5.2. Administrative Interfaces

Note

You can add the parameter httperror, followed by an HTTP error code, to every management controller. Where LinOTP would otherwise return HTTP 200/OK with status: false in the JSON response (indicating an internal error), it will instead return the given error code, e.g. HTTP 500.

5.2.1. Admin Interface

Managing tokens can be performed via an HTTPS interface, just like authentication via /validate/check and /validate/simplecheck. The main API is located at the controller /admin, which provides functions such as these:

  • /admin/init: Enroll token
  • /admin/enable: Enable token
  • /admin/disable: Disable token
  • /admin/show: List tokens
  • /admin/delete: Delete tokens

Other controllers are

  • /manage: provides the Web UI.
  • /system: provides the functions to configure the LinOTP server.
  • /license: provides the functions to set and get license information.
  • /audit: provides the functions for the audit trail.

5.2.1.1. Orphaned tokens

Orphaned tokens are tokens that are still assigned to a user, but whose user object was deleted from the user database.

Using the method /admin/show you can also view such orphaned tokens by calling:

/admin/show?user='/:no%20user%20info:/'

You can also find tokens that have no user assigned, or tokens that are assigned to no realm:

/admin/show?user=''

/admin/show?realm=''

5.2.2. Admin Controller

See documentation for AdminController class: linotp.controllers.admin.AdminController

5.2.3. System Controller

See documentation for SystemController class: linotp.controllers.system.SystemController

5.2.4. Session protection

Starting with LinOTP 2.4.1 the API provides additional session protection. This means that every function that changes data must pass an additional session parameter among the URL parameters, like this:

If the session is not passed, the server responds with 401 Not authenticated. To get such a session, the client needs to send a session request:

This sets a cookie in the client's cookie store, which also needs to be passed with every request. Thus the client must pass both the cookie and the session parameter. The server compares the two values and only performs the requested action if they are the same.

5.2.4.1. Disabling session protection

You may disable session protection. Please note that you should not do this when accessing LinOTP with a web browser, and you should only disable it if you fully understand what you are doing.

In /etc/linotp2/linotp.ini add the following line to the DEFAULT section:

linotpNoSessionCheck = 10.1.2.3, 192.168.0.0/24

You can add any number of IP addresses or subnets in CIDR notation, separated by commas.
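The check described in 5.2.4 (cookie and session parameter must match) together with the linotpNoSessionCheck exemption from 5.2.4.1, as an added illustration in Python; this is not LinOTP's own code, and the cookie name admin_session, the request shape and the sample addresses are assumptions:

```python
import hmac
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the linotp.ini setting; LinOTP reads it from the DEFAULT section.
NO_SESSION_CHECK = "10.1.2.3, 192.168.0.0/24"


def parse_no_session_check(value):
    """Parse the comma separated list of IPs / CIDR subnets into network objects."""
    nets = []
    for item in value.split(","):
        item = item.strip()
        if item:
            # A bare address such as 10.1.2.3 becomes a /32 network.
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def client_exempt(client_ip, nets):
    """True if the client address falls into any exempted network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in nets)


def check_session(url, cookies, client_ip, exempt_nets=()):
    """Return 200 if the request passes the session check, 401 otherwise."""
    if client_exempt(client_ip, exempt_nets):
        return 200  # session protection disabled for this source address
    params = parse_qs(urlsplit(url).query)
    session_param = params.get("session", [None])[0]
    session_cookie = cookies.get("admin_session")  # cookie name is an assumption
    if not session_param or not session_cookie:
        return 401  # no session passed: "401 Not authenticated"
    # Constant-time comparison so the check does not leak matching prefixes.
    if not hmac.compare_digest(session_param, session_cookie):
        return 401
    return 200
```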