Utilities and Command Line Tools for OpenOTP

1. Introduction

In this HowTo, we demonstrate the command line utilities shipped with OpenOTP and how to use them for testing, token import, reporting and monitoring.

2. OpenOTP Utilities and Scripts

The utility scripts are installed in the OpenOTP bin directory:

[root@webadm]# cd /opt/webadm/websrvs/openotp/bin
[root@webadm bin]# ll
total 44
-rwxr-xr-x 1 root root  4588  8 oct.  11:01 authtest
-rwxr-xr-x 1 root root  4927  8 oct.  11:01 pskc2inv
-rwxr-xr-x 1 root root 11384  8 oct.  11:01 report
-rwxr-xr-x 1 root root  3887  8 oct.  11:01 safenet2inv
-rwxr-xr-x 1 root root  2073  8 oct.  11:01 status

3. authtest

This script performs a test login from the console, prompting for the WebADM domain, the LDAP password and the OTP. It exercises the same OpenOTP login path as a real client, which makes it useful for checking a user's configuration without involving any client integration:

[root@webadm1 bin]# ./authtest
Enter username: administrateur
Enter domain: rcdevs.com
Enter LDAP password: password
Enter OTP password: 945796
Authentication success! 
[root@webadm1 bin]# 

4. pskc2inv

This script can be used to convert a PSKC token seed file into an inventory file supported by WebADM.

This is a PSKC file for an RC200 hardware token (sensitive information is obfuscated):

[root@webadm bin]# cat inv.xml

<?xml version="1.0" encoding="UTF-8"?>
<!--
OATH PSKC Import File for RCDevs WebADM
Generated on October 11, 2018, 11:29 am
-->

<KeyContainer Version="1.0" xmlns="urn:ietf:params:xml:ns:keyprov:pskc" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<KeyPackage>
   <DeviceInfo>
      <SerialNo>230852XXXXXXX</SerialNo>
      <Model>RCDevs RC200-T6</Model>
   </DeviceInfo>
   <Key Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:totp" Id="230852XXXXXXX">
      <AlgorithmParameters>
         <ResponseFormat Length="6" Encoding="DECIMAL"/>
      </AlgorithmParameters>
      <Data>
         <Secret>
            <PlainValue>tdxn5XXXXXXXXXXXXXXXjUxaZXc=</PlainValue>
         </Secret>
         <Time>
            <PlainValue>0</PlainValue>
         </Time>
         <TimeInterval>
            <PlainValue>30</PlainValue>
         </TimeInterval>
      </Data>
   </Key>
</KeyPackage>
</KeyContainer>
[root@webadm bin]# ./pskc2inv
WebADM Inventory converter for OATH PSKC files
Usage: pskc2inv <pskc-file> <inventory-file> [<decryption-key>]
[root@webadm bin]# ./pskc2inv inv.xml webadminventory.xml
Successfully converted 1 PSKC tokens.
[root@webadm bin]# 
[root@webadm bin]# cat webadminventory.xml

# OpenOTP Inventory export for OATH PSKC
# Generated by OpenOTP on October 11, 2018 11:32 am

"Type", "Reference", "Description", "Data"
"OTP Token", "230852XXXXXXX", "RCDevs RC200-T6", "TokenType=VE9UUA==,TokenKey=tdxn5XXXXXXXXXXXXXXXjUxaZXc=,OTPLength=Ng==,TOTPTimeStep=MzA="

This inventory file can be imported through the WebADM GUI and used for OpenOTP authentications. With this script you can therefore convert any standard OATH PSKC seed file, from any token vendor, into the WebADM inventory format and use it with OpenOTP. The optional third argument, <decryption-key>, is for PSKC files whose seeds are encrypted instead of stored as <PlainValue> elements. Note that the TokenKey value in the Data column is the token seed exactly as it appears in the PSKC <PlainValue> element (compare the two files above), so the inventory file is as sensitive as the PSKC file itself: keep its permissions restricted and delete both files once the import is done.
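To make the conversion explicit, here is an added example that rebuilds the inventory format from the PSKC file shown above. It is not RCDevs' pskc2inv script; it handles only TOTP keys with plaintext seeds, rejects encrypted PSKC files instead of decrypting them, and the 30 second default for a missing <TimeInterval> is an assumption. The sample PSKC is constructed with a dummy seed.

```python
"""Convert an OATH PSKC (RFC 6030) file into the WebADM inventory format.

Added example for this page; NOT RCDevs' pskc2inv. It reproduces the layout
shown above for TOTP keys stored as <PlainValue>: TokenType/OTPLength/
TOTPTimeStep are base64 of their text, TokenKey is the PSKC seed (already
base64) copied verbatim. Encrypted PSKC files are rejected, not decrypted.
"""
import base64
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:keyprov:pskc"
TOTP_ALG = NS + ":totp"

# Constructed sample modelled on the RC200 file above; the seed is a dummy.
SAMPLE_PSKC = """<?xml version="1.0" encoding="UTF-8"?>
<KeyContainer Version="1.0" xmlns="urn:ietf:params:xml:ns:keyprov:pskc">
<KeyPackage>
   <DeviceInfo>
      <SerialNo>2308520000001</SerialNo>
      <Model>RCDevs RC200-T6</Model>
   </DeviceInfo>
   <Key Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:totp" Id="2308520000001">
      <AlgorithmParameters>
         <ResponseFormat Length="6" Encoding="DECIMAL"/>
      </AlgorithmParameters>
      <Data>
         <Secret><PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=</PlainValue></Secret>
         <TimeInterval><PlainValue>30</PlainValue></TimeInterval>
      </Data>
   </Key>
</KeyPackage>
</KeyContainer>
"""

def _q(tag):
    """Namespace-qualify a PSKC element name for ElementTree."""
    return "{%s}%s" % (NS, tag)

def _b64(text):
    return base64.b64encode(text.encode("ascii")).decode("ascii")

def _plain(parent, tag):
    """Text of <tag><PlainValue>; None if absent; error if the value is encrypted."""
    node = parent.find(_q(tag))
    if node is None:
        return None
    if node.find(_q("EncryptedValue")) is not None:
        raise ValueError("%s is encrypted: decrypt the PSKC file first" % tag)
    return (node.findtext(_q("PlainValue")) or "").strip() or None

def pskc_to_rows(xml_text, default_step="30"):
    """Return (Type, Reference, Description, Data) tuples, one per TOTP key."""
    rows = []
    for pkg in ET.fromstring(xml_text).iter(_q("KeyPackage")):
        dev = pkg.find(_q("DeviceInfo"))
        serial = dev.findtext(_q("SerialNo")) if dev is not None else None
        model = (dev.findtext(_q("Model")) if dev is not None else None) or ""
        for key in pkg.findall(_q("Key")):
            alg = key.get("Algorithm")
            if alg != TOTP_ALG:
                raise ValueError("unsupported PSKC algorithm %r" % alg)
            ref, data = serial or key.get("Id"), key.find(_q("Data"))
            if not ref or data is None:
                raise ValueError("key without SerialNo/Id or without <Data>")
            seed = _plain(data, "Secret")
            if seed is None:
                raise ValueError("key %s has no plaintext <Secret>" % ref)
            # Reject junk early: valid base64 of a real key (RFC 4226: >= 128 bits).
            if len(base64.b64decode(seed, validate=True)) < 16:
                raise ValueError("seed for %s is shorter than 128 bits" % ref)
            fmt = key.find(_q("AlgorithmParameters") + "/" + _q("ResponseFormat"))
            length = fmt.get("Length", "6") if fmt is not None else "6"
            step = _plain(data, "TimeInterval") or default_step  # assumption: 30 s
            fields = [("TokenType", _b64("TOTP")), ("TokenKey", seed),
                      ("OTPLength", _b64(length)), ("TOTPTimeStep", _b64(step))]
            rows.append(("OTP Token", ref, model,
                         ",".join("%s=%s" % kv for kv in fields)))
    return rows

def write_inventory(rows):
    """Render rows in the quoted, comma-space separated layout shown above."""
    def fmt(row):
        if any('"' in v or "\n" in v for v in row):
            raise ValueError("field contains a quote or newline: %r" % (row,))
        return ", ".join('"%s"' % v for v in row)
    lines = ["# OpenOTP Inventory export for OATH PSKC",
             "# Generated by the added pskc example, not by OpenOTP", "",
             fmt(("Type", "Reference", "Description", "Data"))]
    return "\n".join(lines + [fmt(r) for r in rows]) + "\n"

def decode_data(data):
    """Parse a Data column back into a dict to check an inventory line.
    Text fields are base64-decoded; TokenKey stays the raw base64 seed."""
    out = {}
    for item in data.split(","):
        k, _, v = item.partition("=")
        out[k] = v if k == "TokenKey" else base64.b64decode(v).decode("ascii")
    return out
```

Running `write_inventory(pskc_to_rows(open("inv.xml").read()))` on a real export produces the same CSV layout as above; `decode_data` is the check to run on any inventory line before importing it, so that a wrong OTP length or time step is caught before the token is assigned to a user.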

5. report

This script generates a CSV report of OpenOTP user activity for one or more WebADM domains. The options are described below:

[root@webadm bin]# ./report 
Usage: report [-y] [-r] [-t] [-d] [-s <user settings>] [-f <search filter>] DOMAIN1 [DOMAIN2] ... [DOMAINX]
Domain 1..X is a list of WebADM Domains where OpenOTP user activity will be reported.
Options:
  -y : Do not prompt for validation (to be used with cron jobs).
  -r : Reset statistic data.
  -t : Include OTP Token information (type, serial and model).
  -d : Include U2F Device information (version).
  -b : Include user blocking information.
  -e : Include AD password expiry information.
  -s <user settings> : Display user settings (ex: "LoginMode,OTPType")
  -f <search filter> : Use a custom LDAP search filter.
If no search filter is defined, all user objects with the webadmAccount
extension will be included in the report.
[root@webadm1 bin]# ./report -t -d -e rcdevs
Are you sure you want to run report (y/n)? y
# OpenOTP user activity report.
# Generated on October 11, 2018 12:30 pm

Domain, UserDN, LastLogin, LoginCount, RejectCount, TokenType, TokenSerial, TokenModel, TokenExpire, Token2Type, Token2Serial, Token2Model, Token2Expire, Token3Type, Token3Serial, Token3Model, Token3Expire, Device1Name, Device2Name, Device3Name, Device4Name, Device5Name, PassworExpired
"rcdevs", "CN=Administrateur,CN=Users,DC=rcdevs,DC=com", "2018-10-11 10:07:57", "128", "72", "TOTP", "39DEE717-500D-4B31-BF90-A845FC7D81A7", "iPhone10,5", "Never", "None", "None", "None", "Never", "None", "None", "None", "Never", "None", "None", "None", "None", "None", "No"
"rcdevs", "CN=YO_AD-DC,OU=Domain Controllers,DC=rcdevs,DC=com", "Never", "0", "0", "None", "None", "None", "Never", "None", "None", "None", "Never", "None", "None", "None", "Never", "None", "None", "None", "None", "None", "No"
"rcdevs", "CN=krbtgt,CN=Users,DC=rcdevs,DC=com", "Never", "0", "0", "None", "None", "None", "Never", "None", "None", "None", "Never", "None", "None", "None", "Never", "None", "None", "None", "None", "None", "Yes"
"rcdevs", "CN=YO_DC,OU=Domain Controllers,DC=rcdevs,DC=com", "Never", "0", "0", "None", "None", "None", "Never", "None", "None", "None", "Never", "None", "None", "None", "Never", "None", "None", "None", "None", "None", "No"
"rcdevs", "CN=Web ADM,OU=Services,DC=rcdevs,DC=com", "Never", "0", "0", "None", "None", "None", "Never", "None", "None", "None", "Never", "None", "None", "None", "Never", "None", "None", "None", "None", "None", "No"
"rcdevs", "CN=push user,OU=Utils,DC=rcdevs,DC=com", "Never", "0", "0", "None", "None", "None", "Never", "None", "None", "None", "Never", "None", "None", "None", "Never", "None", "None", "None", "None", "None", "Yes"
"rcdevs", "CN=scope,OU=TestScope,DC=rcdevs,DC=com", "Never", "0", "0", "None", "None", "None", "Never", "None", "None", "None", "Never", "None", "None", "None", "Never", "None", "None", "None", "None", "None", "No"
"rcdevs", "CN=scope2,OU=testscope2,OU=TestScope,DC=rcdevs,DC=com", "Never", "0", "0", "None", "None", "None", "Never", "None", "None", "None", "Never", "None", "None", "None", "Never", "None", "None", "None", "None", "None", "Yes"
"rcdevs", "CN=proxyuser,CN=Users,DC=rcdevs,DC=com", "Never", "0", "0", "None", "None", "None", "Never", "None", "None", "None", "Never", "None", "None", "None", "Never", "None", "None", "None", "None", "None", "No"
"rcdevs", "CN=adfs user,CN=Users,DC=rcdevs,DC=com", "Never", "0", "0", "None", "None", "None", "Never", "None", "None", "None", "Never", "None", "None", "None", "Never", "None", "None", "None", "None", "None", "No"
"rcdevs", "CN=vagrant,CN=Users,DC=rcdevs,DC=com", "2018-10-01 16:47:53", "3", "0", "TOTP", "39DEE717-500D-4B31-BF90-A845FC7D81A7", "iPhone10,5", "Never", "None", "None", "None", "Never", "None", "None", "None", "Never", "None", "None", "None", "None", "None", "No"
"rcdevs", "CN=yoann,CN=Users,DC=rcdevs,DC=com", "2018-09-13 14:46:17", "14", "5", "TOTP", "39DEE717-500D-4B31-BF90-A845FC7D81A7", "iPhone10,5", "Never", "None", "None", "None", "Never", "None", "None", "None", "Never", "None", "None", "None", "None", "None", "No"
"rcdevs", "CN=test@test,CN=Users,DC=rcdevs,DC=com", "Never", "0", "0", "None", "None", "None", "Never", "None", "None", "None", "Never", "None", "None", "None", "Never", "None", "None", "None", "None", "None", "No"
"rcdevs", "CN=ff,OU=ADFS,DC=rcdevs,DC=com", "Never", "0", "0", "None", "None", "None", "Never", "None", "None", "None", "Never", "None", "None", "None", "Never", "None", "None", "None", "None", "None", "No"
"rcdevs", "CN=webmaster,CN=Users,DC=rcdevs,DC=com", "2018-07-02 15:17:19", "1", "0", "TOTP", "39DEE717-500D-4B31-BF90-A845FC7D81A7", "iPhone10,5", "Never", "None", "None", "None", "Never", "None", "None", "None", "Never", "None", "None", "None", "None", "None", "No"
"rcdevs", "CN=OracleGuest,CN=Users,DC=rcdevs,DC=com", "Never", "0", "0", "None", "None", "None", "Never", "None", "None", "None", "Never", "None", "None", "None", "Never", "None", "None", "None", "None", "None", "No"
"rcdevs", "CN=perttu,CN=Users,DC=rcdevs,DC=com", "Never", "0", "0", "TOTP", "39DEE717-500D-4B31-BF90-A845FC7D81A7", "iPhone10,5", "Never", "None", "None", "None", "Never", "None", "None", "None", "Never", "None", "None", "None", "None", "None", "No"
"rcdevs", "CN=Admin,OU=localuser,DC=rcdevs,DC=com", "2018-10-09 15:26:24", "47", "46", "TOTP", "None", "None", "Never", "None", "None", "None", "Never", "None", "None", "None", "Never", "None", "None", "None", "None", "None", "No"
"rcdevs", "CN=testadfs,CN=Users,DC=rcdevs,DC=com", "2018-08-31 11:21:40", "3", "0", "TOTP", "39DEE717-500D-4B31-BF90-A845FC7D81A7", "iPhone10,5", "Never", "None", "None", "None", "Never", "None", "None", "None", "Never", "None", "None", "None", "None", "None", "No"
"rcdevs", "CN=user,CN=Users,DC=rcdevs,DC=com", "2018-09-07 11:34:11", "3", "0", "TOTP", "39DEE717-500D-4B31-BF90-A845FC7D81A7", "iPhone10,5", "Never", "None", "None", "None", "Never", "None", "None", "None", "Never", "None", "None", "None", "None", "None", "No"
"rcdevs", "CN=administrator,OU=localuser,DC=rcdevs,DC=com", "2018-10-09 15:14:30", "11", "12", "TOTP", "39DEE717-500D-4B31-BF90-A845FC7D81A7", "iPhone10,5", "Never", "None", "None", "None", "Never", "None", "None", "None", "Never", "None", "None", "None", "None", "None", "No"

# Generated OpenOTP report for 21 LDAP users in 0 seconds.
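The report is most useful when something reads it regularly rather than a person scanning 21 rows. The following added example (not part of RCDevs' tooling) parses the report layout shown above and flags three conditions: a high rejection rate, a token that was enrolled but never used, and an expired AD password as reported by -e. The 30 % rejection threshold is an arbitrary starting point, not an RCDevs value, and the sample report is constructed from a subset of the rows above. Note that the column name is looked up by prefix because the header is used exactly as the tool prints it.

```python
"""Triage an OpenOTP `report` CSV for accounts that deserve a second look.

Added example, not part of RCDevs' tooling. It parses the report layout shown
above ('#' comment lines, an unquoted header row, then quoted comma-space
separated rows) and returns (reason, UserDN) pairs.
"""
import csv

# Constructed sample modelled on the report output above (5 of the 21 rows).
SAMPLE_REPORT = """# OpenOTP user activity report.
# Generated on October 11, 2018 12:30 pm

Domain, UserDN, LastLogin, LoginCount, RejectCount, TokenType, TokenSerial, TokenModel, TokenExpire, Token2Type, Token2Serial, Token2Model, Token2Expire, Token3Type, Token3Serial, Token3Model, Token3Expire, Device1Name, Device2Name, Device3Name, Device4Name, Device5Name, PassworExpired
"rcdevs", "CN=Administrateur,CN=Users,DC=rcdevs,DC=com", "2018-10-11 10:07:57", "128", "72", "TOTP", "39DEE717-500D-4B31-BF90-A845FC7D81A7", "iPhone10,5", "Never", "None", "None", "None", "Never", "None", "None", "None", "Never", "None", "None", "None", "None", "None", "No"
"rcdevs", "CN=krbtgt,CN=Users,DC=rcdevs,DC=com", "Never", "0", "0", "None", "None", "None", "Never", "None", "None", "None", "Never", "None", "None", "None", "Never", "None", "None", "None", "None", "None", "Yes"
"rcdevs", "CN=perttu,CN=Users,DC=rcdevs,DC=com", "Never", "0", "0", "TOTP", "39DEE717-500D-4B31-BF90-A845FC7D81A7", "iPhone10,5", "Never", "None", "None", "None", "Never", "None", "None", "None", "Never", "None", "None", "None", "None", "None", "No"
"rcdevs", "CN=Admin,OU=localuser,DC=rcdevs,DC=com", "2018-10-09 15:26:24", "47", "46", "TOTP", "None", "None", "Never", "None", "None", "None", "Never", "None", "None", "None", "Never", "None", "None", "None", "None", "None", "No"
"rcdevs", "CN=user,CN=Users,DC=rcdevs,DC=com", "2018-09-07 11:34:11", "3", "0", "TOTP", "39DEE717-500D-4B31-BF90-A845FC7D81A7", "iPhone10,5", "Never", "None", "None", "None", "Never", "None", "None", "None", "Never", "None", "None", "None", "None", "None", "No"

# Generated OpenOTP report for 5 LDAP users in 0 seconds.
"""

def parse_report(text):
    """Return one dict per user row, keyed by the header names as printed."""
    rows = [r for r in csv.reader(text.splitlines(), skipinitialspace=True)
            if r and not r[0].startswith("#")]
    if not rows:
        return []
    header, users = rows[0], []
    for r in rows[1:]:
        if len(r) != len(header):
            raise ValueError("row has %d fields, header has %d: %r"
                             % (len(r), len(header), r[:2]))
        users.append(dict(zip(header, r)))
    return users

def triage(text, reject_ratio=0.3):
    """Return (reason, UserDN) pairs for accounts worth reviewing.
    reject_ratio is an arbitrary threshold; tune it to your user population."""
    findings = []
    for u in parse_report(text):
        dn = u["UserDN"]
        logins, rejects = int(u["LoginCount"]), int(u["RejectCount"])
        # Many rejects relative to attempts: OTP guessing, a looping client,
        # or a token that drifted. Check the OpenOTP logs for that user.
        if rejects and rejects / (logins + rejects) >= reject_ratio:
            findings.append(("high_reject_rate", dn))
        # Token enrolled but never used: verify the enrollment really completed.
        if u["TokenType"] != "None" and logins == 0:
            findings.append(("token_never_used", dn))
        # The -e column is looked up by prefix, using the header as the tool prints it.
        expired_col = next(h for h in u if h.startswith("Passwor"))
        if u[expired_col] == "Yes":
            findings.append(("password_expired", dn))
    return findings

def reasons_for(findings, dn):
    """Sorted list of reasons recorded for one UserDN."""
    return sorted(r for r, d in findings if d == dn)
```

For unattended use, generate the report with -y (no confirmation prompt) from cron, for example `./report -y -t -e rcdevs > /var/tmp/openotp-report.csv`, and feed the file to `triage`. Treat the output as sensitive: it lists every MFA-enabled account together with token serials and login activity.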

6. safenet2inv

This script converts a SafeNet token seed file into the WebADM inventory format so that SafeNet tokens can be used with OpenOTP. Unlike pskc2inv, the token type (TOTP or HOTP) must be given explicitly as the third argument:

[root@webadm bin]# ./safenet2inv 
WebADM Inventory converter for SafeNet files
Usage: safenet2inv <safenet-file> <inventory-file> <token-type>
Token type can be TOTP or HOTP

7. status

This script prints the OpenOTP server status (version, listener, uptime, request counters) and the state of its connectors, which makes it the natural hook for monitoring:

[root@webadm bin]# ./status 
Server Status: 1
Server: MFA Authentication Server 1.4.1-2 (WebADM 1.6.8)
System: Linux 3.10.0-862.11.6.el7.x86_64 x86_64 (64 bit)
Listener: 127.0.0.1:8080 (HTTP/1.1 SSL)
Uptime: 35 (0 days)
Memory: 550.84K
Total Requests: 0
Active Requests: 0
Connectors: OK (4 alive & 0 down)
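Because the script prints a fixed "Key: value" layout, its output can be turned into a monitoring verdict. The following added example (not part of RCDevs' tooling) parses the lines shown above and maps them to the usual 0/1/2/3 check exit codes; the sample text is copied from the output above, the path of the status script is taken from the listing earlier on this page, and the active-request warning threshold is an assumption to be tuned to your load.

```python
"""Turn the output of the OpenOTP `status` script into a monitoring verdict.

Added example, not part of RCDevs' tooling. Exit codes follow the common
monitoring convention: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.
"""
import re
import subprocess

STATUS_BIN = "/opt/webadm/websrvs/openotp/bin/status"  # path from the listing above

# Constructed sample copied from the status output shown above.
SAMPLE_STATUS = """Server Status: 1
Server: MFA Authentication Server 1.4.1-2 (WebADM 1.6.8)
System: Linux 3.10.0-862.11.6.el7.x86_64 x86_64 (64 bit)
Listener: 127.0.0.1:8080 (HTTP/1.1 SSL)
Uptime: 35 (0 days)
Memory: 550.84K
Total Requests: 0
Active Requests: 0
Connectors: OK (4 alive & 0 down)
"""

CONNECTORS_RE = re.compile(r"^Connectors:\s*(\S+)\s*\((\d+) alive & (\d+) down\)", re.M)

def parse_status(text):
    """Return the 'Key: value' lines as a dict plus parsed connector counts."""
    info = {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")  # first ':' only; Listener keeps host:port
        if sep:
            info[key.strip()] = val.strip()
    m = CONNECTORS_RE.search(text)
    if m:
        info["connectors_state"] = m.group(1)
        info["connectors_alive"] = int(m.group(2))
        info["connectors_down"] = int(m.group(3))
    return info

def evaluate(text, max_active=100):
    """Map parsed status to (exit_code, message)."""
    info = parse_status(text)
    if "Server Status" not in info or "connectors_down" not in info:
        return 3, "UNKNOWN: unexpected status output"
    # "1" is what the healthy server above printed; anything else is a failure.
    if info["Server Status"] != "1":
        return 2, "CRITICAL: OpenOTP server status %s" % info["Server Status"]
    if info["connectors_down"] > 0 or info["connectors_state"] != "OK":
        return 2, "CRITICAL: %d connector(s) down, %d alive" % (
            info["connectors_down"], info["connectors_alive"])
    active = int(info.get("Active Requests", "0"))
    if active > max_active:  # assumption: saturation threshold, tune to your load
        return 1, "WARNING: %d active requests" % active
    return 0, "OK: %s, %d connectors alive" % (
        info.get("Server", "?"), info["connectors_alive"])

def run_check(path=STATUS_BIN):
    """Run the real status script (as root on the WebADM host) and evaluate it."""
    out = subprocess.run([path], capture_output=True, text=True, check=False).stdout
    return evaluate(out)
```

A cron or Nagios/Icinga wrapper can call `run_check()` and exit with the returned code; a connector that goes down shows up as CRITICAL even while the server itself still reports status 1.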