lemonldap-ng/doc/sources/admin/external2f.rst

External Second Factor
======================

This basic plugin can be used to add a second factor authentication
device (SMS, OTP,...). It uses external commands to send or validate a
second factor. Any language is allowed to call your 2nd factor system.

Commands
--------

Commands receive arguments on command line and must return a 0 code if
succeed, another else. **Nothing must be written to STDOUT**, STDERR is
reported in logs (but may be lost with FastCGI server).

Configuration
~~~~~~~~~~~~~

All parameters are configured in "General Parameters » Portal Parameters
» Extensions » External 2nd Factor".

-  **Activation**
-  **Code regex**: regular expression to create an OTP code. Let this
   option blank to delegate code Generation / Verification to an
   external provider
-  **Send command**: define your command using *$attribute* like in
   rules. Example: ``/usr/local/bin/sendOtp --uid $uid`` or
   ``/usr/local/bin/sendCode --uid $uid --code $code`` if code is
   generated by the Portal
-  **Validation command**: Required ONLY if you delegate code Generation
   / Verification to an external provider. You must also use *$code*
   which is the value entered by user; Example:
   ``/usr/local/bin/verify --uid $uid --code $code``
-  **Re-send interval**: Set this to a non-empty value to allow the user to
   re-send the code in case a transmission error occured. The value sets how
   many seconds the user has to wait before each attempt
-  **Authentication level** (Optional): if you want to overwrite the
   value sent by your authentication module, you can define here the new
   authentication level. Example: 5
-  **Label** (Optional): label that should be displayed to the user on
   the choice screen
-  **Logo** (Optional): logo file (in static/<skin> directory)


.. attention::

    The command line is split in an array and launched with
    exec(). So you don't need to enclose arguments in quotes to  protect your
    system against shell injection. However, you can not use any space except
    to separate arguments.

SELinux note
^^^^^^^^^^^^

If your server is enforcing SELinux policies, make sure your external
script has a label that is allowed to be executed by ``httpd``.

For example, storing your script in ``/usr/local/bin/`` will give it a
``bin_t`` label that will work correctly.

If your script has a ``httpd_sys_script_exec_t`` type, it will only be
able to do external network requests if the SELinux boolean
``httpd_can_network_connect`` is enabled.

If your script has any other label, it will probably not work at all.
First version of imported doc (#1646) 2020-05-14 23:29:41 +02:00			`External Second Factor`
			`======================`

			`This basic plugin can be used to add a second factor authentication`
			`device (SMS, OTP,...). It uses external commands to send or validate a`
			`second factor. Any language is allowed to call your 2nd factor system.`

			`Commands`
			`--------`

			`Commands receive arguments on command line and must return a 0 code if`
			`succeed, another else. Nothing must be written to STDOUT, STDERR is`
doc: fix formatting 2020-05-18 09:56:39 +02:00			`reported in logs (but may be lost with FastCGI server).`
First version of imported doc (#1646) 2020-05-14 23:29:41 +02:00
			`Configuration`
			`~~~~~~~~~~~~~`

			`All parameters are configured in "General Parameters » Portal Parameters`
			`» Extensions » External 2nd Factor".`

			`- Activation`
Sort SF options, fix langs & update doc 2021-11-26 20:50:23 +01:00			`- Code regex: regular expression to create an OTP code. Let this`
First version of imported doc (#1646) 2020-05-14 23:29:41 +02:00			`option blank to delegate code Generation / Verification to an`
			`external provider`
			`- Send command: define your command using $attribute like in`
			rules. Example: ``/usr/local/bin/sendOtp --uid $uid`` or
			``/usr/local/bin/sendCode --uid $uid --code $code`` if code is
			`generated by the Portal`
			`- Validation command: Required ONLY if you delegate code Generation`
			`/ Verification to an external provider. You must also use $code`
			`which is the value entered by user; Example:`
			``/usr/local/bin/verify --uid $uid --code $code``
Documentation for #2762 2022-06-20 15:30:06 +02:00			`- Re-send interval: Set this to a non-empty value to allow the user to`
			`re-send the code in case a transmission error occured. The value sets how`
			`many seconds the user has to wait before each attempt`
First version of imported doc (#1646) 2020-05-14 23:29:41 +02:00			`- Authentication level (Optional): if you want to overwrite the`
			`value sent by your authentication module, you can define here the new`
			`authentication level. Example: 5`
			`- Label (Optional): label that should be displayed to the user on`
			`the choice screen`
Sort SF options, fix langs & update doc 2021-11-26 20:50:23 +01:00			`- Logo (Optional): logo file (in static/<skin> directory)`
First version of imported doc (#1646) 2020-05-14 23:29:41 +02:00

doc: fix markup 2020-05-21 15:13:24 +02:00			`.. attention::`
First version of imported doc (#1646) 2020-05-14 23:29:41 +02:00
			`The command line is split in an array and launched with`
doc: fix formatting 2020-05-18 09:56:39 +02:00			`exec(). So you don't need to enclose arguments in quotes to protect your`
			`system against shell injection. However, you can not use any space except`
			`to separate arguments.`
First version of imported doc (#1646) 2020-05-14 23:29:41 +02:00
			`SELinux note`
			`^^^^^^^^^^^^`

			`If your server is enforcing SELinux policies, make sure your external`
			script has a label that is allowed to be executed by ``httpd``.

			For example, storing your script in ``/usr/local/bin/`` will give it a
			``bin_t`` label that will work correctly.

			If your script has a ``httpd_sys_script_exec_t`` type, it will only be
			`able to do external network requests if the SELinux boolean`
			``httpd_can_network_connect`` is enabled.

			`If your script has any other label, it will probably not work at all.`