Note: this component is designated "advanced", which means that objects of this type are not expected to be created or altered in most environments. If you believe that such a change is necessary, you may want to contact support in order to understand the potential impact of that change.
The UnboundID Delivered OTP SASL Mechanism Handler provides a mechanism for performing multifactor authentication using a one-time password (OTP) that has been delivered to the user via some out-of-band channel (e.g., e-mail or SMS).
The deliver one-time password extended operation should be used to cause the one-time password to be sent to the user. See the documentation for the deliver OTP extended operation handler for more details on how it operates.
Once the end user has received the one-time password (which will only be delivered to them after the server has identified the user and verified their static password), the user may then authenticate using the UNBOUNDID-DELIVERED-OTP SASL mechanism. The credentials for this SASL bind request include the following elements:
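The two-step flow described above, as an added client-side example (not part of the original page or the product's own code). It assumes the UnboundID LDAP SDK for Java is on the classpath. The host name, port and the `u:jdoe` identity are constructed placeholders.

```java
import java.io.Console;
import com.unboundid.ldap.sdk.BindResult;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.unboundidds.UnboundIDDeliveredOTPBindRequest;
import com.unboundid.ldap.sdk.unboundidds.extensions.DeliverOneTimePasswordExtendedRequest;
import com.unboundid.ldap.sdk.unboundidds.extensions.DeliverOneTimePasswordExtendedResult;
import com.unboundid.util.ssl.SSLUtil;

public final class DeliveredOtpLogin {
  public static void main(String[] args) throws Exception {
    Console console = System.console();
    if (console == null) {
      throw new IllegalStateException("Run from an interactive terminal.");
    }
    // Constructed identity. The "u:" form is resolved by the handler's
    // identity-mapper; a "dn:" form names the entry directly.
    String authID = "u:jdoe";

    // TLS with the JVM default trust store, so the static password and the
    // OTP are never sent in the clear. Host and port are placeholders.
    SSLUtil sslUtil = new SSLUtil();
    try (LDAPConnection conn = new LDAPConnection(
             sslUtil.createSSLSocketFactory(), "ds.example.com", 636)) {

      // Step 1: the server verifies the static password, then delivers the OTP.
      String staticPw = new String(console.readPassword("Static password: "));
      DeliverOneTimePasswordExtendedResult delivery =
          (DeliverOneTimePasswordExtendedResult) conn.processExtendedOperation(
              new DeliverOneTimePasswordExtendedRequest(authID, staticPw));
      if (delivery.getResultCode() != ResultCode.SUCCESS) {
        System.err.println("OTP not delivered: " + delivery.getResultCode());
        return;
      }
      System.out.println("OTP sent via " + delivery.getDeliveryMechanism());

      // Step 2: bind with UNBOUNDID-DELIVERED-OTP. This must happen within
      // otp-validity-duration; after that the OTP is no longer valid.
      String otp = new String(console.readPassword("One-time password: "));
      try {
        BindResult bind = conn.bind(
            new UnboundIDDeliveredOTPBindRequest(authID, null, otp));
        System.out.println("Bind result: " + bind.getResultCode());
      } catch (LDAPException e) {
        System.err.println("OTP bind rejected: " + e.getResultCode());
      }
    }
  }
}
```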
The UnboundID Delivered OTP SASL Mechanism Handler component inherits from the SASL Mechanism Handler.
The following components have a direct aggregation relation from UnboundID Delivered OTP SASL Mechanism Handlers:
The properties supported by this managed object are as follows:
Basic Properties: | Advanced Properties: |
---|---|
description | None |
enabled | |
identity-mapper | |
otp-validity-duration | |
Property | description |
---|---|
Description | A description for this SASL Mechanism Handler |
Default Value | None |
Allowed Values | A string |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
Property | enabled |
---|---|
Description | Indicates whether the SASL mechanism handler is enabled for use. |
Default Value | None |
Allowed Values | true, false |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
Property | identity-mapper |
---|---|
Description | The identity mapper that should be used to identify the user(s) targeted in the authentication and/or authorization identities contained in the bind request. This will only be used for "u:"-style identities. |
Default Value | None |
Allowed Values | The DN of any Identity Mapper. If this UnboundID Delivered OTP SASL Mechanism Handler is enabled, then the associated identity mapper must also be enabled. |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
Property | otp-validity-duration |
---|---|
Description | The maximum length of time that a one-time password value should be considered valid. |
Default Value | 5 minutes |
Allowed Values | A duration. Lower limit is 1 millisecond. |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
To list the configured SASL Mechanism Handlers:
dsconfig list-sasl-mechanism-handlers [--property {propertyName}] ...
To view the configuration for an existing SASL Mechanism Handler:
dsconfig get-sasl-mechanism-handler-prop --handler-name {name} [--tab-delimited] [--script-friendly] [--property {propertyName}] ...
To update the configuration for an existing SASL Mechanism Handler:
dsconfig set-sasl-mechanism-handler-prop --handler-name {name} (--set|--add|--remove) {propertyName}:{propertyValue} [(--set|--add|--remove) {propertyName}:{propertyValue}] ...
To create a new UnboundID Delivered OTP SASL Mechanism Handler:
dsconfig create-sasl-mechanism-handler --handler-name {name} --type unboundid-delivered-otp --set enabled:{propertyValue} --set identity-mapper:{propertyValue} [--set {propertyName}:{propertyValue}] ...
To delete an existing SASL Mechanism Handler:
dsconfig delete-sasl-mechanism-handler --handler-name {name}