As per my post: checkpassword. You can then use one password on Mondays, Wednesdays, and Fridays, alternate passwords on Tuesdays and Thursday fetched from a rot-13 database, and only from prime numbered IP addresses on weekends, if that's what you want.
Having read the wiki page on checkpassword, I am unsure how this would work with an ldap backend.
Could you elaborate on that?
You are essentially writing your own backend by taking over authentication. You'll be accepting user/password inputs into your checkpassword executable, then use the LDAP API (or some other system that will do it for you) to authenticate. (You can Google around for code snippets.) You'll have direct control over all aspects of authentication (if/when/where/etc) that a generic backend can't provide.
You can choose do implement using shell/PERL/etc script, or compile to executable from C sources. It's more work, but if you need to do everything on your wish list, I can't see any eaiser option.
One of the drawbacks is that a working password depends on both time and source address, which will be adversely affect performance on a busy server as authentication data cannot be cached.
Joseph Tam jtam.home@gmail.com