7.5 Configuration

To provision an eDirectory user for HOTP-based authentication, configure the following settings in accordance with the RFC 4226 standard.

To execute the nmashotpconf utility, perform the following steps:

  1. Specify the directory where you unzipped the NMAS HOTP utility.

    The unzipped file contains the linux and linux_x64 directories for 32-bit and 64-bit Linux machines, respectively.

    The linux and linux_x64 directories contain the nmashotpconf executable and libnmasext.so files.

  2. On a 32-bit Linux machine, go to the linux/final directory; on a 64-bit Linux machine, go to the linux_x64/final directory.

  3. Download the trusted root certificate and store it locally.

    Refer to the Exporting a Trusted Root or Public Key Certificate section in the Novell Certificate Server 3.3 Administration Guide.

    The utility has the following syntax:

      nmashotpconf -h <host_name> [-p <ssl_port>] -D <login_dn> [-w <password>]
          -e <trusted_cert> -t <cert_type> [-r <resync_window>] [-y <user_resync_window>]
          [-u <hotp_dn> [-o <hotp_options>] [-d <digits>] [-c <counter>]
          [-s <secret> -f <secret_format>]]

    Option               Description

    host_name            Specifies the LDAP server name or the IP address of the server.

    ssl_port             Specifies the SSL port on the LDAP server. The default value is 636.

    login_dn             Specifies the DN for the user.

    password             Specifies the password for the user DN.

    trusted_cert         Specifies the trusted root certificate file.

    cert_type            Specifies the encoding type of the trusted root certificate file:
                         DER for a DER-encoded file, B64 for a Base64-encoded file.

    digits               Specifies the number of digits in the HOTP value.
                         NOTE: This setting is applicable to all the users in the tree.

    resync_window        Specifies the counter re-synchronization look-ahead window.

    user_resync_window   Specifies the per-user counter re-synchronization look-ahead window.

    hotp_dn              Specifies the target DN whose HOTP attributes you are configuring.
                         To configure HOTP at the tree level (enable or disable HOTP, or
                         set the number of digits for the whole tree), specify the DN
                         cn=Login Policy,cn=Security.

    hotp_options         Enables or disables HOTP on the hotp_dn object. Specify ENABLE to
                         enable HOTP, or DISABLE to disable it.

    counter              Specifies the HOTP counter value. The valid range is 0 to
                         2147483647. The counter is set on the object given by hotp_dn.

    secret               Specifies the OATH HOTP secret. For example, the raw byte value
                         of the secret in hexadecimal is
                         3132333435363738393031323334353637383930, and the corresponding
                         ASCII/Extended ASCII string is 12345678901234567890.

    secret_format        Specifies the format of the OATH HOTP secret:
                         • STRING: an ASCII/Extended ASCII string, for example
                           12345678901234567890.
                         • RAW: raw byte values in hexadecimal, for example
                           3132333435363738393031323334353637383930, where the
                           hexadecimal value of the first character is 31, the value of
                           the second character is 32, and so on.

    Examples:

    • To configure a secret and a counter on the user object, run the following command:

      ./nmashotpconf -h 164.99.91.165 -p 636 -D cn=admin,o=novell -w novell -e /var/opt/novell/eDirectory/data/SSCert.der -t DER -u cn=user1,o=novell -c 0 -s 3132333435363738393031323334353637383930 -f RAW

    • To enable the OTP for a user object, run the following command:

      ./nmashotpconf -h 164.99.91.165 -p 636 -D cn=admin,o=novell -w novell -e /var/opt/novell/eDirectory/data/SSCert.der -t DER -u cn=user1,o=novell -o ENABLE

    • To disable the OTP for a user object, run the following command:

      ./nmashotpconf -h 164.99.91.165 -p 636 -D cn=admin,o=novell -w novell -e /var/opt/novell/eDirectory/data/SSCert.der -t DER -u cn=user1,o=novell -o DISABLE

      Similarly, you can enable or disable the OTP for a container/partition or for the root/Login Policy object.

    • To configure the number of OTP digits for a user object, run the following command:

      ./nmashotpconf -h 164.99.91.165 -p 636 -D cn=admin,o=novell -w novell -e /var/opt/novell/eDirectory/data/SSCert.der -t DER -u cn=user1,o=novell -d 6

      Similarly, you can set the number of OTP digits for a parent container, a partition root, or the Login Policy object.

    • To configure the user re-synchronization window, run the following command:

      ./nmashotpconf -h 164.99.91.165 -p 636 -D cn=admin,o=novell -w novell -y 5 -e /var/opt/novell/eDirectory/data/SSCert.der -t DER -u cn=user1,o=novell

    • To configure the counter re-synchronization look-ahead window, run the following command:

      ./nmashotpconf -h 164.99.91.165 -p 636 -D cn=admin,o=novell -w novell -r 6
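    As an added illustration (not part of the original documentation and not code from the nmashotpconf utility), the following Python computes the RFC 4226 HOTP value from the secret, counter and digits described above, and verifies a submitted value against a stored counter using a look-ahead window of the kind the -r and -y options configure. The secret and counter values are the page's examples; the function names are assumptions made for this example.

```python
import hashlib
import hmac
import struct

# Constructed from the page's example: the RAW secret
# 3132333435363738393031323334353637383930 is the ASCII string
# "12345678901234567890" (which is also the RFC 4226 test-vector key).
SECRET_RAW_HEX = "3132333435363738393031323334353637383930"
SECRET_STRING = "12345678901234567890"


def secret_bytes(value: str, secret_format: str) -> bytes:
    """Decode a secret given in the page's STRING or RAW format."""
    if secret_format == "RAW":
        return bytes.fromhex(value)
    if secret_format == "STRING":
        return value.encode("latin-1")  # ASCII/Extended ASCII: one byte per character
    raise ValueError("secret_format must be STRING or RAW")


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to a 31-bit integer, then reduce modulo 10^digits."""
    if not 0 <= counter <= 2147483647:  # the counter range the page gives
        raise ValueError("counter out of range")
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_with_resync(secret: bytes, stored_counter: int, candidate: str,
                       digits: int = 6, resync_window: int = 0):
    """Server-side check: accept the submitted value if it matches the stored
    counter or any of the next resync_window counters (the look-ahead window),
    and return the counter to store next. Counters behind the stored one are
    never tried, so a value that was already used cannot be replayed.
    Returns None when nothing in the window matches."""
    for c in range(stored_counter, stored_counter + resync_window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c + 1
    return None
```

    With a stored counter of 0, the value for counter 2 is accepted only if the window is at least 2, and the stored counter then jumps to 3, which is what re-synchronization means in practice.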