There is a set of applications that perform AD authentication. We want to enable custom 2FA for these applications. The constraint is that you cannot change or modify the source of these applications.
1. Implement OpenLDAP
2. Configure OpenLDAP as LDAP proxy
3. Modify OpenLDAP to provide API hooks to initiate 2FA

1. User opens the application and enters her credentials
2. Applications are configured to point to OpenLDAP instead of AD
3. OpenLDAP performs AD authentication with Windows AD
4. On successful authentication, it will initiate 2FA by calling a web service (async call)
5. Expose a callback URL - OpenLDAP will receive success/failure
6. On success, return to the user with successful authentication.
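
The bind decision in steps 3 to 6, modelled as an added Python example (not code from the original post and not OpenLDAP's own API). `ad_bind` and `start_2fa` are hypothetical callables standing in for the upstream AD bind and the asynchronous web service call; the gate holds the bind open until the callback arrives and fails closed on timeout, denial, or a replayed callback.

```python
import secrets
import threading

LDAP_SUCCESS = 0               # RFC 4511 resultCode: success
LDAP_INVALID_CREDENTIALS = 49  # RFC 4511 resultCode: invalidCredentials


class TwoFactorBindGate:
    """Holds an LDAP bind open until the 2FA callback arrives, failing closed."""

    def __init__(self, ad_bind, start_2fa, timeout=30.0):
        self.ad_bind = ad_bind      # hypothetical: (dn, password) -> bool, forwards the bind to AD
        self.start_2fa = start_2fa  # hypothetical: (dn, challenge_id) -> None, async web service call
        self.timeout = timeout      # assumed value; keep it below the applications' LDAP timeout
        self._pending = {}          # challenge_id -> [Event, approved]
        self._lock = threading.Lock()

    def bind(self, dn, password):
        # Step 3: an empty password is an unauthenticated bind (RFC 4513), never a login.
        if not password or not self.ad_bind(dn, password):
            return LDAP_INVALID_CREDENTIALS
        # Step 4: unguessable one-time challenge id, registered before the call goes out.
        cid = secrets.token_urlsafe(16)
        entry = [threading.Event(), False]
        with self._lock:
            self._pending[cid] = entry
        try:
            self.start_2fa(dn, cid)
            entry[0].wait(self.timeout)  # Step 5: block until the callback or the timeout
        except Exception:
            return LDAP_INVALID_CREDENTIALS  # 2FA service unreachable: deny, do not bypass
        finally:
            with self._lock:
                self._pending.pop(cid, None)  # late callbacks find nothing to approve
        # Step 6: success only on an explicit approval; timeout and denial both fail.
        return LDAP_SUCCESS if entry[1] else LDAP_INVALID_CREDENTIALS

    def on_callback(self, cid, approved):
        """Body of the callback URL handler; False for unknown, expired or replayed ids."""
        with self._lock:
            entry = self._pending.pop(cid, None)
        if entry is None:
            return False
        entry[1] = bool(approved)
        entry[0].set()
        return True
```

The callback URL itself still needs its own authentication (for example mutual TLS or a signed payload), since anyone who can reach it and learn a challenge id could otherwise approve a login.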