I authenticate the Nuxeo users against an LDAP server (https://www.freeipa.org) which is essentially the Red Hat 389-directory server. The configuration of Nuxeo is done as described in https://doc.nuxeo.com/nxdoc/using-a-ldap-directory/ whereas I used the extension point https://explorer.nuxeo.com/nuxeo/site/distribution/Nuxeo%20Platform-2021/viewExtensionPoint/org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory--servers

Everything works fine as expected with static passwords.

As an option the LDAP server can manage one time passwords (OTPs), which are 6 or 8 digits from a hardware or software token. If a user is configured for OTPs, the complete password is combined from the static part + the OTP, e.g. “secretpw47124812”.

This works for many applications (e.g. email clients, web logins etc), because the applications even are not aware that the combined password has a changing part every 30 seconds.

In Nuxeo, the login process surprisingly tries to bind 2 times to the LDAP server with the same password, which by definition succeeds in the first try, but the second try with the already used OTP will be rejected. Here is a sample output of the log of the LDAP server. The “err=49” indicates the wrong password:

[31/Mar/2022:16:38:53.599209484 +0200] conn=1176 op=0 BIND dn="uid=testuser,cn=users,cn=accounts,dc=mysld,dc=tld" method=128 version=3  
[31/Mar/2022:16:38:53.657296411 +0200] conn=1176 op=0 RESULT err=0 tag=97 nentries=0 wtime=0.000119684 optime=0.058088837 etime=0.058201579 dn="uid=testuser,cn=users,cn=accounts,dc=mysld,dc=tld"  
[31/Mar/2022:16:38:53.658287597 +0200] conn=1176 op=1 BIND dn="uid=testuser,cn=users,cn=accounts,dc=mysld,dc=tld" method=128 version=3  
[31/Mar/2022:16:38:53.659828177 +0200] conn=1176 op=1 RESULT err=49 tag=97 nentries=0 wtime=0.000057710 optime=0.001546812 etime=0.001602792  

So my questions is: Why is Nuxeo trying to bind 2 times? How can I avoid this?