10. Updates
Warning
Before updating, make sure that you have a backup of your encryption key and of your database. Having a backup of your linotp.ini file is also a good idea!
10.1. Updating from LinOTP 2.6.1.1 to LinOTP 2.7
LinOTP 2.7 is a major release that contains some big package structure changes.
In our effort to be completely open source we have removed our EE (Enterprise Edition) packages and merged them into the old CE (Community Edition) packages leaving you with packages that contain all the features. The CE/EE terminology is obsolete.
If you had previously edited your linotp.ini to activate the audit trail please update the file and replace:
linotpAudit.type = linotpee.lib.Audit.SQLAudit
with:
linotpAudit.type = linotp.lib.audit.SQLAudit
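The replacement above can be scripted so that it is repeatable and leaves the original file recoverable. The following shell function is an added example, not part of the LinOTP distribution; the function name `migrate_audit_type` and the `.pre-2.7` backup suffix are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not shipped with LinOTP): apply the 2.7 audit-module rename
# to linotp.ini. The old and new values are the ones given in the text above.
KEY_RE='^([[:space:]]*linotpAudit\.type[[:space:]]*=[[:space:]]*)'
OLD_RE='linotpee\.lib\.Audit\.SQLAudit[[:space:]]*$'
NEW='linotp.lib.audit.SQLAudit'

# migrate_audit_type INI_FILE
#   Rewrites an active "linotpAudit.type = <old value>" line to the new value.
#   Commented-out lines and every other setting are left untouched.
#   Returns 0 if the file was changed, 1 if there was nothing to change,
#   2 on error.
migrate_audit_type() {
    ini=$1
    [ -f "$ini" ] || { echo "no such file: $ini" >&2; return 2; }

    # Only act when an uncommented line still carries the old module path.
    grep -Eq "${KEY_RE}${OLD_RE}" "$ini" || return 1

    # Keep the original next to the file (suffix is an assumption). The umask
    # stops the copy from being more readable than the file it came from.
    ( umask 077; cp "$ini" "$ini.pre-2.7" ) || return 2

    # Edit via a temporary file, then write back into the existing file so
    # that its owner and mode stay as they were.
    tmp=$(mktemp "$ini.XXXXXX") || return 2
    if sed -E "s|${KEY_RE}${OLD_RE}|\\1${NEW}|" "$ini" > "$tmp" \
        && cat "$tmp" > "$ini"; then
        rm -f "$tmp"
        return 0
    fi
    rm -f "$tmp"
    return 2
}

# Usage, with the configuration path used elsewhere on this page:
#   migrate_audit_type /etc/linotp2/linotp.ini
```

Running it a second time returns 1 and changes nothing, so it is safe to include in an upgrade script.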
10.1.1. Updating a deb install
If you are updating from one of our repositories, simply run:
apt-get update && apt-get upgrade
If you previously had a LinOTP Community Edition you may want to additionally install the linotp-smsprovider package:
apt-get install linotp-smsprovider
If you are installing via dpkg you have to remove the obsolete packages first:
apt-get remove linotp-ee linotp-useridresolver-ee
dpkg -i linotp linotp-useridresolver linotp-smsprovider
The LinOTP Admin clients have been renamed:
- linotp-adminclient-ce is now called linotp-adminclient-cli
- linotp-adminclient-ee is now called linotp-adminclient-gui
Install them like this:
sudo apt-get install linotp-adminclient-gui linotp-adminclient-cli
10.1.2. Updating a pip install
Before upgrading to LinOTP 2.7 you need to remove the obsolete EE packages:
pip uninstall LinOTP-EE LinOtpUserIdResolverEE
Issue the following command to update your pip installation (LinOTP Server Installation – the tar.gz, virtualenv and pip way):
pip install --upgrade LinOTP LinOtpUserIdResolver SMSProvider
After this you need to restart your LinOTP webserver.
To upgrade the LinOTP Admin clients you have to remove the obsolete packages first:
pip uninstall LinOTPAdminClientCE LinOTPAdminClientEE
pip install LinOTPAdminClientCLI LinOTPAdminClientGUI
10.1.3. Changelog
LinOTP core
- Integrated linotp-ee package into this package, adding:
- Support for SQL Audit
- Tools such as: linotp-decrypt-otpkey, linotp-tokens-used, linotp-backup, linotp-restore, etc.
- Support for HSM
- eTokenDat, PSKC, DPWplain and vasco token import
- Fixed broken custom-template handling (#12555)
- Fixed some corner cases of JSON and CSV audit output (#12550, #12556)
- Fixed erroneous QR-Code generation
- Pinned WebOb version to < 1.4 due to incompatibility with Pylons (#12586)
- WebUI: Moved ‘License’ menu entry to ‘Help/Support’
- WebUI: Added ‘Help/About’ dialog
- WebUI: Cleaned up a little and exchanged the LinOTP logos
Documentation
- Adapted to new package structure (linotp and linotp-ee as well as linotp-useridresolver and linotp-useridresolver-ee have been integrated into a single package)
- Fixed warnings and made general corrections
- Exchanged LinOTP logo
LinOTP admin client
- Renamed package from linotp-adminclient-ce to linotp-adminclient-cli
- Renamed package from linotp-adminclient-ee to linotp-adminclient-gui
- Exchanged LinOTP logo
- Removed M2Crypto dependency, since license verification is done on the server
UserIdResolver
- Integrated linotp-useridresolver-ee package into this package, adding support for:
- LDAP and AD UserIdResolvers
- SQL UserIdResolvers
10.2. Updating from LinOTP 2.6.1 to LinOTP 2.6.1.1
LinOTP 2.6.1.1 is a patch release for LinOTP 2.6.1.
SMSProvider 2.6.1.1 has one new dependency:
- socksipy, either contained in httplib2 >= 0.7 or from its own package.
10.2.1. Updating a deb install
Install the necessary dependencies:
apt-get install python-socksipy
Unfortunately on Debian and Ubuntu you are forced to install the python-socksipy package because Debian Squeeze does not support python-httplib2 >= 0.7 and therefore requires python-socksipy.
If you have downloaded all packages you need to issue the following command:
dpkg -i linotp_2.6.1.1-1_all.deb \
linotp-smsprovider_2.6.1.1-1_all.deb \
libpam-linotp_2.6.1.1-1_all.deb
10.2.2. Updating a pip install
Issue the following command to update your pip installation (LinOTP Server Installation – the tar.gz, virtualenv and pip way):
pip install --upgrade linotp pam_py_linotp
An SMSProvider pip installation needs the following additional Python package:
- httplib2 >= 0.7 or socksipy.
To upgrade the enterprise edition components you need to download the latest version from the customer portal and issue the command:
pip install --upgrade /path/to/SMSProvider-2.6.1.1.tar.gz
After this you need to restart your LinOTP webserver.
10.2.3. Changelog
LinOTP core
- Fixed Yubikey token so it supports LinOTP/RADIUS challenge-response
- Removed ‘const’ JS variable that broke IE9
- Added Yubikey public ID to token description when importing CSV file (#12417)
- Fixed erroneous active-token-count in WebUI (#12523)
SMS Provider
- Fixed HTTPSMSProvider on Debian Squeeze with httplib2 0.6 (#12510)
PAM LinOTP
- Fix build of binary package on Launchpad
PAM Python LinOTP
- Fixed package build
10.3. Updating from LinOTP 2.6.0.3 to LinOTP 2.6.1
LinOTP 2.6.1 has two new dependencies:
- python-migrate for additional client information in the Audit trail and
- python-httplib2.
10.3.1. Updating a deb install
Install the necessary dependencies:
apt-get install python-migrate python-httplib2
Download all necessary LinOTP packages and issue the following command:
dpkg -i linotp_2.6.1-1_all.deb \
linotp-ee_2.6.1-1_all.deb \
linotp-useridresolver_2.6.1-1_all.deb \
linotp-useridresolver-ee_2.6.1-1_all.deb \
linotp-smsprovider_2.6.1-1_all.deb
10.3.2. Updating a pip install
A pip installation needs the following additional Python packages:
- httplib2,
- sqlalchemy-migrate.
These should be installed automatically when issuing the commands:
pip install --upgrade linotp
pip install /path/to/LinOtpUserIdResolverEE-2.6.1.tar.gz
pip install /path/to/LinOtpUserIdResolver-2.6.1.tar.gz
pip install /path/to/SMSProvider-2.6.1.tar.gz
Check with:
pip freeze
10.3.3. Changelog
LinOTP core
- Added support for BasicAuthentication to HttpSMSProvider
- Prevent resolver creation with same name (and different case)
- Improved /auth/index forms and deprecated /auth/requestsms
- Improve entropy by using /dev/urandom (#12243)
- Added streaming output to audit/search JSON and CSV (#12392)
- Made wildcard search in SQL Resolver more precise (#12135)
- Small graphical WebUI fixes (#12229)
- Added possibility to change the phone number of SMS token (#2953)
- Require * for wildcard token search (#2838)
- Removed PIL as a hard dependency (you may use pillow-pil) (#12409)
- Only enable apache site on first installation (not upgrade) (#12246, #12457)
- Suppress error during installation if no ‘lsb_release’ exists (#12237)
- Shorten UserIdResolver display string in UserView (#2678)
- Added python-httplib2 dependency
- Added challenge-response and http-POST to remote token (#12433, #12451)
- Added challenge-response to RADIUS token (#12432)
- Added client information to audit log (#12417)
- Enable ‘Enter’ key in auth/index forms (#12103, #12446)
- Allow SmtpSMSProvider to raise exceptions (#12419)
- Several challenge-response error handling fixes (#12416, #12420, #12427)
- Several OpenID fixes (#12415, #12428, #12265, #12190, #12264)
- Fix hostname/port FQDN splitting (#12410)
- Added man page for linotp-auth-radius
- Removed obsolete log warnings and errors (#12396, #12443)
- Prevent challenges from being sent when multiple tokens match (#12413)
- Fixed check_yubikey so that it supports two slots (#12477)
- Enabled realm assignment during Yubikey enrollment
- Added autoassignment for Yubikeys
- Added new policy ‘ignore_autoassignment_pin’
- Removed newlines in token CSV export (#12465)
LinOTP EE
- Solved some SQLAlchemy unicode warnings
- Added streaming output to audit/search JSON and CSV (#12392)
- Removed deprecated FileAudit (use SQLAudit instead) (#12434)
- Added client information to audit log (#12417)
- Improved help message of linotp-sql-janitor tool
UserIdResolver
- Made wildcard search in SQL Resolver more precise (#12135)
- Fix LDAP Resolver error that occurs during checkstatus (#12442)
LinOTP admin client
- Added dependency for python-usb
- Enabled realm assignment during Yubikey enrollment
- Added client information to audit log (#12417)
Documentation
- Removed FileAudit documentation since FileAudit is deprecated (#12434)
- Documented additional PasswdResolver fields (e-mail, telephone) (#12418)
- Added Howtos from website to documentation (#12430)
- Documented new OpenID storage database options (#12415)
- Updated package dependencies (#12395, #12452, #12409)
- Documented new policy ‘ignore_autoassignment_pin’
libpam LinOTP
- Remove user check in libpam-linotp since the existence of the user is not a prerequisite (VPN, automount) (#12429)
SMSProvider
- Allow SmtpSMSProvider to raise exceptions (#12419)
10.4. Updating from LinOTP 2.6 to LinOTP 2.6.0.3
LinOTP 2.6.0.3 is a patch release for LinOTP 2.6 and 2.6.0.x.
10.4.1. Updating a deb install
If you have downloaded all packages you need to issue the following command:
dpkg -i linotp_2.6.0.3-1_all.deb \
linotp-useridresolver-ee_2.6.0.3-1_all.deb
10.4.2. Updating a pip install
Issue the following command to update your pip installation (LinOTP Server Installation – the tar.gz, virtualenv and pip way):
pip install --upgrade linotp
Then upgrade the enterprise edition components. You need to download the latest version from the customer portal and issue the commands:
pip install --upgrade /path/to/LinOtpUserIdResolverEE-2.6.0.3.tar.gz
After this you need to restart your LinOTP webserver.
10.4.3. Changelog
LinOTP core
- Fix problem with LDAPS connection (#12431)
- Catch token exceptions to prevent errors when processing several tokens (#12416)
UserIdResolver
- Fix error that prevented LDAP Resolver from unbinding (#12423)
10.5. Updating from LinOTP 2.6 to LinOTP 2.6.0.1
LinOTP 2.6.0.1 is a patch release for LinOTP 2.6.
10.5.1. Updating a deb install
If you have downloaded all packages you need to issue the following command:
dpkg -i linotp_2.6.0.1-1_all.deb \
linotp-useridresolver_2.6.0.1-1_all.deb \
linotp-useridresolver-ee_2.6.0.1-1_all.deb
10.5.2. Updating a pip install
Issue the following command to update your pip installation (LinOTP Server Installation – the tar.gz, virtualenv and pip way):
pip install --upgrade linotp
Then upgrade the enterprise edition components. You need to download the latest version from the customer portal and issue the commands:
pip install --upgrade /path/to/LinOtpUserIdResolverEE-2.6.0.1.tar.gz
After this you need to restart your LinOTP webserver.
10.5.3. Changelog
LinOTP core
- Added radius client testing tool “linotp-auth-radius”, which supports challenge response
- Fix the otppin=2 (no pin) problems with email and totptoken (#12399 #12398)
- Fix for email token to support otppin=2 (closes #12398)
- Fix ‘Logout’ button (closes #12371)
UserIdResolver
- Bind the resolvers object to the request for performance. closes #12372
- Improved sqlresolver checkpass to also support {sha} and {ssha} passwords.
Command line client
- Added automation, send token list via email or upload to windows share (#12390)
10.6. Updating from LinOTP 2.5.2 to LinOTP 2.6
LinOTP 2.6 introduces a common challenge response mechanism. For this a new table “challenges” was added to the database model.
10.6.1. Updating a deb install
If you have downloaded all packages, you need to issue the following command:
dpkg -i linotp_2.6-1_all.deb \
linotp-ee_2.6-1_all.deb \
linotp-useridresolver_2.6-1_all.deb \
linotp-useridresolver-ee_2.6-1_all.deb \
linotp-doc_2.6-1_all.deb \
linotp-smsprovider_2.6-1_all.deb
Note
If you want to use the new challenge response mechanism with your RADIUS clients, you also need to update the FreeRADIUS packages.
10.6.2. Updating a pip install
Issue the following command to update your pip installation (LinOTP Server Installation – the tar.gz, virtualenv and pip way):
pip install --upgrade linotp
Then upgrade the enterprise edition components. You need to download the latest version from the customer portal and issue the commands:
pip install --upgrade /path/to/LinOTP-EE-2.6.tar.gz
pip install --upgrade /path/to/LinOtpUserIdResolverEE-2.6.tar.gz
pip install --upgrade /path/to/LinOtpDoc-2.6.tar.gz
pip install --upgrade /path/to/Smsprovider-2.6.tar.gz
To create the new table “challenges” run:
paster setup-app <your-path-to>/etc/linotp2/linotp.ini
After this you need to restart your LinOTP webserver.
10.6.3. Changelog
- Added Challenge Response functionality for all tokens.
- Added Challenge Response Policy (#12234)
- Searching for tokens in the WebUI now uses wildcards. To find “benjamin” you will have to search for “ben*”. “ben” will return nothing.
- Added UserPassOnNoToken Policy (#12145)
- Export token list to csv (#2963)
- Add additional user attributes in the token list api (#12187)
- Export audit list to csv (#2963)
- Added /auth/index3 with 3 lines (#12138)
- Use Yubikey with prefix like the serial number (#12039)
- Enroll Yubikey with Challenge Response and Yubikey NEO (#12186)
- SMS-Token: The mobile number can now be used in the mailto field (#12151)
- Add non-blocking behaviour when sending SMS OTP (#2986)
- The token description can be set in the WebUI (#12163)
- The Resolver dialog now starts the realm dialog if no realm is defined (#12160)
- The Yubikey in Yubico mode (with 44 characters output) is supported (#2989)
- Import Yubico CSV in Yubico mode for Yubikeys that were generated with the Yubico personalization tool (#12326)
- The token type list is sorted when enrolling in the management WebUI (#12231)
- The authorize policies can contain regular expressions for the token serial number (#12197)
- Added script ‘linotp-token-usage’ for token statistics (#12299)
- Added several scripts for simpler installation and maintenance: linotp-create-certificate, linotp-create-enckey, linotp-create-auditkeys, linotp-fix-access-rights (#2883)
- /validate/check can return additional token details of the authenticated token. Configured by the policy ‘detail_on_success’ (#2661)
- Support for eToken dat file import (#12124)
- Policies can now be deactivated and activated (#2903)
- Added new token type E-mail token, that sends OTP via smtp (#2704, #12332)
- Improve pam_linotp for build process and challenge response support (#12176)
- Using POST instead of GET requests in selfservice UI (#12161)
- Improved the HTML online help, to be available online from linotp.org or installed on the server
- Removed several misleading error messages during installation
- Improved several error messages
- rlm_linotp now also builds on Ubuntu 12.04 (#12154)
- Improved the certificate handling for the LDAP resolver (#12089)
- Improved the performance when loading many users in the WebUI (#12076)
- Fixed a padding problem in the OCRA token (#12202)
- Fixed the logout link in the management Web UI (#12022)
- Fixed SMS token without serial number (#12322)
- Fixed the signature checking in the SQL audit module (#12267, #2700)
- Fixed apache config to use secure cookies (#12148)
10.7. Updating from LinOTP 2.5.1 to LinOTP 2.5.2
10.7.1. Updating a deb install
With version 2.5.2 the naming of some packages changed:
old name in version 2.5.1 | new name in version 2.5.2 |
---|---|
linotpuseridresolver | linotp-useridresolver |
linotpuseridresolveree | linotp-useridresolver-ee |
linotpdoc | linotp-doc |
smsprovider | linotp-smsprovider |
Transition packages with the old names are used to perform the update.
You need to issue the following command:
dpkg -i linotpuseridresolver_2.5.2-1_all.deb \
linotpuseridresolveree_2.5.2-1_all.deb \
linotpdoc_2.5.2-1_all.deb \
smsprovider_2.5.2-1_all.deb \
linotp_2.5.2-1_all.deb \
linotp-ee_2.5.2-1_all.deb \
linotp-useridresolver_2.5.2-1_all.deb \
linotp-useridresolver-ee_2.5.2-1_all.deb \
linotp-doc_2.5.2-1_all.deb \
linotp-smsprovider_2.5.2-1_all.deb
Afterwards you can remove the old packages:
dpkg -r linotpdoc linotpuseridresolver linotpuseridresolveree smsprovider
10.7.2. Updating a pip install
Issue the following command to update your pip installation (LinOTP Server Installation – the tar.gz, virtualenv and pip way):
pip install --upgrade linotp
Then upgrade the enterprise edition components. You need to download the latest version from the customer portal and issue the commands:
pip install --upgrade /path/to/LinOTP-EE-2.5.2.tar.gz
pip install --upgrade /path/to/LinOtpUserIdResolverEE-2.5.2.tar.gz
pip install --upgrade /path/to/LinOtpDoc-2.5.2.tar.gz
pip install --upgrade /path/to/Smsprovider-2.5.2.tar.gz
10.7.3. Changelog
Documentation
- Added documentation for MS SQL server support.
- Added howto for forwarding RADIUS request depending on LDAP group membership.
- Added Yubikey documentation for Yubikey NANO.
LinOTP Server
- Added dynamic token modules. All tokens can now be loaded dynamically.
- Added policy import and export.
- Added possibility to display action history in selfservice.
- Added new Token: Yubikey in original Yubikey mode (44 characters) to authenticate with the Yubico online cloud service.
- Added a script (linotp-pip-update) to update a pip installation.
- Added authentication to ocra controller.
- Added the possibility to give the CA certificate with the LDAP Resolver when using LDAPS.
- Added univention UCS / LinOTP documentation.
- Added users and resolvers to policies in selfservice, authentication, enrollment and authorization.
- Added a policy checker to the WebUI.
- Assign Token by OTP value in selfservice.
- Implemented additional API to do a get_serial_by_otp in selfservice.
- Improved policies: exclude clients.
- Improved PSKC import to import OCRA suite.
- Increase font size (style italic) to make it easier to assign a token to a user.
- Limit size of realm and resolver dialogs. If a hundred resolvers or realms are defined, the dialog is too big.
- Make the cookie a secure cookie, which means it must be transferred via SSL.
- Performance fix - reduce userid lookup.
- Add possibility to set maximum auth count and validity period.
- The mobile number (instead of phone) will now be used in selfservice for SMS token.
- closed: More detailed information when the SMS is sent via /validate/check of /validate/smspin.
- closed: The preset of the mobile number for an SMS token is now contained in the token.mako file.
- closed: The user was not able to authenticate to selfservice.
- closed: Deprecation Information about searching tokens.
- closed: Use SecureFormatter in linotp.ini.
- closed: The sms text from the policy is used to send the SMS.
- closed: We require python 2.6.
- closed: Make sure that genkey is in defined range.
- Renamed the webprovissionOCRA to activateQR.
- Reverted to the timeStepping=30 for the setup.
- fixed: Correct audit entry, when the userpassword (otppin=1) is wrong.
- fixed: Added a search button to flexigrid.
- fixed: Added SecureFormatter to be able to remove non printable characters from the log args
- fixed: The audit trail does not show entries with sqlalchemy 0.8.0
- fixed: The setting of the OCRA PIN does not work in the WebUI.
- fixed: Return space instead of empty string in case of MS SQL server
- fixed: Problems with redundant MS SQL server.
- fixed: Problem, that an admin was not able to view the users in the realm he has rights to.
- fixed: The broken FileAudit module.
- fixed: The possibility to do cross site scripting in the doc controller. (serve documentation statically)
- fixed: Problems in token search.
- fixed: User enumeration with validate/smspin.
- fixed: Tokeniterator exact user match.
- fixed: Permissions for SSL privkey and who.ini.
- fixed: The system settings (WebUI) are not stored, if data on another tab is missing.
- fixed: OCRA bug for missing leading zeros - truncation to last digit.
GTK Client
- The Yubikey can now be enrolled with GTK client based on python 2.7.
- Modified the GTK client so that the realm filter is always available.
- Added the possibility to give the CA certificate with the LDAP Resolver.
- Added import of policies to GTK client.
- Added the possibility to export the policies to a file.
- Audit log now shows the last entry first.
- Added eToken enrollment command line tools.
- Fixed missing dependency for configobj.
- Fixed the jumping of the filter cursor.
- Fixed display of policy in GTK client.
10.8. Updating from LinOTP 2.5.0 to LinOTP 2.5.1
10.8.1. Updating a deb install
Issue the command:
dpkg -i linotp_2.5.1_all.deb linotp-ee_2.5.1_all.deb linotpuseridresolveree_2.5.1_all.deb \
linotpdoc_2.5.1_all.deb python-qrcode_2.4.2_all.deb
10.8.2. Updating a pip install
Warning
Before updating a pip installation, you must back up your files in /etc/linotp2! The pip installation logic is not very sophisticated and might overwrite existing config files. So please back up at least: /etc/linotp2/linotp.ini and /etc/linotp2/encKey!
If you have installed LinOTP using pip as described in LinOTP Server Installation – the tar.gz, virtualenv and pip way, you can first upgrade the main server components via the internet to the latest version:
pip install --upgrade linotp
Then upgrade the enterprise edition components. You need to download the newer version from the customer portal:
pip install qrcode
pip install --upgrade /path/to/packages/LinOTP-EE-2.5.1.tar.gz
pip install --upgrade /path/to/packages/LinOtpUserIdResolverEE-2.5.1.tar.gz
pip install --upgrade /path/to/packages/LinOtpDoc-2.5.1.tar.gz
10.8.3. Changelog
LinOTP Server
- added QR-Code enrollment in management web UI and selfservice portal
- added QR-Code image to reply
- added HTML documentation for LinOTP Web UI
- added import OCRA seeds via CSV
- added possibility to send 500er HTTP error instead of status:false
- added alert-box (pop under)
- added support for AD uidType DN, objectGUID and sAMAccountName
- added man pages for command line tools
- improved python PIP installation
- improved performance with dynamic token classes
- define the contents of the lost password token (#806)
- only active tokens are counted for the licensing (#810)
- using sqlalchemy for where clauses in SQLResolver
- fixed translation
- fixed broken totp resync
- fixed empty password are neglected ldap_simple bind
- fixed connection close() in checkMapping()
10.9. Updating from LinOTP 2.4.4 to LinOTP 2.5.0
10.9.1. Updating a deb install
Before updating, make sure that you have a backup of your encryption key and also of your token database.
Issue the command:
dpkg -i linotp_2.5.0-8_all.deb linotp-ee_2.5.0_all.deb linotpuseridresolveree_2.5.0-2_all.deb
If you want to use OCRA functionality you also need to update your database. You can do this by issuing the command:
paster setup-app /etc/linotp2/linotp.ini
After this please check the access rights of your logfiles in /var/log/linotp/.
10.9.2. Updating a pip install
Warning
Before updating a pip installation, you must back up your files in /etc/linotp2! The pip installation logic is not very sophisticated and might overwrite existing config files. So please back up at least: /etc/linotp2/linotp.ini and /etc/linotp2/encKey!
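One way to act on this warning, and on the identical one in section 10.8.2, is to snapshot the two files with checksums before running pip and to compare them afterwards. This is an added example, not a LinOTP tool; the function names and the backup directory shown in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not shipped with LinOTP): detect and undo config files
# overwritten by a pip upgrade.

# snapshot_config SRC_DIR BACKUP_DIR FILE...
#   Copies each FILE from SRC_DIR into BACKUP_DIR and records its SHA-256.
#   BACKUP_DIR is forced to mode 0700 because it will hold a copy of encKey.
snapshot_config() {
    src=$1; dst=$2; shift 2
    ( umask 077; mkdir -p "$dst" ) || return 2
    chmod 700 "$dst" || return 2
    : > "$dst/MANIFEST.sha256"
    for name in "$@"; do
        [ -f "$src/$name" ] || { echo "missing: $src/$name" >&2; return 2; }
        # -p keeps owner, mode and timestamps, so a restore is a plain copy back.
        cp -p "$src/$name" "$dst/$name" || return 2
        ( cd "$dst" && sha256sum "$name" ) >> "$dst/MANIFEST.sha256" || return 2
    done
}

# changed_since_snapshot SRC_DIR BACKUP_DIR
#   Prints the name of every snapshotted file that is now missing from SRC_DIR
#   or whose content differs. Returns 0 if nothing changed, 1 otherwise.
changed_since_snapshot() {
    src=$1; dst=$2; status=0
    while read -r sum name; do
        now=$(sha256sum "$src/$name" 2>/dev/null | cut -d' ' -f1)
        if [ "$now" != "$sum" ]; then
            echo "$name"
            status=1
        fi
    done < "$dst/MANIFEST.sha256"
    return $status
}

# restore_changed SRC_DIR BACKUP_DIR
#   Copies back only the files reported by changed_since_snapshot.
restore_changed() {
    src=$1; dst=$2
    changed_since_snapshot "$src" "$dst" | while read -r name; do
        cp -p "$dst/$name" "$src/$name" || exit 2
    done
}

# Usage (the backup directory is an assumed location):
#   snapshot_config /etc/linotp2 /root/linotp2-pre-upgrade linotp.ini encKey
#   ... run the pip upgrade commands ...
#   changed_since_snapshot /etc/linotp2 /root/linotp2-pre-upgrade \
#       || restore_changed /etc/linotp2 /root/linotp2-pre-upgrade
```

Review a reported linotp.ini difference before restoring it, since a new release may ship settings you want to merge rather than discard.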
If you have installed LinOTP using pip as described in LinOTP Server Installation – the tar.gz, virtualenv and pip way, you can first upgrade the main server components via the internet to the latest version:
pip install --upgrade linotp
Then upgrade the enterprise edition components. You need to download the newer version from the customer portal:
pip install --upgrade /path/to/packages/LinOTP-EE-2.5.0.tar.gz
pip install --upgrade /path/to/packages/LinOtpUserIdResolverEE-2.5.0-2.tar.gz
10.9.3. Changelog
LinOTP Server
- Added OCRA token and QR-TAN functionality.
- Make TOTP token honor DefaultOTPLength configuration.
- Fixed bug, where a previous OTP value could be used again.
- Added support for DB2 Token database.
- Added framework of security modules to support HSMs to store the encryption keys.
- Added TOTP Google authenticator to self service.
- Improved SQLuserIdResolver (Performance).
- Improved LDAPResolver (entryUUID or ObjectGUID).
- Added passthru policy to authenticate users without token.
- Added client IPs to policies.
- Selfservice: added reset of failcounter.