WebADM questions


john downes

Jun 19, 2023, 2:03:25 AM
to RCDevs Security Solutions - Technical
Hello,

I am currently developing 2 OTP appliances for a customer and have a couple of queries which I can't find answers for in the documentation.

The customer would like to enforce PIN complexity on the user prefix PIN, such as no use of consecutive numbers and no repeated numbers such as 1111 or 12233. Can this be done?

I have set up 3 separate mountpoints to 3 different domains. Currently, to log on, the users have to put their logon details as zone\username. Is there a way to set the default domain against each domain separately?

I have configured a local user domain for local admin accounts. I have set up admin_roles with what I believe are the correct rights to log on to the Administrator Portal, but when testing, the only way they can log in is by being a member of super_admins. Is this correct?

Thanks
John

john downes

Jun 19, 2023, 5:20:08 AM
to RCDevs Security Solutions - Technical
To clarify, the three domains are read-only and haven't had the schemas extended, so I can't create a client policy directly against the domains. I have tried creating a policy under the webadm tree and setting the default domain, the allowed users and groups to the relevant domain groups, but it won't resolve the user to the domain in this scenario.

Reiner Keller

Jun 19, 2023, 9:51:22 PM
to RCDevs Security Solutions - Technical
Hi,

The "PIN complexity" of TOTP per se can only distinguish between 6 or 8 PIN numbers.

When RCDevs' PIN card hardware such as the RC200, RC300 and RC400 hardware tokens is used, these "default values" are set during card registration for the registered user of the card:

OpenOTP.Login Mode:          LDAPMFA
OpenOTP.OTP Password Length: 6
OpenOTP.TOTP Time Step:      30


It should not be possible with TOTP or HOTP, as happens with a German Girocard, to be assigned a PIN '4444', as this is a token that is calculated each time against the current time:
https://en.wikipedia.org/wiki/Time-based_one-time_password#Algorithm

In the admin area you can (or rather: must) set up one to several different "client policies" anyway.
If you can manage different domain users/clients via different client profiles (with different client IDs, IP addresses or similar), you can set up a separate default domain for each profile - which, by the way, was also necessary for our "single-only" domain in order to get the correct default domain active.

Bests

Reiner

Yoann Traut (RCDevs)

Jun 20, 2023, 12:03:13 PM
to RCDevs Security Solutions - Technical
Hello, 

The PIN complexity is not something supported, but I will check with the dev team if they want to implement it.
Users authorized to log in to the WebADM Admin GUI are the super_admins defined in webadm.conf and the other_admins defined in your admin_role. If you installed WebADM with our SLAPD, the members allowed in your admin role must also have the correct LDAP rights. There is a default group which already has these privileges on our slapd, which is cn=other_admin,dc=webadm.

If you use UPN and UPN suffixes are correctly configured in your different WebADM domains, then they can log in with their UPN without choosing the domain or displaying the domain field. Based on the UPN suffix, WebADM will know which domain should be targeted to authenticate a user. Of course, you cannot have 2 domains with the same UPN suffix in that scenario.

Regards 
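The UPN-suffix routing described in the reply above, as an added example that is not RCDevs' code and not how WebADM is implemented internally: a small resolver that accepts either the zone\username form from the original question or a UPN, maps the suffix to the domain that declares it, and refuses a configuration in which two domains claim the same suffix. The domain names, suffixes and the `upn_suffixes` key are constructed sample values, not a real webadm.conf.

```python
# Constructed sample of three WebADM-style domains and the UPN suffixes
# each one owns. Only the mapping logic is illustrated here.
SAMPLE_DOMAINS = {
    "corp": {"upn_suffixes": ["corp.example", "staff.corp.example"]},
    "partners": {"upn_suffixes": ["partners.example"]},
    "local": {"upn_suffixes": []},  # local admin accounts: zone\username only
}


def suffix_conflicts(domains: dict) -> list:
    """Return the UPN suffixes claimed by more than one domain (case-insensitive).
    A non-empty result means a UPN login would be ambiguous and the
    configuration should be rejected before it goes live."""
    owners = {}
    for name, cfg in domains.items():
        for suffix in cfg.get("upn_suffixes", []):
            owners.setdefault(suffix.lower(), []).append(name)
    return sorted(s for s, names in owners.items() if len(names) > 1)


def build_suffix_map(domains: dict) -> dict:
    """Map each lower-cased UPN suffix to exactly one domain name."""
    conflicts = suffix_conflicts(domains)
    if conflicts:
        raise ValueError(f"UPN suffix used by more than one domain: {conflicts}")
    return {
        suffix.lower(): name
        for name, cfg in domains.items()
        for suffix in cfg.get("upn_suffixes", [])
    }


def resolve_login(login: str, domains: dict, default_domain: str = None) -> tuple:
    """Return (domain, username) for a login of the form zone\\user or user@suffix.
    Assumption: the bare username is what is then looked up in the domain."""
    if "\\" in login:
        # Explicit zone\username form, as in the original question.
        domain, user = login.split("\\", 1)
        if domain not in domains:
            raise LookupError(f"unknown WebADM domain {domain!r}")
        return domain, user
    if "@" in login:
        # UPN form: the suffix alone selects the domain, no domain field needed.
        user, suffix = login.rsplit("@", 1)
        domain = build_suffix_map(domains).get(suffix.lower())
        if domain is None:
            raise LookupError(f"no WebADM domain declares UPN suffix {suffix!r}")
        return domain, user
    if default_domain is None:
        raise LookupError("login carries no domain and no default domain is set")
    return default_domain, login


if __name__ == "__main__":
    for login in ["alice@corp.example", "bob@Partners.Example", "local\\admin"]:
        print(login, "->", resolve_login(login, SAMPLE_DOMAINS))
```

Running `suffix_conflicts` at configuration time, rather than only at login, is the useful part: it surfaces the "same suffix in two domains" mistake before any user hits the ambiguous path.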

Yoann Traut (RCDevs)

Jun 21, 2023, 9:36:59 AM
to RCDevs Security Solutions - Technical
Hello, 

The dev team has agreed to add some configuration regarding the PIN prefix length and complexity, so it will be added in a future version of WebADM/OpenOTP.

Regards 
