linotp.controllers.admin module

admin controller - interfaces to administrate LinOTP

class linotp.controllers.admin.AdminController(*args, **kw)[source]

Bases: linotp.lib.base.BaseController

The linotp.controllers are the implementation of the web-API to talk to the LinOTP server. The AdminController is used for administrative tasks like adding tokens to LinOTP, assigning tokens or revoking tokens. The functions of the AdminController are invoked like this:

https://server/admin/<functionname>

The functions are described below in more detail.

assign()[source]
method:
admin/assign
description:
assigns a token to a user, i.e. a binding between the token and the user is created.
arguments:
  • serial - required - the serial number / identifier of the token
  • user - required - login user name
  • pin - optional - the pin of the user pass
returns:
a json result with a boolean
“result”: true
exception:
if an error occurs an exception is serialized and returned
check_serial()[source]
method:
admin/check_serial
description:
This function checks whether a given serial is unique. It returns True if the serial does not yet exist, and new_serial, a new value for a serial that does not exist yet.
arguments:
serial - required - the serial to be checked
returns:
a json result with a new suggestion for the serial
exception:
if an error occurs an exception is serialized and returned
checkstatus()[source]

show the status either

  • of one dedicated challenge
  • of all challenges of a token
  • of all challenges belonging to all tokens of a user
Parameters:
  • transactionid/state – the transaction id of the challenge
  • serial – serial number of the token - will show all challenges
  • user
Returns:

json result of token and challenges

copyTokenPin()[source]
method:
admin/copyTokenPin
description:
copies the token pin from one token to another
arguments:
  • from - required - serial of token from
  • to - required - serial of token to
returns:
a json result with a boolean
“result”: true
exception:
if an error occurs an exception is serialized and returned
copyTokenUser()[source]
method:
admin/copyTokenUser
description:
copies the token user from one token to another
arguments:
  • from - required - serial of token from
  • to - required - serial of token to
returns:
a json result with a boolean
“result”: true
exception:
if an error occurs an exception is serialized and returned
disable()[source]
method:
admin/disable
description:
disables a token given by serial or all tokens of a user
arguments:
  • serial - optional
  • user - optional
returns:
a json result with a boolean
“result”: true
exception:
if an error occurs an exception is serialized and returned
dropsession()[source]
enable()[source]
method:
admin/enable
description:
enables a token or all tokens of a user
arguments:
  • serial - optional
  • user - optional
returns:
a json result with a boolean
“result”: true
exception:
if an error occurs an exception is serialized and returned
getSerialByOtp()[source]
method:
admin/getSerialByOtp
description:
searches for the token that generates the given OTP value. The search can be restricted by several criteria
arguments:
  • otp - required. Will search for the token, that produces this OTP value
  • type - optional, will only search in tokens of type
  • realm - optional, only search in this realm
  • assigned - optional. 1: only search assigned tokens, 0: only search unassigned tokens
returns:
a json result with the serial
exception:
if an error occurs an exception is serialized and returned
getTokenOwner()[source]

provides the user info of the token specified by serial

getsession()[source]

This generates a session key and sets it as a cookie. set_cookie is defined in python-webob:

def set_cookie(self, key, value='', max_age=None,
       path='/', domain=None, secure=None, httponly=False,
       version=None, comment=None, expires=None, overwrite=False):
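As an added illustration (not LinOTP's or webob's own code), the stdlib-only snippet below generates a session key and builds a Set-Cookie header with the same attribute parameters as the set_cookie signature quoted above. Note that secure and httponly are off by default in that signature, so a session cookie only gets them when the caller passes both explicitly; the header formatting and the audit helper are this example's own.

```python
import secrets
from datetime import datetime, timezone


def make_session_key(nbytes: int = 32) -> str:
    # Session key from the OS CSPRNG; 32 bytes = 256 bits of entropy.
    return secrets.token_hex(nbytes)


def build_set_cookie(key, value="", max_age=None, path="/", domain=None,
                     secure=None, httponly=False, expires=None):
    # Mirrors the attribute-bearing parameters of webob's set_cookie
    # (version, comment and overwrite do not change the header attributes
    # and are left out). Returns the Set-Cookie header value.
    parts = [f"{key}={value}"]
    if max_age is not None:
        parts.append(f"Max-Age={int(max_age)}")
    if expires is not None:
        utc = expires.astimezone(timezone.utc)
        parts.append("Expires=" + utc.strftime("%a, %d %b %Y %H:%M:%S GMT"))
    if path:
        parts.append(f"Path={path}")
    if domain:
        parts.append(f"Domain={domain}")
    if secure:
        parts.append("Secure")
    if httponly:
        parts.append("HttpOnly")
    return "; ".join(parts)


def cookie_flags_missing(header: str) -> list:
    # Audit helper: which of the protective attributes a Set-Cookie
    # header lacks. Without Secure the session key may travel over
    # plain HTTP; without HttpOnly it is readable from page scripts.
    attrs = {p.strip().lower() for p in header.split(";")[1:]}
    return [f for f in ("secure", "httponly") if f not in attrs]


if __name__ == "__main__":
    sid = make_session_key()
    weak = build_set_cookie("admin_session", sid, max_age=3600)
    strong = build_set_cookie("admin_session", sid, max_age=3600,
                              secure=True, httponly=True)
    print("defaults lack:", cookie_flags_missing(weak))
    print("hardened lacks:", cookie_flags_missing(strong))
```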
init()[source]
method:
admin/init
description:
creates a new token.
arguments:
  • otpkey (required) the hmac key of the token
  • genkey (required) =1, if the key should be generated. We either need otpkey or genkey
  • keysize (optional) either 20 or 32. Default is 20
  • serial (required) the serial number / identifier of the token
  • description (optional)
  • pin (optional) the pin of the user pass
  • user (optional) login user name
  • realm (optional) realm of the user
  • type (optional) the type of the token
  • tokenrealm (optional) the realm a token should be put into
  • otplen (optional) length of the OTP value
  • hashlib (optional) used hashlib, sha1 or sha256
ocra arguments:
for generating OCRA tokens (type=ocra) you can specify the following parameters:
  • ocrasuite (optional) - if you do not want to use the default ocra suite OCRA-1:HOTP-SHA256-8:QA64
  • sharedsecret (optional) if you are in Step0 of enrolling an OCRA token, sharedsecret=1 specifies that you want to generate a shared secret
  • activationcode (optional) if you are in Step1 of enrolling an OCRA token you need to pass the activation code that was generated in the QRTAN-App
qrtoken arguments:
for generating QRTokens (type=qr) you can specify the following parameters:
  • hashlib (optional) the hash algorithm used in the mac calculation (sha512, sha256, sha1). default is sha256

returns:
a json result with a boolean
“result”: true
exception:
if an error occurs an exception is serialized and returned
loadtokens()[source]
method:
admin/loadtokens
description:
loads a whole token file to the server
arguments:
  • file - the file in a post request
  • type - the file type.
  • realm - the target realm of the tokens
returns:
a json result with a boolean
“result”: true
exception:
if an error occurs an exception is serialized and returned
logout()[source]
losttoken()[source]
method:
admin/losttoken
description:
creates a new password token and copies the PIN and the user of the old token to the new token. The old token is disabled.
arguments:
  • serial - serial of the old token
  • type - optional, password, email or sms
  • email - optional, email address, to overrule the owner email
  • mobile - optional, mobile number, to overrule the owner mobile
returns:
a json result with the new serial and the password
exception:
if an error occurs an exception is serialized and returned
remove()[source]
method:
admin/remove
description:
deletes either a certain token given by serial or all tokens of a user
arguments:
  • serial - optional
  • user - optional
returns:
a json result with a boolean
“result”: true
exception:
if an error occurs an exception is serialized and returned
reset()[source]
method:
admin/reset
description:
reset the FailCounter of a Token
arguments:
user or serial - to identify the tokens
returns:
a json result with a boolean
“result”: true
exception:
if an error occurs an exception is serialized and returned
resync()[source]
method:
admin/resync - resync a token to a new counter
description:
this function resyncs the token if the counter on the server side is out of sync with the physical token.
arguments:
  • serial - serial or user required
  • user - see above
  • otp1 - the next otp to be found
  • otp2 - the next otp after otp1
returns:
a json result with a boolean
“result”: true
exception:
if an error occurs an exception is serialized and returned
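The server-side search behind admin/resync, as an added example (illustrative HOTP logic following RFC 4226, not LinOTP's own implementation): otp1 and otp2 are matched against two consecutive counters, starting at the server's current counter and bounded by the token's sync window (the SyncWindow value of admin/set). The window size of 1000, the 6-digit length and the 20-byte test key are this example's assumptions.

```python
import hmac
import hashlib
import struct


def hotp(key: bytes, counter: int, digits: int = 6, hashfn=hashlib.sha1) -> str:
    # RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic
    # truncation to a 31-bit integer reduced to the requested digit count.
    mac = hmac.new(key, struct.pack(">Q", counter), hashfn).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def resync(key: bytes, server_counter: int, otp1: str, otp2: str,
           sync_window: int = 1000, digits: int = 6):
    # Search forward only: a counter is never moved backwards, so a
    # previously used OTP pair cannot re-open an already consumed window.
    # Requiring two consecutive OTPs keeps the chance of an accidental
    # match near sync_window / 10**(2*digits) instead of
    # sync_window / 10**digits for a single OTP.
    # Returns the new server counter (one past otp2) or None if the
    # pair is not found inside the window.
    for c in range(server_counter, server_counter + sync_window):
        if hotp(key, c, digits) == otp1 and hotp(key, c + 1, digits) == otp2:
            return c + 2
    return None


if __name__ == "__main__":
    # Constructed test key (the RFC 4226 reference secret).
    key = b"12345678901234567890"
    # Token was pressed several times without authenticating; the
    # server still believes the counter is 0.
    print(resync(key, 0, hotp(key, 4), hotp(key, 5)))   # 6
    print(resync(key, 0, hotp(key, 4), hotp(key, 6)))   # None: not consecutive
```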
set()[source]
method:
admin/set
description:
this function is used to set many different values of a token.
arguments:
  • serial - optional
  • user - optional
  • pin - optional - set the OTP PIN
  • MaxFailCount - optional - set the maximum fail counter of a token
  • SyncWindow - optional - set the synchronization window of the token
  • OtpLen - optional - set the OTP length of the token
  • CounterWindow - optional - set the counter window (blank presses)
  • hashlib - optional - set the hashing algo for HMAC tokens. This can be sha1, sha256, sha512
  • timeWindow - optional - set the synchronize window for timebased tokens (in seconds)
  • timeStep - optional - set the timestep for timebased tokens (usually 30 or 60 seconds)
  • timeShift - optional - set the shift or timedrift of this token
  • countAuthSuccessMax - optional - set the maximum allowed successful authentications
  • countAuthSuccess - optional - set the counter of the successful authentications
  • countAuth - optional - set the counter of authentications
  • countAuthMax - optional - set the maximum allowed authentication tries
  • validityPeriodStart - optional - set the start date of the validity period. The token can not be used before this date
  • validityPeriodEnd - optional - set the end date of the validity period. The token can not be used after this date
  • phone - set the phone number for an SMS token
returns:
a json result with a boolean
“result”: true
exception:
if an error occurs an exception is serialized and returned
setPin()[source]
method:
admin/setPin
description:
This function sets the smartcard PINs of an eTokenNG OTP. The userpin is used to store the mOTP PIN of mOTP tokens! For setting the OTP PIN, use the function /admin/set!
arguments:
  • serial - required
  • userpin - optional: store the userpin
  • sopin - optional: store the sopin
returns:
a json result with a boolean
“result”: true
exception:
if an error occurs an exception is serialized and returned
show()[source]
method:
admin/show
description:
displays the list of the available tokens
arguments:
  • serial - optional: only this serial will be displayed
  • user - optional: only the tokens of this user will be displayed. If the user does not exist, linotp will search tokens of users who contain this substring. TODO: This can be very time consuming and will be changed in the next release to use wildcards.
  • filter - optional: takes a substring to search in table token columns
  • viewrealm - optional: takes a realm, only the tokens in this realm will be displayed
  • realm - optional: alias to the viewrealm
  • sortby - optional: sort the output by column
  • sortdir - optional: asc/desc
  • page - optional: request a certain page
  • pagesize - optional: limit the number of returned tokens
  • user_fields - optional: additional user fields from the userid resolver of the owner (user)
  • outform - optional: if set to “csv”, then the token list will be given in CSV

returns:
a json result with: { “head”: [], “data”: [ [row1], [row2] .. ] }
exception:
if an error occurs an exception is serialized and returned
testresolver()[source]
method:
admin/testresolver
description:
This method tests a useridresolvers configuration
arguments:
  • type - “LDAP” or “SQL”; depending on the type there are other parameters:
  • LDAP:
    • BINDDN
    • BINDPW
    • LDAPURI
    • TIMEOUT
    • LDAPBASE
    • LOGINNAMEATTRIBUTE
    • LDAPSEARCHFILTER
    • LDAPFILTER
    • USERINFO
    • SIZELIMIT
    • NOREFERRALS
    • CACERTIFICATE
  • SQL:
    • Driver
    • Server
    • Port
    • Database
    • User
    • Password
    • Table
returns:
a json result with a boolean
“result”: true
exception:
if an error occurs an exception is serialized and returned
tokenrealm()[source]
method:
admin/tokenrealm - set the realms a token belongs to
description:
sets the realms of a token
arguments:
  • serial - required - serialnumber of the token
  • realms - required - comma separated list of realms
unassign()[source]
method:
admin/unassign - remove the assigned user from the token
description:
unassigns a token from a user, i.e. the binding between the token and the user is removed
arguments:
  • serial - required - the serial number / identifier of the token
  • user - optional
returns:
a json result with a boolean
“result”: true
exception:
if an error occurs an exception is serialized and returned
userlist()[source]
method:
admin/userlist - list all users
description:
lists the users in a realm
arguments:
  • <searchexpr> - will be retrieved from the UserIdResolverClass
  • realm - a realm, which is a collection of resolver configurations
  • resConf - a distinct resolver configuration
  • page - the number of page, which should be retrieved (optional)
  • rp - the number of users per page (optional)
returns:
a json result with a boolean
“result”: true
exception:
if an error occurs an exception is serialized and returned
linotp.controllers.admin.iterate_users(user_iterators)[source]

build a userlist iterator / generator that returns the user data on demand

Parameters: user_iterators – list of tuples (userlist iterator, resolver descr)
Returns: generator of user data dicts (yield)