=========================
Administrative Interfaces
=========================

.. note:: To every management controller you can add the parameter
   ``httperror`` followed by an HTTP error code. If LinOTP would return
   HTTP 200/OK with ``status: false`` in the JSON response, indicating an
   internal error, then LinOTP will instead return an HTTP error code,
   e.g. HTTP 500.

Admin Interface
---------------

Managing tokens can be performed via an HTTPS interface, just like the
authentication via /validate/check and /validate/simplecheck.
The main API is located at the controller /admin. There you can find
functions like these:

* /admin/init: Enroll token
* /admin/enable: Enable token
* /admin/disable: Disable token
* /admin/show: List tokens
* /admin/delete: Delete tokens

Other controllers are:

* /manage: provides the Web UI.
* /system: provides the functions to configure the LinOTP server.
* /license: provides the functions to set and get license information.
* /audit: provides the functions for the audit trail.

Orphaned tokens
~~~~~~~~~~~~~~~

.. index:: Orphaned tokens

Orphaned tokens are tokens that are still assigned to a user, but whose
user object was deleted from the user database.
Using the method ``/admin/show`` you can also view such orphaned tokens by
calling the method::

   /admin/show?user='/:no%20user%20info:/'

You can also find tokens that have no users or tokens that are assigned to
no realm::

   /admin/show?user=''
   /admin/show?realm=''

Admin Controller
----------------

.. autoclass:: linotp.controllers.admin.AdminController
   :members:

System Controller
-----------------

.. autoclass:: linotp.controllers.system.SystemController
   :members:

License Controller
------------------

.. autoclass:: linotp.controllers.license.LicenseController
   :members:

Session protection
------------------

Starting with LinOTP 2.4.1 the API provides an additional session protection.
This means all functions that change data need to pass an additional session
parameter in the URL parameters like this::

   https://linotpserver/admin/disable?serial=123456&session=ea49db685b8e7d2ff18ac50a57e9903630f0ed03e2cbea3b96305b47c5cda8c5

If the session is not passed, the server will respond with a
401 Not authenticated.

To get such a session, the client needs to send a session request::

   https://linotpserver/admin/getsession

This will set a cookie in the client's cookie store, which also needs to be
passed with every request. Thus the client needs to pass both the cookie and
the session parameter. The server will compare these two values and only
perform the requested action if the session values are the same.

.. _disable_session_protection:

Disabling session protection
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You may disable session protection. Please note that you should not do this
when accessing LinOTP with a web browser. You should only disable session
protection if you fully understand what you are doing.

In ``/etc/linotp2/linotp.ini`` add the following line to the ``DEFAULT``
section::

   linotpNoSessionCheck = 10.1.2.3, 192.168.0.0/24

You can add any IP addresses or subnets in CIDR notation, separated by commas.
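
The following sketch models the two rules described in this section: the cookie and the ``session`` URL parameter must match, and clients listed in ``linotpNoSessionCheck`` skip that comparison. It is an added illustration, not LinOTP's own code; the function names and the sample session value are assumptions made for the example.

```python
import hmac
import ipaddress


def parse_no_session_check(value):
    """Parse a linotpNoSessionCheck value: IPs or CIDR subnets, comma separated."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in value.split(",") if item.strip()]


def is_exempt(client_ip, networks):
    """True if client_ip falls inside any exempted address or subnet."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


def request_allowed(client_ip, cookie_value, session_param, networks):
    """Model of the check described above for a data-changing request.

    Returns True if the action may run, False where the server would
    answer 401. Exempt clients skip the comparison entirely.
    """
    if is_exempt(client_ip, networks):
        return True
    if not cookie_value or not session_param:
        return False
    # Constant-time comparison of the cookie value and the URL parameter.
    return hmac.compare_digest(cookie_value.encode(), session_param.encode())


if __name__ == "__main__":
    # Exemption list taken from the example line above.
    nets = parse_no_session_check("10.1.2.3, 192.168.0.0/24")
    token = "a" * 64  # constructed session value, not a real one
    cases = [
        ("203.0.113.5", token, token),     # cookie and parameter match
        ("203.0.113.5", token, None),      # parameter missing
        ("203.0.113.5", token, "b" * 64),  # values differ
        ("192.168.0.77", None, None),      # exempt subnet, no session at all
    ]
    for ip, cookie, param in cases:
        print(ip, request_allowed(ip, cookie, param, nets))
```

The last case shows why the exemption list should stay as narrow as possible: every host inside an exempted subnet can call data-changing functions without any session value.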