LinOTP documentation

Preface

By using LinOTP you decided to use a flexible, modern authentication system.

Congratulations on your choice!

LinOTP is a solution for authenticating with one time passwords. The runtime components of arxes-tolina LinOTP are available as source code, which gives you the possibility, to make your own adaption or to conduct code reviews on the software. LinOTP is originally based on GNU/Linux but as it is written in Python, it might also run on other operating systems.

arxes-tolina LinOTP is lean and very gentle on resources. It is scalable from small installations up to world-spanning, redundant enterprise installations.

This manual is divided into 5 main parts.

1. The LinOTP Management Guide describes the management of users, realms and tokens.

2. The LinOTP Installation Guide explains how to install LinOTP on different operating systems.

3. The Selfservice Portal shows the administrator how users are allowed to manage their own tokens.

4. The LinOTP Appliance Manual deals with the LinOTP Appliance. No matter if you are using the hardware appliance or the virtual appliance, here you can find how to set up and configure the appliance.

5. If you plan to adapt or extend LinOTP you can develop your own modules. How to do this is described in LinOTP Development Guide.

Getting Support

arxes-tolina GmbH provides Enterprise Support for LinOTP.

Refer to www.keyidentity.de for the available support options.

The LinOTP logo and the LinOTP Manuals and documentation, “LinOTP Management Guide”, “LinOTP Installation Guide”, “LinOTP User Guide”, “LinOTP Appliance Manual”, “LinOTP Module Development Guide” and “API documentation” are intellectual property and under the copyright of arxes-tolina GmbH and can not be used without permission.

