I have also been researching two-factor token support in LDAP recently. What I found depressed me: other than RSA with Novell, there is no, repeat NO support for using centralized LDAP authentication with these things. The vendors will often mention LDAP, but when they do it's as a management database for their own proprietary authentication service, not as a way to use LDAP for the actual authentication itself. I did see a general obsession with PAM, I suspect because it's a handy way to insert these mechanisms underneath Unix for terminal login. Same deal with RADIUS, presumably because that allows the vendors to check the 'VPN' checkbox. But there seems to be no general-purpose 'put my two-factor thing underneath my corporate LDAP authentication service' solution (other than the aforementioned Novell/RSA product). Not even for Active Directory. Because there is some PAM support from the vendors, providing a PAM proxy/passthrough path under the LDAP server does turn out to be the most expedient option. SASL would certainly be better, but I get the impression that the token vendors haven't heard of SASL yet. They don't seem to think in terms of general-purpose mechanisms, but rather along the lines of 'ok, how do we make our token work for application X?' (and they've provided solutions for the top N popular applications, where N is a small positive integer, and called it good).
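The "PAM proxy/passthrough path under the LDAP server" the post lands on is what OpenLDAP calls pass-through authentication: slapd hands the bind password to Cyrus saslauthd, which in turn calls PAM. The sketch below is an added example, not the poster's configuration; file paths, the `pam_vendor_token.so` module name and the `example.com` entries are placeholders, and the PAM service name `ldap` is the one slapd is documented to present to saslauthd.

```conf
# --- /etc/sasl2/slapd.conf (Cyrus SASL config read by slapd; on some
# distributions this lives under /usr/lib/sasl2/). Tell slapd to verify
# plaintext bind passwords via the saslauthd daemon instead of locally.
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux

# --- saslauthd startup options (/etc/default/saslauthd on Debian,
# /etc/sysconfig/saslauthd on Red Hat). PAM is the back end, so whatever
# the token vendor ships as a PAM module sits underneath LDAP binds.
MECH=pam

# --- /etc/pam.d/ldap : PAM service "ldap" is what slapd presents to
# saslauthd. pam_vendor_token.so is a placeholder for the vendor's module.
auth     required   pam_vendor_token.so
account  required   pam_permit.so

# --- LDIF for an account that should authenticate through the token path.
# The {SASL} scheme makes slapd skip its own hash comparison and ask
# saslauthd for "alice" in realm "example.com" instead. Accounts that keep
# a normal {SSHA} hash are unaffected, so rollout can be per user.
dn: uid=alice,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SASL}alice@example.com
```

Before pointing slapd at it, check the saslauthd/PAM leg on its own with `testsaslauthd -u alice -r example.com -s ldap -p '<token code>'`, which exercises exactly the service name and realm slapd will send.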