6.1.1.2.1.2. linotp.controllers.admin module¶
admin controller - interfaces to administrate LinOTP
- class linotp.controllers.admin.AdminController(*args, **kw)[source]¶
Bases: linotp.lib.base.BaseController
The linotp.controllers are the implementation of the web-API to talk to the LinOTP server. The AdminController is used for administrative tasks like adding tokens to LinOTP, assigning tokens or revoking tokens. The functions of the AdminController are invoked like this
https://server/admin/<functionname>The functions are described below in more detail.
- assign()[source]¶
- method:
- admin/assign
- description:
- assigns a token to a user, i.e. a binding between the token and the user is created.
- arguments:
- serial - required - the serial number / identifier of the token
- user - required - login user name
- pin - optional - the pin of the user pass
- returns:
- a json result with a boolean
- “result”: true
- exception:
- if an error occurs an exception is serialized and returned
- check_serial()[source]¶
- method
- admin/check_serial
- description:
- This function checks, if a given serial will be unique. It returns True if the serial does not yet exist and new_serial as a new value for a serial, that does not exist, yet
- arguments:
- serial - required- the serial to be checked
- returns:
- a json result with a new suggestion for the serial
- exception:
- if an error occurs an exception is serialized and returned
- checkstatus()[source]¶
show the status either
- of one dedicated challenge
- of all challenges of a token
- of all challenges belonging to all tokens of a user
Parameters: - transactionid/state – the transaction id of the challenge
- serial – serial number of the token - will show all challenges
- user –
Returns: json result of token and challenges
- copyTokenPin()[source]¶
- method:
- admin/copyTokenPin
- description:
- copies the token pin from one token to another
- arguments:
- from - required - serial of token from
- to - required - serial of token to
- returns:
- a json result with a boolean
- “result”: true
- exception:
- if an error occurs an exception is serialized and returned
- copyTokenUser()[source]¶
- method:
- admin/copyTokenUser
- description:
- copies the token user from one token to another
- arguments:
- from - required - serial of token from
- to - required - serial of token to
- returns:
- a json result with a boolean
- “result”: true
- exception:
- if an error occurs an exception is serialized and returned
- disable()[source]¶
- method:
- admin/disable
- description:
- disables a token given by serial or all tokens of a user
- arguments:
- serial - optional
- user - optional
- returns:
- a json result with a boolean
- “result”: true
- exception:
- if an error occurs an exception is serialized and returned
- enable()[source]¶
- method:
- admin/enable
- description:
- enables a token or all tokens of a user
- arguments:
- serial - optional
- user - optional
- returns:
- a json result with a boolean
- “result”: true
- exception:
- if an error occurs an exception is serialized and returned
- getSerialByOtp()[source]¶
- method:
- admin/getSerialByOtp
- description:
- searches for the token, that generates the given OTP value. The search can be restricted by several critterions
- arguments:
- otp - required. Will search for the token, that produces this OTP value
- type - optional, will only search in tokens of type
- realm - optional, only search in this realm
- assigned - optional. 1: only search assigned tokens, 0: only search unassigned tokens
- returns:
- a json result with the serial
- exception:
- if an error occurs an exception is serialized and returned
- getsession()[source]¶
This generates a session key and sets it as a cookie set_cookie is defined in python-webob:
def set_cookie(self, key, value='', max_age=None, path='/', domain=None, secure=None, httponly=False, version=None, comment=None, expires=None, overwrite=False):
- init()[source]¶
- method:
- admin/init
- description:
- creates a new token.
- arguments:
- otpkey - required - the hmac Key of the token
- genkey - required - =1, if key should be generated. We either need otpkey or genkey
- keysize - optional - either 20 or 32. Default is 20
- serial - required - the serial number / identifier of the token
- description - optional
- pin - optional - the pin of the user pass
- user - optional - login user name
- realm - optional - realm of the user
- type - optional - the type of the token
- tokenrealm - optional - the realm a token should be put into
- otplen - optional - length of the OTP value
- hashlib - optional - used hashlib sha1 oder sha256
- ocra arguments:
for generating OCRA Tokens type=ocra you can specify the following parameters:
- ocrasuite - optional - if you do not want to use the default ocra suite OCRA-1:HOTP-SHA256-8:QA64
- sharedsecret - optional - if you are in Step0 of enrolling an OCRA/QR token the sharedsecret=1 specifies, that you want to generate a shared secret
- activationcode - optional - if you are in Step1 of enrolling an OCRA token you need to pass the activation code, that was generated in the QRTAN-App
- returns:
- a json result with a boolean
- “result”: true
- exception:
- if an error occurs an exception is serialized and returned
- loadtokens()[source]¶
- method:
- admin/loadtokens
- description:
- loads a whole token file to the server
- arguments:
- file - the file in a post request
- type - the file type.
- returns:
- a json result with a boolean
- “result”: true
- exception:
- if an error occurs an exception is serialized and returned
- losttoken()[source]¶
- method:
- admin/losttoken
- description:
- creates a new password token and copies the PIN and the user of the old token to the new token. The old token is disabled.