• LinOTP Management Guide
  • 1. Introduction
    • 1.1. System Overview
    • 1.2. Components
    • 1.3. LinOTP core
    • 1.4. OTP Calculation
    • 1.5. UserIdResolver
    • 1.6. Authentication Modules
    • 1.7. Management Clients
    • 1.8. Features of different management clients
    • 1.9. Licenses
      • 1.9.1. LinOTP Server
      • 1.9.2. LinOTP Administration Clients (adminclients)
      • 1.9.3. LinOTP Management GUI
      • 1.9.4. LinOTP Authentication Connectors (authmodules)
      • 1.9.5. LinOTP User Connectors (UserIdResolver)
      • 1.9.6. LinOTP SMS Connectors
  • 2. Quickstart Guide
    • 2.1. What this guide is about
    • 2.2. Getting started - the Web UI
    • 2.3. UserIdResolvers
      • 2.3.1. Create UserIdResolver
    • 2.4. Create Realm
    • 2.5. Create Token
    • 2.6. Assign Token to User
    • 2.7. Test authentication procedure
  • 3. Configure Resolvers and Realms - The Details
    • 3.1. UserIdResolvers and Realms - The Concepts
      • 3.1.1. Authenticating with Realms and UserIdResolvers
    • 3.2. Configuring UserIdResolvers
      • 3.2.1. Configuring LDAP UserIdResolver
      • 3.2.2. Configuring SQL UserIdResolver
      • 3.2.3. Configuring Passwd (Flatfile) UserIdResolver
        • 3.2.3.1. Using /etc/passwd
        • 3.2.3.2. Using a separate file
    • 3.3. InternalSQLResolver
      • 3.3.1. Create InternalSQLResolver
      • 3.3.2. Change InternalSQLResolver
    • 3.4. Configuring Realms
  • 4. Supported tokens
    • 4.1. Tokens
      • 4.1.1. Hardware Tokens
      • 4.1.2. Soft Tokens
      • 4.1.3. Tokens for login and transaction security (challenge response)
        • 4.1.3.1. KeyIdentity QR Token
        • 4.1.3.2. KeyIdentity Push Token
      • 4.1.4. Challenge Response Tokens
      • 4.1.5. Special Tokens
    • 4.2. Recommended Mobile Apps
      • 4.2.1. Recommended HOTP Apps
        • 4.2.1.1. Apps for the iPhone
        • 4.2.1.2. Apps for Android
        • 4.2.1.3. Apps for the Windows Phone
      • 4.2.2. Recommended mOTP Apps
        • 4.2.2.1. Apps for iPhone
        • 4.2.2.2. Apps for Android
        • 4.2.2.3. Apps for Windows Phone
  • 5. Managing Tokens
    • 5.1. Tokentype Configuration
      • 5.1.1. Global - Default Settings
      • 5.1.2. OCRA Token - Default Settings
      • 5.1.3. OCRA2 Token - Default Settings
      • 5.1.4. QRToken - Default Settings
      • 5.1.5. RADIUS Token - Default Settings
      • 5.1.6. Remote Token - Default Settings
      • 5.1.7. TOTP Token - Default Settings
      • 5.1.8. Yubico Token - Default Settings
    • 5.2. Import tokens
      • 5.2.1. Importing tokens with the Web UI
        • 5.2.1.1. Importing PSKC files
        • 5.2.1.2. Importing OATH CSV files
        • 5.2.1.3. Importing Tagespasswort files
        • 5.2.1.4. Import Vasco DPX files
    • 5.3. Viewing users in certain realms
      • 5.3.1. Viewing users in the Web UI
    • 5.4. Viewing tokens in the WebUI
    • 5.5. Assign tokens
      • 5.5.1. Multiple tokens for a user
      • 5.5.2. Assign tokens using the Web UI
    • 5.6. Set OTP PIN
    • 5.7. Enrolling tokens
      • 5.7.1. Enroll eToken NG-OTP
      • 5.7.2. Enroll mOTP Token
      • 5.7.3. Enroll HOTP, TOTP and OCRA Tokens
      • 5.7.4. Enroll Static Password Token
      • 5.7.5. Enroll KeyIdentity Simple Pass Token
      • 5.7.6. Enroll SMS OTP / Mobile TAN
      • 5.7.7. Enroll Voice Token
      • 5.7.8. Enroll Remote Token
      • 5.7.9. Enroll Forwarding Token
      • 5.7.10. Enroll RADIUS Token
      • 5.7.11. Enroll KeyIdentity QR Token
      • 5.7.12. Enroll KeyIdentity Push Token
      • 5.7.13. Enroll QR-TAN Token
      • 5.7.14. Enroll YubiKeys
        • 5.7.14.1. Enrolling OATH/HOTP mode
        • 5.7.14.2. Enrolling Yubico mode
        • 5.7.14.3. Enrolling static mode
        • 5.7.14.4. Enrolling Cloud mode
