we require everything to be handled in SimpleSAMLphp and OpenLDAP. Is it even possible?

It looks like OpenLDAP does support TOTP (most commonly referred to as Google Authenticator) with a slapd module.

The module for OpenLDAP can be found here. An article describing it can be found here. The documentation for the module seems a bit light, but the module itself is small and fairly readable.

privacyIDEA can read your users and all needed attributes from OpenLDAP. You can define an attribute mapping to read any arbitrary attribute from OpenLDAP.

In privacyIDEA you can define a policy that requires the user to enter the LDAP password plus the OTP value.

Then in simpleSAMLphp you can define the authsource to be privacyIDEA. This way the user can authenticate with his LDAP password and the OTP at the IdP. If you want to, you can use the parameter otpextra to even use a two-step dialog, where the user first needs to enter his LDAP password and then his OTP value.

Use the mapping in the SAML privacyIDEA module or authproc filters to further map your attributes.

As an alternative you could also use the privacyIDEA LDAP Proxy to still use the ldap:ldap authsource of simpleSAMLphp but "enrich" this with an OTP value.

In my Æ-DIR I'm using my own solution OATH-LDAP, which adds the token data as LDAP entries. Currently the validator only supports counter-based HOTP (see RFC 4226). It can be used e.g. with YubiKey, and there's also an enrollment script available for this.

Unfortunately there's currently no documentation available on how to use OATH-LDAP stand-alone in an arbitrary OpenLDAP installation.

Let me know if you want to dig into this.