Note: this component is designated "advanced", which means that objects of this type are not expected to be created or altered in most environments. If you believe that such a change is necessary, you may want to contact support in order to understand the potential impact of that change.
The UnboundID Yubikey OTP SASL Mechanism Handler may be used to perform single-factor or two-factor authentication against the Directory Server using a time-based one-time password generated by a YubiKey device.
YubiKey devices need to be registered with the Directory Server before they can be used for authentication. Devices can be registered using the "register YubiKey OTP device" extended operation (or the register-yubikey-otp-device command-line tool that uses this operation), or by updating the target user's entry to include the public ID of the desired YubiKey device (for a 44-character one-time password generated by a YubiKey device, the first 12 characters will be the public ID) in the ds-auth-yubikey-public-id operational attribute.
Once a YubiKey OTP device has been registered with the server for a particular user, that device can be used to authenticate via the UNBOUNDID-YUBIKEY-OTP SASL mechanism. This UnboundID Yubikey OTP SASL Mechanism Handler can be configured to require both the YubiKey one-time password and the user's static password (which would constitute two-factor authentication) or to require just the YubiKey one-time password (which would constitute single-factor authentication). By default, both the one-time password and the static password will be required.
The UnboundID Yubikey OTP SASL Mechanism Handler component inherits from the SASL Mechanism Handler
The following components have a direct aggregation relation from UnboundID Yubikey OTP SASL Mechanism Handlers:
The properties supported by this managed object are as follows:
| Description | A description for this SASL Mechanism Handler |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Indicates whether the SASL mechanism handler is enabled for use. |
| Default Value | None |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Description | The client ID to include in requests to the YubiKey validation server. A client ID and API key may be obtained for free from https://upgrade.yubico.com/getapikey/. |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | The API key needed to verify signatures generated by the YubiKey validation server. A client ID and API key may be obtained for free from https://upgrade.yubico.com/getapikey/. |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
yubikey-api-key-passphrase-provider
| Description | The passphrase provider to use to obtain the API key needed to verify signatures generated by the YubiKey validation server. A client ID and API key may be obtained for free from https://upgrade.yubico.com/getapikey/. |
| Default Value | None |
| Allowed Values | The DN of any Passphrase Provider. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | A reference to an HTTP proxy server that should be used for requests sent to the YubiKey validation service. |
| Default Value | No HTTP proxy server will be used. |
| Allowed Values | The DN of any HTTP Proxy External Server. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | The maximum length of time to wait to obtain an HTTP connection. |
| Default Value | 30 s |
| Allowed Values | A duration. Lower limit is 1 milliseconds. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | The maximum length of time to wait for a response to an HTTP request. |
| Default Value | 30 s |
| Allowed Values | A duration. Lower limit is 1 milliseconds. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | The identity mapper that should be used to identify the user(s) targeted in the authentication and/or authorization identities contained in the bind request. This will only be used for "u:"-style identities. |
| Default Value | None |
| Allowed Values | The DN of any Identity Mapper. If this UnboundID Yubikey OTP SASL Mechanism Handler is enabled, then the associated identity mapper must also be enabled. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Description | Indicates whether a user will be required to provide a static password when authenticating via the UNBOUNDID-YUBIKEY-OTP SASL mechanism. If a static password is required, then this SASL mechanism constitutes a form of multifactor authentication, since both the static password and the one-time password will be required for successful authentication. If a static password is not required, then users will be allowed to authenticate with only a one-time password. |
| Default Value | true |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Specifies which key manager provider should be used to obtain a client certificate to present to the validation server when performing HTTPS communication. This may be left undefined if communication will not be secured with HTTPS, or if there is no need to present a client certificate to the validation service. |
| Default Value | None |
| Allowed Values | The DN of any Key Manager Provider. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Specifies which trust manager provider should be used to determine whether to trust the certificate presented by the server when performing HTTPS communication. This may be left undefined if HTTPS communication is not needed, or if the validation service presents a certificate that is trusted by the default JVM configuration (which should be the case for the validation servers that Yubico provides, but may not be the case if an alternate validation server is configured). |
| Default Value | None |
| Allowed Values | The DN of any Trust Manager Provider. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
yubikey-validation-server-base-url (Advanced Property)
| Description | The base URL of the validation server to use to verify one-time passwords. You should only need to change the value if you wish to use your own validation server instead of using one of the Yubico servers. The server must use the YubiKey Validation Protocol version 2.0. |
| Default Value | https://api.yubico.com/wsapi/2.0/verify https://api2.yubico.com/wsapi/2.0/verify https://api3.yubico.com/wsapi/2.0/verify https://api4.yubico.com/wsapi/2.0/verify https://api5.yubico.com/wsapi/2.0/verify |
| Allowed Values | A string |
| Multi-Valued | Yes |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
To list the configured SASL Mechanism Handlers:
dsconfig list-sasl-mechanism-handlers
[--property {propertyName}] ...
To view the configuration for an existing SASL Mechanism Handler:
dsconfig get-sasl-mechanism-handler-prop
--handler-name {name}
[--tab-delimited]
[--script-friendly]
[--property {propertyName}] ...
To update the configuration for an existing SASL Mechanism Handler:
dsconfig set-sasl-mechanism-handler-prop
--handler-name {name}
(--set|--add|--remove) {propertyName}:{propertyValue}
[(--set|--add|--remove) {propertyName}:{propertyValue}] ...