        • 5.7.14.5. Enrolling Challenge Response mode
      • 5.7.15. Enroll E-Mail Token
    • 5.8. Manage tokens
      • 5.8.1. Unassign
      • 5.8.2. Remove
      • 5.8.3. Disable
      • 5.8.4. Reset fail counter
      • 5.8.5. Set Expiration
      • 5.8.6. Resync token
    • 5.9. FIDO U2F
      • 5.9.1. Overview
      • 5.9.2. Example for U2F with LinOTP
        • 5.9.2.1. Set up required policy
        • 5.9.2.2. U2F token enrollment
        • 5.9.2.3. Authentication with the assigned token
    • 5.10. Set token realm
    • 5.11. Token info
    • 5.12. Lost token
    • 5.13. Get serial by OTP
    • 5.14. Get OTP
    • 5.15. Users with no token
    • 5.16. UserIdResolver migration
  • 6. Policies
    • 6.1. Admin Policies
    • 6.2. Audit Policies
    • 6.3. Authentication Policies
      • 6.3.1. OTP PIN variants
      • 6.3.2. Authentication Passthrough
      • 6.3.3. Pass on no Token
      • 6.3.4. Challenge Response
      • 6.3.5. Forward Request to Remote Server
      • 6.3.6. Forward Request to Remote Server for User without Token only
      • 6.3.7. Setup KeyIdentity QR Token
        • 6.3.7.1. Call back Pairing URL for Activation of KeyIdentity QR Tokens
        • 6.3.7.2. Call back Challenge URL for Authentication with KeyIdentity QR Tokens
        • 6.3.7.3. Support for Offline QR Tokens
      • 6.3.8. KeyIdentity Push Token Policies
        • 6.3.8.1. Call back Pairing URL for Activation of KeyIdentity Push Tokens
        • 6.3.8.2. Call back Challenge URL for Authentication with KeyIdentity Push Tokens
      • 6.3.9. URL for QR-TAN Tokens
      • 6.3.10. Choose SMS Provider
      • 6.3.11. SMS Provider Failover
      • 6.3.12. Automatic SMS sending
      • 6.3.13. SMS Text
      • 6.3.14. Enforce SMS Text
      • 6.3.15. SMS Dynamic Mobile Number
      • 6.3.16. Choose E-mail Provider
      • 6.3.17. Email Subject
      • 6.3.18. Email Text
      • 6.3.19. Email dynamic address
      • 6.3.20. Automatically Disable or Delete Token
        • 6.3.20.1. Disable Token
        • 6.3.20.2. Delete Token
      • 6.3.21. Voice Token Policies
        • 6.3.21.1. Choose Voice Provider
        • 6.3.21.2. Voice Message content
        • 6.3.21.3. Voice Language
        • 6.3.21.4. Voice Dynamic Mobile Number
    • 6.4. Authorization Policies
      • 6.4.1. Authorization
      • 6.4.2. Token Types
      • 6.4.3. Serials
      • 6.4.4. Setting Realms
      • 6.4.5. Returning Details on validation
    • 6.5. Enrollment Policies
      • 6.5.1. Token limits per Realm
      • 6.5.2. Token limits per user
        • 6.5.2.1. Total number of tokens per user:
        • 6.5.2.2. Number of tokens per user by type:
      • 6.5.3. Random OTP PIN
      • 6.5.4. Encrypted OTP PIN
      • 6.5.5. Token issuer
      • 6.5.6. Token labels
      • 6.5.7. Auto Assignment
      • 6.5.8. Ignore Auto Assignment Pin
      • 6.5.9. Autoassigment without Password Check
      • 6.5.10. Lost token
      • 6.5.11. Purge rollout tokens
      • 6.5.12. U2F App ID
      • 6.5.13. U2F Valid Facet
    • 6.6. Notification Policies
      • 6.6.1. Token autoenrollment with user notification
    • 6.7. Gettoken Policies
    • 6.8. OCRA Policies
    • 6.9. Reporting Policies
      • 6.9.1. Activate Reporting
        • 6.9.1.1. Total Number of Tokens
        • 6.9.1.2. Token in certain States
      • 6.9.2. Configure Access
        • 6.9.2.1. Show Token
        • 6.9.2.2. Show Maximal Number of Tokens
        • 6.9.2.3. Delete data from Reporting Database
          • 6.9.2.3.1. Delete all data
          • 6.9.2.3.2. Delete data before a certain date
    • 6.10. Selfservice policies
      • 6.10.1. OTP PIN policies
        • 6.10.1.1. Character groups
        • 6.10.1.2. Changing the character group definition
        • 6.10.1.3. Reversing the OTP PIN logic
      • 6.10.2. Retrieving OTP values
