caddy-security
feature: ldap identity store domain MFA
A clear and concise description of what you want the system to do.
Multi-Factor Authentication is currently documented as limited to local identity store.
What are the Caddyfile directives that need to be added.
Ability to match realm as defined in ldap identity store. Not sure if this is possible today based on docs. ex:
transform user {
match realm my.ldap.domain
require mfa
}
@rismoney , this will be a feature request. In short, you could store MFA secrets, but you either have to use existing custom fields or extend schema.
Alternatively, we could use local store's capability for MFA.
Using the local store's capability for MFA might be easier upon first thoughts...
Using attributes/custom fields, particularly for secrets, requires a bunch of extra steps to mark them as confidential. Then you need an inheritance model to properly entitle access to them within the directory (for admin purposes), plus the bind account. Generally speaking, most attributes in the regular schema are readable by everyone. This isn't hard to do per se, but becomes kinda opaque and muddy after implementation. I do recall there being extensionAttribute1-15 in AD, but not sure they are adequate/appropriate for storing secrets...