- arguments:
- serial - serial of the old token
- returns:
- a json result with the new serial an the password
- exception:
- if an error occurs an exception is serialized and returned
- remove()[source]¶
- method:
- admin/remove
- description:
- deletes either a certain token given by serial or all tokens of a user
- arguments:
- serial - optional
- user - optional
- returns:
- a json result with a boolean
- “result”: true
- exception:
- if an error occurs an exception is serialized and returned
- reset()[source]¶
- method:
- admin/reset
- description:
- reset the FailCounter of a Token
- arguments:
- user or serial - to identify the tokens
- returns:
- a json result with a boolean
- “result”: true
- exception:
- if an error occurs an exception is serialized and returned
- resync()[source]¶
- method:
- admin/resync - resync a token to a new counter
- description:
- this function resync the token, if the counter on server side is out of sync with the physica token.
- arguments:
- serial - serial or user required
- user - s.o.
- otp1 - the next otp to be found
- otp2 - the next otp after the otp1
- returns:
- a json result with a boolean
- “result”: true
- exception:
- if an error occurs an exception is serialized and returned
- set()[source]¶
- method:
- admin/set
- description:
- this function is used to set many different values of a token.
- arguments:
- serial - optional
- user - optional
- pin - optional - set the OTP PIN
- MaxFailCount - optional - set the maximum fail counter of a token
- SyncWindow - optional - set the synchronization window of the token
- OtpLen - optional - set the OTP Lenght of the token
- CounterWindow - optional - set the counter window (blank presses)
- hashlib - optioanl - set the hashing algo for HMAC tokens. This can be sha1, sha256, sha512
- timeWindow - optional - set the synchronize window for timebased tokens (in seconds)
- timeStep - optional - set the timestep for timebased tokens (usually 30 or 60 seconds)
- timeShift - optional - set the shift or timedrift of this token
- countAuthSuccessMax - optional - set the maximum allowed successful authentications
- countAuthSuccess - optional - set the counter of the successful authentications
- countAuth - optional - set the counter of authentications
- countAuthMax - optional - set the maximum allowed authentication tries
- validityPeriodStart - optional - set the start date of the validity period. The token can not be used before this date
- validityPeriodEnd - optional - set the end date of the validaity period. The token can not be used after this date
- phone - set the phone number for an SMS token
- returns:
- a json result with a boolean
- “result”: true
- exception:
- if an error occurs an exception is serialized and returned
- setPin()[source]¶
- method:
- admin/set
- description:
- This function sets the smartcard PINs of a eTokenNG OTP. The userpin is used to store the mOTP PIN of mOTP tokens! !!! For setting the OTP PIN, use the function /admin/set!
- arguments:
- serial - required
- userpin - optional: store the userpin
- sopin - optional: store the sopin
- returns:
- a json result with a boolean
- “result”: true
- exception:
- if an error occurs an exception is serialized and returned
- show()[source]¶
- method:
- admin/show
- description:
- displays the list of the available tokens
- arguments:
- serial - optional: only this serial will be displayed
- user - optional: only the tokens of this user will be displayed. If the user does not exist, linotp will search tokens of users, who contain this substring. TODO: This can be very time consuming an will be changed in the next release to use wildcards.
- filter - optional: takes a substring to search in table token columns
- viewrealm - optional: takes a realm, only the tokens in this realm will be displayed
- sortby - optional: sort the output by column
- sortdir - optional: asc/desc
- page - optional: reqeuest a certain page
- pagesize- optional: limit the number of returned tokens
- user_fields - optional: additional user fields from the userid resolver of the owner (user)
- outform - optional: if set to “csv”, than the token list will be given in CSV
- returns:
- a json result with: { “head”: [], “data”: [ [row1], [row2] .. ] }
- exception:
- if an error occurs an exception is serialized and returned
- testresolver()[source]¶
- method:
- admin/testresolver
- description:
- This method tests a useridresolvers configuration
- arguments:
- type - “LDAP”: depending on the type there are other parameters:
- “SQL”
- LDAP:
- BINDDN
- BINDPW
- LDAPURI
- TIMEOUT
- LDAPBASE
- LOGINNAMEATTRIBUTE
- LDAPSEARCHFILTER
- LDAPFILTER
- USERINFO
- LDAPSEARCHFILTER
- SIZELIMIT
- NOREFERRALS
- CACERTIFICATE
- SQL:
- Driver
- Server
- Port
- Database
- User
- Password
- Table
- returns:
- a json result with a boolean
- “result”: true
- exception:
- if an error occurs an exception is serialized and returned
- tokenrealm()[source]¶
- method:
- admin/tokenrealm - set the realms a token belongs to
- description:
- sets the realms of a token
- arguments:
- serial - required - serialnumber of the token
- realms - required - comma seperated list of realms
- unassign()[source]¶
- method:
- admin/unassign - remove the assigned user from the token
- description:
- unassigns a token from a user. i.e. the binding between the token and the user is removed
- arguments:
- serial - required - the serial number / identifier of the token
- user - optional
- returns:
- a json result with a boolean
- “result”: true
- exception:
- if an error occurs an exception is serialized and returned
- userlist()[source]¶
- method:
- admin/userlist - list all users
- description:
- lists the user in a realm
- arguments:
- <searchexpr> - will be retrieved from the UserIdResolverClass
- realm - a realm, which is a collection of resolver configurations
- resConf - a destinct resolver configuration
- returns:
- a json result with a boolean
- “result”: true
- exception:
- if an error occurs an exception is serialized and returned