    • 6.11. System policies
    • 6.12. Users in policies
      • 6.12.1. Extensions for user field in LinOTP =>2.8.1
        • 6.12.1.1. Examples
    • 6.13. Clients in policies
    • 6.14. Policy checker
    • 6.15. Importing and exporting policies
    • 6.16. Best practice - policy example
      • 6.16.1. Administrators
      • 6.16.2. System
      • 6.16.3. Selfservice
  • 7. Audit Trail
    • 7.1. Logging Scopes
      • 7.1.1. Selfservice Portal
      • 7.1.2. Validate
      • 7.1.3. Audit Trail
      • 7.1.4. Administrative Tasks
      • 7.1.5. System configuration
      • 7.1.6. Setting License
    • 7.2. Viewing the Audit Trail
    • 7.3. Configuration
    • 7.4. Searching the Audit Trail
      • 7.4.1. Search in SQL Audit
  • 8. Challenge Response
    • 8.1. HOTP and TOTP Tokens
    • 8.2. SMS and e-mail
    • 8.3. Configure Challenge Message
    • 8.4. RADIUS
    • 8.5. Test Challenge Response
  • 9. SMS Provider for SMS OTP Tokens / Mobile TANs
    • 9.1. Overview
      • 9.1.1. Triggering SMS
      • 9.1.2. Configuration
        • 9.1.2.1. Policy to choose SMS Provider
    • 9.2. Configure SMS Provider
      • 9.2.1. Generic Options
      • 9.2.2. Overview SMS Provider modules
        • 9.2.2.1. HttpSMSProvider
        • 9.2.2.2. SmtpSMSProvider
        • 9.2.2.3. SMPPSMSProvider
        • 9.2.2.4. RestSMSProvider
        • 9.2.2.5. DeviceSMSProvider
    • 9.3. SMSProviderConfig
      • 9.3.1. HttpSMSProvider
      • 9.3.2. SmtpSMSProvider
      • 9.3.3. SMPPSMSProvider
      • 9.3.4. RestSMSProvider
      • 9.3.5. SMPPSMSProvider
      • 9.3.6. DeviceSMSProvider
  • 10. E-mail Provider for E-mail Token
    • 10.1. Overview
      • 10.1.1. Triggering challenge (e-mail)
      • 10.1.2. Configuration
        • 10.1.2.1. Policy to choose E-Mail Provider
    • 10.2. Configure E-mail Provider details
    • 10.3. E-mail ProviderConfig
      • 10.3.1. SMTPEmailProvider
  • 11. Push Provider for KeyIdentity Push Token
    • 11.1. Configuration
      • 11.1.1. Policy to Choose Push Provider
      • 11.1.2. Configure Push Provider
        • 11.1.2.1. Configuration details of the DefaultPushProvider
    • 11.2. Testing of the KeyIdentity Push Token
      • 11.2.1. Push Token via Test Page
      • 11.2.2. Test Push via API
        • 11.2.2.1. Trigger the Push Messages
        • 11.2.2.2. Check Result
  • 12. Voice Provider
    • 12.1. Configuration
      • 12.1.1. Policy to choose Voice Provider
      • 12.1.2. Configure Voice Provider
        • 12.1.2.1. Configuration details of the Voice Token Provider
    • 12.2. Testing of the Voice Token
  • 13. System Config
    • 13.1. Tab Settings
      • 13.1.1. Field Authentication
      • 13.1.2. Field Authorization
    • 13.2. Tab Caching
    • 13.3. Tab GUI settings
    • 13.4. Tab Client Identification
  • 14. Security Module
    • 14.1. PKCS11 module and SafeNet LunaSA
    • 14.2. Password handling
    • 14.3. PKCS #11 and YubiHSM Padding bug
      • 14.3.1. Technical details
  • 15. LinOTP as OpenID Provider
    • 15.1. Comfortable identity links
  • 16. Retrieving OTP values
  • 17. Selfservice Portal
    • 17.1. Managing token in self service
      • 17.1.1. Conditions for use
      • 17.1.2. Access Selfservice Portal
    • 17.2. Typical usecases for supported token in self service
      • 17.2.1. Basic actions for tokens
      • 17.2.2. Application Scenario with the KeyIdentity Push Token
        • 17.2.2.1. Customize the LinOTP configuration
        • 17.2.2.2. Testing the configuration with a Push Token
        • 17.2.2.3. Prepare Windows or Apple Clients with KeyIdentity Authentication Provider KAP
        • 17.2.2.4. Provide the KI APP on the smartphone by the user
        • 17.2.2.5. Rollout and activate the push token by the user
          • 17.2.2.5.1. Step 1 Enroll your Push Token
