Moving the data needed to validate two-factor auth for the LDAP accounts from the labswiki (wikitech) database to LDAP itself would make it easier for services such as Horizon and the upcoming Tool Labs management console to provide strong authentication protections.
Several things would be needed:
- LDAP schema for storing the TOTP secrets and one-time (scratch) keys
- LDAP ACLs restricting read access to the TOTP secrets and one-time keys to the services that need them
- Updates to OATHAuth to optionally read and store its data in the LDAP directory using that schema
- Updates to the Horizon TOTP plugin to read its data from the LDAP directory
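As an added illustration of the first two items (this is not Wikimedia's actual schema or ACL configuration): an OpenLDAP cn=config fragment that defines a hypothetical auxiliary object class holding the TOTP secret and scratch tokens, followed by an access rule that lets only the OATHAuth service write those attributes and only the Horizon service read them, denying everyone else, including the account owner. The OID arc 1.3.6.1.4.1.99999, the attribute and class names, and the service DNs are all placeholders chosen for the example.

```ldif
# Hypothetical schema: placeholder OIDs under 1.3.6.1.4.1.99999 (a real
# deployment would use its own Private Enterprise Number arc).
dn: cn=oath-example,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: oath-example
olcAttributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'oathTOTPSecret'
  DESC 'TOTP seed; readable only by the authentication services'
  EQUALITY octetStringMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.99999.1.2 NAME 'oathScratchToken'
  DESC 'One-time recovery code; the service deletes the value once used'
  EQUALITY octetStringMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcObjectClasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'oathUser' AUXILIARY
  DESC 'Marks an account that has two-factor auth material in LDAP'
  MAY ( oathTOTPSecret $ oathScratchToken ) )

# Hypothetical ACL, inserted at position {0} so it is evaluated before any
# broader "to * by self write" rule that the database may already carry.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=oathTOTPSecret,oathScratchToken
  by dn.exact="cn=oathauth,ou=services,dc=example,dc=org" write
  by dn.exact="cn=horizon,ou=services,dc=example,dc=org" read
  by * none
```

Two points worth checking after loading such a fragment: an `ldapsearch` bound as an ordinary user (or anonymously) should return the entry without either attribute, and a bind as the Horizon service DN should be able to read but not modify them. Keeping `by * none` as the final clause means the secret never reaches the user's own session, so a leaked user credential cannot be used to export the second factor.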
Optionally, all TOTP handling could be moved to a dedicated service and the current wikitech and Horizon integrations updated to work with that service.