UnboundID Yubikey OTP SASL Mechanism Handler

Note: this component is designated "advanced", which means that objects of this type are not expected to be created or altered in most environments. If you believe that such a change is necessary, you may want to contact support in order to understand the potential impact of that change.

The UnboundID Yubikey OTP SASL Mechanism Handler may be used to perform single-factor or two-factor authentication against the Directory Server using a time-based one-time password generated by a YubiKey device.

YubiKey devices need to be registered with the Directory Server before they can be used for authentication. Devices can be registered using the "register YubiKey OTP device" extended operation (or the register-yubikey-otp-device command-line tool that uses this operation), or by updating the target user's entry to include the public ID of the desired YubiKey device (for a 44-character one-time password generated by a YubiKey device, the first 12 characters will be the public ID) in the ds-auth-yubikey-public-id operational attribute.
Once a YubiKey OTP device has been registered with the server for a particular user, that device can be used to authenticate via the UNBOUNDID-YUBIKEY-OTP SASL mechanism. This UnboundID Yubikey OTP SASL Mechanism Handler can be configured to require both the YubiKey one-time password and the user's static password (which would constitute two-factor authentication) or to require just the YubiKey one-time password (which would constitute single-factor authentication). By default, both the one-time password and the static password will be required.

Parent Component Relations from This Component Properties dsconfig Usage

Parent Component

The UnboundID Yubikey OTP SASL Mechanism Handler component inherits from the SASL Mechanism Handler

Relations from This Component

The following components have a direct aggregation relation from UnboundID Yubikey OTP SASL Mechanism Handlers:

Properties

The properties supported by this managed object are as follows:


Basic Properties: Advanced Properties:
 description  yubikey-validation-server-base-url
 enabled
 yubikey-client-id
 yubikey-api-key
 yubikey-api-key-passphrase-provider
 http-proxy-external-server
 http-connect-timeout
 http-response-timeout
 identity-mapper
 require-static-password
 key-manager-provider
 trust-manager-provider

Basic Properties

description

Description
A description for this SASL Mechanism Handler
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

enabled

Description
Indicates whether the SASL mechanism handler is enabled for use.
Default Value
None
Allowed Values
true
false
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

yubikey-client-id

Description
The client ID to include in requests to the YubiKey validation server. A client ID and API key may be obtained for free from https://upgrade.yubico.com/getapikey/.
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

yubikey-api-key

Description
The API key needed to verify signatures generated by the YubiKey validation server. A client ID and API key may be obtained for free from https://upgrade.yubico.com/getapikey/.
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

yubikey-api-key-passphrase-provider

Description
The passphrase provider to use to obtain the API key needed to verify signatures generated by the YubiKey validation server. A client ID and API key may be obtained for free from https://upgrade.yubico.com/getapikey/.
Default Value
None
Allowed Values
The DN of any Passphrase Provider.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

http-proxy-external-server

Description
A reference to an HTTP proxy server that should be used for requests sent to the YubiKey validation service.
Default Value
No HTTP proxy server will be used.
Allowed Values
The DN of any HTTP Proxy External Server.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

http-connect-timeout

Description
The maximum length of time to wait to obtain an HTTP connection.
Default Value
30 s
Allowed Values
A duration. Lower limit is 1 milliseconds.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

http-response-timeout

Description
The maximum length of time to wait for a response to an HTTP request.
Default Value
30 s
Allowed Values
A duration. Lower limit is 1 milliseconds.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

identity-mapper

Description
The identity mapper that should be used to identify the user(s) targeted in the authentication and/or authorization identities contained in the bind request. This will only be used for "u:"-style identities.
Default Value
None
Allowed Values
The DN of any Identity Mapper. If this UnboundID Yubikey OTP SASL Mechanism Handler is enabled, then the associated identity mapper must also be enabled.
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

require-static-password

Description
Indicates whether a user will be required to provide a static password when authenticating via the UNBOUNDID-YUBIKEY-OTP SASL mechanism. If a static password is required, then this SASL mechanism constitutes a form of multifactor authentication, since both the static password and the one-time password will be required for successful authentication. If a static password is not required, then users will be allowed to authenticate with only a one-time password.
Default Value
true
Allowed Values
true
false
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

key-manager-provider

Description
Specifies which key manager provider should be used to obtain a client certificate to present to the validation server when performing HTTPS communication. This may be left undefined if communication will not be secured with HTTPS, or if there is no need to present a client certificate to the validation service.
Default Value
None
Allowed Values
The DN of any Key Manager Provider.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

trust-manager-provider

Description
Specifies which trust manager provider should be used to determine whether to trust the certificate presented by the server when performing HTTPS communication. This may be left undefined if HTTPS communication is not needed, or if the validation service presents a certificate that is trusted by the default JVM configuration (which should be the case for the validation servers that Yubico provides, but may not be the case if an alternate validation server is configured).
Default Value
None
Allowed Values
The DN of any Trust Manager Provider.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action


Advanced Properties

yubikey-validation-server-base-url (Advanced Property)

Description
The base URL of the validation server to use to verify one-time passwords. You should only need to change the value if you wish to use your own validation server instead of using one of the Yubico servers. The server must use the YubiKey Validation Protocol version 2.0.
Default Value
https://api.yubico.com/wsapi/2.0/verify
https://api2.yubico.com/wsapi/2.0/verify
https://api3.yubico.com/wsapi/2.0/verify
https://api4.yubico.com/wsapi/2.0/verify
https://api5.yubico.com/wsapi/2.0/verify
Allowed Values
A string
Multi-Valued
Yes
Required
Yes
Admin Action Required
None. Modification requires no further action


dsconfig Usage

To list the configured SASL Mechanism Handlers:

dsconfig list-sasl-mechanism-handlers
     [--property {propertyName}] ...

To view the configuration for an existing SASL Mechanism Handler:

dsconfig get-sasl-mechanism-handler-prop
     --handler-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing SASL Mechanism Handler:

dsconfig set-sasl-mechanism-handler-prop
     --handler-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...