          • 17.2.2.5.2. Step 2 Activate your Push Token
        • 17.2.2.6. Test for KI Push Token
      • 17.2.3. Application Scenario with the KeyIdentity QR Token
        • 17.2.3.1. Customize the LinOTP configuration
        • 17.2.3.2. Prepare Windows or Apple Clients with KeyIdentity Authentication Provider KAP
        • 17.2.3.3. Provide the KI APP on the smartphone by the user
        • 17.2.3.4. Rollout and activate the keyidentity qr token by the user
          • 17.2.3.4.1. Step 1 Enroll your QR Token
          • 17.2.3.4.2. Step 2 Activate your QR Token
        • 17.2.3.5. Test for KI QR Token function with /auth/qrtoken
      • 17.2.4. Enrolling OATH Token for Google Authenticator
      • 17.2.5. Using mOTP Token
        • 17.2.5.1. Initializing the mOTP Token
        • 17.2.5.2. Registering the mOTP Token
        • 17.2.5.3. Authenticating using mOTP Token
      • 17.2.6. Disable lost token
      • 17.2.7. Change OTP PIN
      • 17.2.8. Resynchronize Token
    • 17.3. Individualize the Selfservice Portal
      • 17.3.1. Selfservice Portal Imprint
  • 18. Tools
    • 18.1. linotp-sql-janitor
    • 18.2. linotp-tokens-used
    • 18.3. linotp-backup
    • 18.4. linotp-restore
    • 18.5. linotp-convert-token
    • 18.6. linotp-convert-xml-to-csv
    • 18.7. linotp-decrypt-otpkey
    • 18.8. LinotpLDAPProxy.pm
  • 19. Backup and Restore
    • 19.1. Backup database and encryption key
    • 19.2. Backup additional resources
    • 19.3. Disaster Recovery
  • 20. Monitoring / Reporting
    • 20.1. Monitoring
      • 20.1.1. Perform Queries
      • 20.1.2. License
      • 20.1.3. Storage encryption
      • 20.1.4. Tokens
      • 20.1.5. UserIdResolver
    • 20.2. Reporting
      • 20.2.1. Prerequisites
      • 20.2.2. Perform Queries
        • 20.2.2.1. show
        • 20.2.2.2. maximum
        • 20.2.2.3. delete_all
        • 20.2.2.4. delete_before
  • 21. PCI DSS
  • 22. Usage scenarios
    • 22.1. Protection levels
  • 23. Troubleshooting
    • 23.1. LDAP/Active Directory Connection
    • 23.2. Testing the Freeradius Server
    • 23.3. RADIUS Authentication fails
    • 23.4. RADIUS server log file
    • 23.5. Access to Web API
    • 23.6. OTP Authentication
    • 23.7. LinOTP server log file
      • 23.7.1. Special logging configuration
  • 24. The linotp.ini file
    • 24.1. Auditing
      • 24.1.1. linotpAudit.type
      • 24.1.2. linotpAudit.key.private
      • 24.1.3. linotpAudit.key.public
      • 24.1.4. linotpAudit.sql.url
      • 24.1.5. linotpAudit.sql.table_prefix
      • 24.1.6. linotpAudit.sql.highwatermark
      • 24.1.7. linotpAudit.sql.lowwatermark
    • 24.2. Misc
      • 24.2.1. linotpHelp.url
      • 24.2.2. profile
      • 24.2.3. linotpGetotp.active
      • 24.2.4. linotpNoSessionCheck
      • 24.2.5. linotpSecretFile
      • 24.2.6. linotpSQL.implicit_returning
      • 24.2.7. linotpPolicy.pin_c, linotpPolicy.pin_n, linotpPolicy.pin_s
      • 24.2.8. openid_sql
      • 24.2.9. linotpOpenID.CookieExpire
      • 24.2.10. linotp.imprint_directory
      • 24.2.11. linotpTokenModules
    • 24.3. RADIUS settings
      • 24.3.1. radius.dictfile
      • 24.3.2. radius.nas_identifier
    • 24.4. Default Values
• LinOTP Installation Guide
  • 1. Supported Operating Systems
    • 1.1. Supported Database systems
  • 2. Checklist
    • 2.1. Decide which distribution you want to use
    • 2.2. Decide which token database you want to use
    • 2.3. SSL certificate
    • 2.4. LinOTP Admin
    • 2.5. User databases
    • 2.6. User tokens
    • 2.7. Authentication
    • 2.8. Location in your network
  • 3. Server installation
    • 3.1. LinOTP Virtual Appliance installation
    • 3.2. Installing from APT repositories
      • 3.2.1. Debian
      • 3.2.2. Ubuntu 12.04 / 14.04
    • 3.3. Installing on RHEL or CentOS v7 (64bit)
