To provision an eDirectory user for HOTP-based authentication, configure the following settings, which follow the RFC 4226 standard:
Enable HOTP on the user, container, partition root, or Login Policy object; these objects are evaluated in that order of precedence.
Set the HOTP shared secret key and the counter on the user. These two settings together determine the HOTP value.
Configure the number of digits in HOTP values on the user, container, partition root, or Login Policy object. The valid range is 6 to 9 digits.
Set the resynchronization windows as follows:
Set the tree-wide resynchronization window on the Login Policy object.
Set the user-specific resynchronization window on the user. This is needed only when the client and server are out of sync.
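The HOTP computation that the secret, counter, and digit settings above determine, together with the server-side look-ahead resynchronization window, as an added Python example (not part of the NMAS utility or this guide): it uses the secret from the examples on this page and a constructed scenario in which the client counter has run ahead of the server.

```python
import hashlib
import hmac
import struct

# The secret from this page's examples (also the RFC 4226 test secret): the hex
# encoding of the ASCII string "12345678901234567890".
SECRET_HEX = "3132333435363738393031323334353637383930"
SECRET = bytes.fromhex(SECRET_HEX)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte big-endian counter,
    dynamic truncation, then reduction modulo 10^digits."""
    if not 6 <= digits <= 9:  # the range this page allows for the digit setting
        raise ValueError("digits must be between 6 and 9")
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def verify_with_lookahead(secret: bytes, server_counter: int, otp: str,
                          window: int, digits: int = 6) -> tuple[bool, int]:
    """Server-side check modelling the look-ahead resynchronization window.
    Tries server_counter .. server_counter + window; on a match the stored
    counter moves past the matched value, so an accepted OTP cannot be replayed
    and the counter never moves backwards. Returns (accepted, new_counter)."""
    for c in range(server_counter, server_counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), otp):
            return True, c + 1
    return False, server_counter


if __name__ == "__main__":
    # Constructed scenario: the token was advanced to counter 3 without logging
    # in, while the server still stores counter 0 (as provisioned with -c 0).
    otp = hotp(SECRET, 3)
    print(verify_with_lookahead(SECRET, 0, otp, window=5))  # (True, 4): resynced
    print(verify_with_lookahead(SECRET, 4, otp, window=5))  # (False, 4): replay rejected
    print(verify_with_lookahead(SECRET, 0, otp, window=2))  # (False, 0): beyond window
```

A client that has drifted further than the window, as in the last call, cannot log in until the user-specific window is raised or the counter is reset on the user.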
To execute the nmashotpconf utility, perform the following steps:
Go to the directory where you unzipped the NMAS HOTP utility.
The unzipped file contains the linux and linux_x64 directories for 32-bit and 64-bit Linux machines, respectively.
The linux and linux_x64 directories contain the nmashotpconf executable and the libnmasext.so file.
On a 32-bit Linux machine, go to the linux/final directory; on a 64-bit Linux machine, go to the linux_x64/final directory.
Download the trusted root certificate and store it locally.
Refer to the Exporting a Trusted Root or Public Key Certificate section in the Novell Certificate Server 3.3 Administration Guide.
The syntax of the utility is as follows:
nmashotpconf -h <host_name> [-p <ssl_port>] -D <login_dn> [-w <password>] -e <trusted_cert> -t <cert_type> [-r <resync_window>] [-y <user_resync_window>] [-u <hotp_dn> [-o <hotp_options>] [-d digits] [-c <counter>] [-s <secret> -f <secret_format>]]
Option | Description
---|---
-h <host_name> | Specifies the LDAP server name or the IP address of the server.
-p <ssl_port> | Specifies the SSL port on the LDAP server. The default value is 636.
-D <login_dn> | Specifies the DN for the user.
-w <password> | Specifies the password for the user DN.
-e <trusted_cert> | Specifies the trusted root certificate file.
-t <cert_type> | Specifies the trusted root certificate encoding type. For example, DER means a DER-encoded file, and B64 means a Base64-encoded file.
-d digits | Specifies the number of digits used as the HOTP value. NOTE: This setting is applicable to all the users in the tree.
-r <resync_window> | Specifies the counter re-synchronization look-ahead window.
-y <user_resync_window> | Specifies the counter user re-synchronization look-ahead window.
-u <hotp_dn> | Specifies the target DN for which you are configuring the HOTP attributes. To configure HOTP at the tree level, enable or disable HOTP at the tree level, or configure settings at the tree level, specify the DN as cn=Login Policy,cn=Security.
-o <hotp_options> | Enables or disables HOTP for the target DN. Specify ENABLE to enable HOTP, and DISABLE to disable it.
-c <counter> | Specifies the HOTP counter value. The valid range of the counter value is 0 to 2147483647. The counter value is set through this option.
-s <secret> | Specifies the OATH HOTP secret. For example, a secret whose raw byte value in hexadecimal is 3132333435363738393031323334353637383930 corresponds to the ASCII/Extended ASCII string 12345678901234567890.
-f <secret_format> | Specifies the format of the OATH HOTP secret.
To configure a secret and a counter on the user object, run the following command:
./nmashotpconf -h 164.99.91.165 -p 636 -D cn=admin,o=novell -w novell -e /var/opt/novell/eDirectory/data/SSCert.der -t DER -u cn=user1,o=novell -c 0 -s 3132333435363738393031323334353637383930 -f RAW
To enable the OTP for a user object, run the following command:
./nmashotpconf -h 164.99.91.165 -p 636 -D cn=admin,o=novell -w novell -e /var/opt/novell/eDirectory/data/SSCert.der -t DER -u cn=user1,o=novell -o ENABLE
To disable the OTP for a user object, run the following command:
./nmashotpconf -h 164.99.91.165 -p 636 -D cn=admin,o=novell -w novell -e /var/opt/novell/eDirectory/data/SSCert.der -t DER -u cn=user1,o=novell -o DISABLE
Similarly, you can enable or disable OTP for a container, partition root, or Login Policy object.
To configure the number of OTP digits for a user object, run the following command:
./nmashotpconf -h 164.99.91.165 -p 636 -D cn=admin,o=novell -w novell -e /var/opt/novell/eDirectory/data/SSCert.der -t DER -u cn=user1,o=novell -d 6
Similarly, you can set the number of OTP digits for a parent container, partition root, or Login Policy object.
To configure the user resynchronization window, run the following command:
./nmashotpconf -h 164.99.91.165 -p 636 -D cn=admin,o=novell -w novell -y 5 -e /var/opt/novell/eDirectory/data/SSCert.der -t DER -u cn=user1,o=novell
To configure the tree-wide counter re-synchronization look-ahead window, run the following command:
./nmashotpconf -h 164.99.91.165 -p 636 -D cn=admin,o=novell -w novell -r 6