Version 5 (modified 6 years ago)
Installing the OTP login extension
To avoid locking everybody out of BASE, it is recommended that the Password login form is enabled before starting the installation for the first time. Log in to BASE, go to the Administrate ›› Plug-ins & extensions ›› Overview page and locate the Login form customization extension point to find it. Once it has been verified that OTP login works properly, the Password login form can be disabled if desired.
Installation and updating
- Download the latest base-otp-x.y.tar.gz file from the OTP login main page.
- Unpack the downloaded file to a directory of your choice.
- If this is a FIRST-TIME INSTALLATION:
  - Create a master password used for encrypting OTP secret keys (see below)
  - Update the BASE database with additional columns in the users table (see below)
  - Make additional configuration settings (see below)
- Copy the base-otp.jar file to your BASE plug-ins directory. Look in your base.config file if you don't know where this is.
- Log in to BASE as an administrator and go to the Administrate ›› Plug-ins & Extensions ›› Overview page.
- If this is a FIRST-TIME INSTALLATION:
  - Verify that the Password login form is enabled.
- Run the installation wizard and select to install base-otp.jar.
- Done.
FIRST-TIME INSTALLATION
Before installing the OTP login extension for the first time there are a few configuration steps that must be performed. Unless otherwise noted, these steps only need to be done the first time.
A. Create a master password
The master password is used as an encryption key for encrypting the OTP secret keys that are assigned to user accounts. Note that all user accounts have their own secret keys for OTP and that they are randomly generated. Once the master password has been set it must not be changed, since that will make all existing OTP keys inaccessible¹.
- Open the base-otp.properties file.
- Change the master-password setting to some other password. The usual recommendations about password length and complexity apply.
- Move or copy the base-otp.properties file to the WEB-INF/classes directory of your BASE installation. If you have a copy in some other place, make sure that no other users can read it.
¹) If, for some reason, the master password needs to be changed, then the Users.otp_secretkey column in the database must be nullified for all user accounts. There is no built-in wizard for this, but it can be done by executing the SQL below. After the reset, all users must then re-configure their OTP setup before they can log in again.

-- For PostgreSQL; MySQL users should modify as needed
update "Users" set "otp_secretkey"=NULL;
B. Update the BASE database with additional columns in the users table
- Move or copy the otp-extended-properties.xml file to the WEB-INF/classes/extended-properties directory.
- Shut down the BASE server including any job agents.
- Run the updatedb.sh script shipped with the BASE installation. This should create additional columns in the Users table that are used to store OTP-related information.
- Restart the BASE server and job agents.
Additional configuration settings
There are some additional configuration settings that can be made in the base-otp.properties file. This step is optional. If you are installing multiple login managers on the same system you probably want to check the value of the allow-other-authentication setting. The authentication methods published by this extension are named otp-only and otp+password. You may need these names when configuring the other login managers.
Note! Since version 1.2, changes to the configuration file are automatically detected and applied. There is no longer any need to re-start the server.
login-method
Set the value to otp+password (the default) to require users to specify both the password and an OTP, or to otp-only to use only an OTP.
no-otp
Comma- or whitespace-separated list of application ids for which OTP login should be disabled. For example, if you have installed the FTP server but do not want to use OTP for that:
no-otp = net.sf.basedb.clients.ftp
require-otp
Comma- or whitespace-separated list of application ids for which OTP login is required. Users who have not configured OTP login will not be able to use those clients. For example, to force all users of the web client to use OTP:
require-otp = net.sf.basedb.clients.web
allow-other-authentication (since 1.2)
Comma- or whitespace-separated list of other authentication methods that are allowed even if a user has configured OTP. Use * as a wildcard for all other authentication methods (including password authentication). Examples:
# Also allow password authentication even if a user has OTP
allow-other-authentication = password

# Allow all other authentication methods
allow-other-authentication = *

# If the YubiKey login extension is also installed we can
# allow users to use either OTP or YubiKey
allow-other-authentication = yubikey
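As an added example (not part of the extension or of this wiki page), a small Python checker that reads a constructed base-otp.properties and flags the settings section A and this section tell you to review: a placeholder or short master-password, an application id listed in both no-otp and require-otp, and an allow-other-authentication value that lets users who have set up OTP still log in by password alone. The placeholder value "changeme", the 16-character minimum and the sample file contents are assumptions; the file-mode check covers the "no other users can read it" advice from section A.

```python
import os
import re
import stat

# Constructed sample of a base-otp.properties file (not the project's own file).
# "changeme" is an assumed placeholder for whatever default ships with the extension.
SAMPLE = """\
# base-otp.properties (constructed example)
master-password = changeme
login-method = otp+password
no-otp = net.sf.basedb.clients.ftp
require-otp = net.sf.basedb.clients.web, net.sf.basedb.clients.ftp
allow-other-authentication = *
"""

def parse_properties(text):
    """Minimal parser for 'key = value' lines; '#' and '!' start comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props

def split_list(value):
    """Comma- or whitespace-separated list, as no-otp/require-otp use."""
    return [v for v in re.split(r"[,\s]+", value.strip()) if v]

def check_otp_config(props, placeholder="changeme", min_len=16):
    """Return the findings an administrator should resolve before relying on OTP."""
    findings = []
    pw = props.get("master-password", "")
    if pw == placeholder or len(pw) < min_len:
        findings.append("master-password is the placeholder or shorter than %d chars" % min_len)
    if props.get("login-method", "otp+password") not in ("otp+password", "otp-only"):
        findings.append("login-method must be otp+password or otp-only")
    both = set(split_list(props.get("no-otp", ""))) & set(split_list(props.get("require-otp", "")))
    for app in sorted(both):
        findings.append("%s is listed in both no-otp and require-otp" % app)
    allowed = split_list(props.get("allow-other-authentication", ""))
    if "*" in allowed or "password" in allowed:
        findings.append("allow-other-authentication permits password-only login for OTP users")
    return findings

def owner_only(path):
    """True when the properties file has no group/other permission bits set."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0
```

Run check_otp_config(parse_properties(open("WEB-INF/classes/base-otp.properties").read())) against a real file; an empty list means none of the checks fired.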