    • 3.4. LinOTP Server Installation – the tar.gz, virtualenv and pip way
      • 3.4.1. Setup token database
      • 3.4.2. LinOTP and the Apache web server
      • 3.4.3. Further changes for RedHat and CentOS 6
      • 3.4.4. Testing LinOTP Server installation
      • 3.4.5. Creating self signed SSL certificate
    • 3.5. LinOTP on Univention Corporate Server UCS
      • 3.5.1. App Center
      • 3.5.2. Join Scripts
    • 3.6. Configuration background information
      • 3.6.1. LinOTP Server configuration
        • 3.6.1.1. Token database
        • 3.6.1.2. Python search path
        • 3.6.1.3. RADIUS token communication
        • 3.6.1.4. Paster
          • 3.6.1.4.1. Start script
        • 3.6.1.5. Apache web server
          • 3.6.1.5.1. Apache configuration file
          • 3.6.1.5.2. Different authentication schemes for Management Interface
          • 3.6.1.5.3. Authenticating users against LDAP or Active Directory
          • 3.6.1.5.4. Issuing Certificate Authority
  • 4. Installing Authentication Modules
    • 4.1. Enabling PAM authentication with pam_linotp
      • 4.1.1. Configure pam_linotp
    • 4.2. Enabling RADIUS authentication with rlm_linotp2
      • 4.2.1. Configuring rlm_linotp2
      • 4.2.2. Activating rlm_linotp2
      • 4.2.3. Using rlm_linotp2 and SSL
      • 4.2.4. Testing rlm_linotp2
      • 4.2.5. Fail-over configuration for RADIUS
    • 4.3. Enabling RADIUS authentication with Radiator
    • 4.4. Enabling RADIUS authentication with rlm_perl
      • 4.4.1. Configuring radius_linotp.pm
      • 4.4.2. Testing rlm_perl
    • 4.5. Enable SAML Identify Provider
  • 5. Customization
    • 5.1. Templates
    • 5.2. Style Sheets
    • 5.3. Changing the Logo
  • 6. Database connection
    • 6.1. Running LinOTP with DB2 on RedHat
      • 6.1.1. Overview
      • 6.1.2. Installation
        • 6.1.2.1. Install unixODBC
        • 6.1.2.2. Install pyODBC
        • 6.1.2.3. Install ibm_db_sa
        • 6.1.2.4. Install LinOTP
      • 6.1.3. Configuration
        • 6.1.3.1. LinOTP
        • 6.1.3.2. ODBC
        • 6.1.3.3. DB2
        • 6.1.3.4. Create the database tables
    • 6.2. Running LinOTP with Oracle on RedHat
      • 6.2.1. Overview
      • 6.2.2. Installation
        • 6.2.2.1. Install cx_Oracle python module
        • 6.2.2.2. Install LinOTP
      • 6.2.3. Configuration
        • 6.2.3.1. LinOTP
        • 6.2.3.2. Create the database tables
    • 6.3. Configure a redundant MySQL database with master-master-replication
      • 6.3.1. Introduction
      • 6.3.2. Replication user
      • 6.3.3. Configure replication
      • 6.3.4. Setup slaves
      • 6.3.5. Synching the machines
      • 6.3.6. Activate the Replication Mode in LinOTP
    • 6.4. Special parameters for database connections
      • 6.4.1. Pool recyle
      • 6.4.2. Implicit returning
  • 7. Security Modules
    • 7.1. Defining Security Modules
    • 7.2. Defining SafeNet LunaSA
      • 7.2.1. Partition Password
    • 7.3. Setting up SafeNet LunaSA
      • 7.3.1. Requirements
      • 7.3.2. Network settings
      • 7.3.3. LunaSA server certificate
      • 7.3.4. Initialization of HSM
        • 7.3.4.1. Create HSM Admin PED Key
        • 7.3.4.2. Create Domain PED Key
        • 7.3.4.3. HSM security polices
        • 7.3.4.4. Create HSM Partitions
        • 7.3.4.5. Partition policies
        • 7.3.4.6. Activate Partitions
      • 7.3.5. Setting up HSM clients and assigning clients to HSM partitions
      • 7.3.6. Troubleshooting
    • 7.4. Create AES Keys
    • 7.5. Backup and restore with LunaSA
      • 7.5.1. Backup
      • 7.5.2. Restore
    • 7.6. Setting up HA and Load balancing for LunaSA
      • 7.6.1. Register LinOTP
      • 7.6.2. Creating HA group
      • 7.6.3. Monitoring
        • 7.6.3.1. Restore an HA group
    • 7.7. Managing Passwords with LunaSA
      • 7.7.1. Changing admin Password
      • 7.7.2. Changing HSM PED Password
      • 7.7.3. Changing Partition Passwords
      • 7.7.4. Resetting Partition Passwords
  • 8. Integration examples
    • 8.1. OTP Authentication with an Apache web server
      • 8.1.1. Download
      • 8.1.2. Compile
      • 8.1.3. Configuration
    • 8.2. Firewall integration
    • 8.3. Authentication with third party OTP solutions
      • 8.3.1. Configure FreeRADIUS LDAP
      • 8.3.2. Configure FreeRADIUS proxy
      • 8.3.3. Configure proxy decision
    • 8.4. Restrict access to certain devices to certain users
      • 8.4.1. Install LDAP FreeRADIUS module
      • 8.4.2. Adapt the configuration
      • 8.4.3. modules/ldap
      • 8.4.4. clients.conf
      • 8.4.5. policy.conf
      • 8.4.6. site-enabled/linotp
    • 8.5. Map certain RADIUS clients to specific LinOTP realms
      • 8.5.1. Example Data
      • 8.5.2. Configuration
      • 8.5.3. Define two client networks
      • 8.5.4. Define the mapping policy
      • 8.5.5. Add the shortname to the request
      • 8.5.6. Activate policy during authentication
    • 8.6. Authenticating RADIUS clients that pass the ntdomain
    • 8.7. LinOTP and MIT Kerberos
      • 8.7.1. Setting up OTP with Kerberos
      • 8.7.2. Setting up FAST
    • 8.8. Deny access for disabled users in Active Directory
    • 8.9. Use LDAPs in UserIdResolvers
  • 9. Updates
    • 9.1. Updating from LinOTP 2.6.1.1 to LinOTP 2.7
      • 9.1.1. Updating a deb install
      • 9.1.2. Updating a pip install
      • 9.1.3. Changelog
    • 9.2. Updating from LinOTP 2.6.1 to LinOTP 2.6.1.1
      • 9.2.1. Updating a deb install
      • 9.2.2. Updating a pip install
      • 9.2.3. Changelog
    • 9.3. Updating from LinOTP 2.6.0.3 to LinOTP 2.6.1
      • 9.3.1. Updating a deb install
      • 9.3.2. Updating a pip install
      • 9.3.3. Changelog
    • 9.4. Updating from LinOTP 2.6 to LinOTP 2.6.0.3
      • 9.4.1. Updating a deb install
      • 9.4.2. Updating a pip install
      • 9.4.3. Changelog
    • 9.5. Updating from LinOTP 2.6 to LinOTP 2.6.0.1
      • 9.5.1. Updating a deb install
      • 9.5.2. Updating a pip install
      • 9.5.3. Changelog
    • 9.6. Updating from LinOTP 2.5.2 to LinOTP 2.6
      • 9.6.1. Updating a deb install
      • 9.6.2. Updating a pip install
      • 9.6.3. Changelog
    • 9.7. Updating from LinOTP 2.5.1 to LinOTP 2.5.2
      • 9.7.1. Updating a deb install
      • 9.7.2. Updating a pip install
      • 9.7.3. Changelog
    • 9.8. Updating from LinOTP 2.5.0 to LinOTP 2.5.1
      • 9.8.1. Updating a deb install
      • 9.8.2. Updating a pip install
      • 9.8.3. Changelog
    • 9.9. Updating from LinOTP 2.4.4 to LinOTP 2.5.0
      • 9.9.1. Updating a deb install
      • 9.9.2. Updating a pip install
      • 9.9.3. Changelog
  • 10. Migrating from LinOTP 1.3 or LinOTP 1.0
  • 11. Security advisories
    • 11.1. Locked Users
    • 11.2. UserIdResolver
  • 12. Troubleshooting
    • 12.1. Connecting to userstores
    • 12.2. Distribution not Found: LinOTP2
    • 12.3. SQLAlchemy error
    • 12.4. Access denied for user root@localhost
• LinOTP Appliance Manual
  • 1. Offline Installation
    • 1.1. Introduction
    • 1.2. Offline Installation of the Virtual Appliance
  • 2. Online Installation
    • 2.1. Introduction
    • 2.2. Online Installation of the Virtual Appliance
  • 3. Quick Start Guide
    • 3.1. Introduction
      • 3.1.1. Licensing
      • 3.1.2. Documentation, Support & Notes
    • 3.2. Part 1: Setup the LinOTP Smart Virtual Appliance
    • 3.3. Configuration - Quick Start
      • 3.3.1. License Agreement
      • 3.3.2. Registration of your Enterprise Support and Subscription license
      • 3.3.3. Basic Network Configuration
      • 3.3.4. Setting the Time and Date
      • 3.3.5. User Roles and Passwords
      • 3.3.6. Definition of the RADIUS Clients
      • 3.3.7. Key Generation and Database Passwords
    • 3.4. Part 2: Importing License Files, Connecting to the User Directory, Rollout of Tokens
      • 3.4.1. Open the LinOTP Management Interface
      • 3.4.2. Creating User ID Resolvers
      • 3.4.3. Creating Realms
      • 3.4.4. Token
        • 3.4.4.1. Hardware Token
        • 3.4.4.2. Soft Token
      • 3.4.5. Assigning Tokens
      • 3.4.6. Setting the Token PIN
      • 3.4.7. Practical Test
      • 3.4.8. Use Information and Notes
        • 3.4.8.1. Backup and Software Update
        • 3.4.8.2. Important URLs and Administrator Roles
        • 3.4.8.3. HA Mode
    • 3.5. Appendix: Practical Tips and Legal Notes
      • 3.5.1. License Conditions
      • 3.5.2. Support Addresses
      • 3.5.3. About KeyIdentity
  • 4. The Appliance Dashboard
  • 5. Configuring network settings
  • 6. Managing LinOTP token administrators
  • 7. LinOTP debug logging
  • 8. Configuring the RADIUS access to the LinOTP appliance
    • 8.1. Detailed settings
      • 8.1.1. Realm mapping
      • 8.1.2. Windows domain stripping
  • 9. Working with configuration sets
  • 10. Root user and appadmin user
  • 11. Change the server SSL certificate
    • 11.1. New self-signed certificate
    • 11.2. Create Certificate Request – Externally signed Certificate
  • 12. Advanced settings
  • 13. Redundant setup
    • 13.1. Setup redundancy
    • 13.2. Known Errors
    • 13.3. Reverting Redundancy
    • 13.4. Repair an out of sync redundant setup
  • 14. The support file
  • 15. Updates
    • 15.1. Automatic Scheduled Updates
    • 15.2. Manual Updates
    • 15.3. Update the Appliance from offline installer ISO
  • 16. Backup and restore
    • 16.1. Manual Backup
    • 16.2. Automatic Backup
      • 16.2.1. Details
    • 16.3. Restore Settings and Data
  • 17. Disaster recovery
    • 17.1. Create and install a new Appliance
    • 17.2. Basic configuration of the new Appliance
    • 17.3. Restore the backup
    • 17.4. Check the new LinOTP Appliance
  • 18. Appliance uprade to Version 2.3
    • 18.1. Backup old Appliance
    • 18.2. Create and install a new Appliance
    • 18.3. Basic configuration of the new LinOTP Appliance
    • 18.4. Restore LinOTP Appliance Configuration
    • 18.5. Restoring the redundancy
    • 18.6. Check the new LinOTP Appliance
  • 19. Network integration
• LinOTP Development Guide
  • 1. Authentication interfaces
    • 1.1. Validate Controller
      • 1.1.1. Authentication workflow
      • 1.1.2. Authentication via “validate” controller with “check” action
    • 1.2. OCRA Controller
    • 1.3. Example for authentication integration
      • 1.3.1. Python integration
      • 1.3.2. C# integration
      • 1.3.3. Java integration
      • 1.3.4. Java Script integration for server side implementation
      • 1.3.5. C integration
      • 1.3.6. PHP integration
  • 2. Administrative Interfaces
    • 2.1. Admin Interface
      • 2.1.1. Orphanced tokens
    • 2.2. Admin Controller
    • 2.3. System Controller
    • 2.4. Session parameter
      • 2.4.1. Accessing the API with your Browser
      • 2.4.2. Programatically calling the API
      • 2.4.3. Technical background
      • 2.4.4. Disabling the session parameter
  • 3. Tokens
    • 3.1. The GUI file
      • 3.1.1. The scope config
      • 3.1.2. The scope enroll
      • 3.1.3. The scope selfservice
    • 3.2. The token file
      • 3.2.1. Challenge Response
      • 3.2.2. Base TokenClass
  • 4. UserIdResolver Modules
  • 5. Monitoring Interface
    • 5.1. Session parameter
      • 5.1.1. Accessing the API with your Browser
    • 5.2. Examples
      • 5.2.1. Tokens
      • 5.2.2. User information
      • 5.2.3. License
      • 5.2.4. Configuration
      • 5.2.5. Encryption
  • 6. Licenses
    • 6.1. AGPLv3

Indices and tables

• Index

• Search Page

• Module Index