Overview

The Manager interface provides access to WebADM management functions and to operations exported by your registered applications. It enables external systems (for example, web portals or automation tools) to remotely trigger user-management operations and application actions over the network.

What the Manager API exposes

  • LDAP management functions for directory administration, including LDAP object creation, update, and removal.
    Internal methods follow the format: Manager_Method. You can also manipulate objects in remote/cloud directories supported by the WebADM framework, such as Entra ID and Google Workspace.

  • Application-exported operations that map to application actions available in the WebADM Admin Portal.
    Application methods follow the format: Application.Manager_Method.

Protocol

The Manager interface uses JSON-RPC 2.0 over HTTPS.
Specification: JSON-RPC 2.0 Specification

Where to find the method catalog

A complete list of supported methods and parameters is available in the Admin Portal:

  • WebADM Admin GUI → Admin tab → Remote Manager Interface

From that page, you can navigate between applications to view application-specific exported methods.


Authentication, access control, and allowed clients

The Manager API requires authentication using a WebADM administrator account.

Authentication is configured in /opt/webadm/conf/webadm.conf and supports DN, UID, and PKI modes via manager_auth.

If admin_auth is configured with multi-factor authentication (PKI, OTP, U2F or MFA), then you must use either:

  • manager_auth PKI, or
  • manager_auth UID with a restricted list of allowed client IPs using manager_clients.

Authentication behavior by mode:

  • DN: provide the administrator DN and password in the HTTP Basic Authorization header.
  • UID: provide the administrator user ID and password in the HTTP Basic Authorization header.
  • PKI: use the administrator client certificate for the TLS connection and provide the administrator password in the HTTP Basic Authorization header.

Example configuration:

manager_auth UID
manager_clients "192.168.4.253","192.168.3.205","127.0.0.1","192.168.4.191"

Note: ensure entries in manager_clients are valid hostnames/IPs for your deployment.

Permissions enforcement

Any LDAP permissions and OptionSet restrictions configured in WebADM are enforced through the Manager interface. Administrators have the same effective access in the Manager interface as in the Admin Portal, subject to the allowed-client restrictions.

Who can access the Manager interface

By default, users or group members defined in super_admins in webadm.conf can access the Manager interface if the originating client IP is allowed.

You can also delegate access without granting full super-admin rights by using Administrator Roles:

  • WebADM Admin GUI → Admin tab → create an Administrator role
  • Assign a user/group to the role
  • Set Allowed Interface to Manager
  • Define the permissions allowed through that role

Sessions

If manager_session in webadm.conf is greater than 0, WebADM creates an administrator session for processing requests.

  • The Manager response returns a session cookie named WEBADMMANAG in the HTTP response headers.
  • Reuse this cookie in subsequent requests to avoid creating new sessions.
  • Sessions expire quickly and are automatically closed after 10 seconds of inactivity.
  • To force session closure, include the header: Connection: close.

Endpoint

The Manager interface is accessible at:

  • https://<webadm_fqdn_or_ip_address>/manag/

All Manager functions are listed and described in:

  • WebADM Admin GUI → Admin tab → Remote Manager Interface

The examples that follow demonstrate how to call Manager methods using PHP with cURL to send JSON-RPC requests over HTTPS.


Examples (JSON-RPC with cURL and PHP)

All examples below assume:

  • Manager endpoint: https://webadm1.rcdevsdocs.com/manag/
  • Admin DN (DN mode): cn=administrator,cn=users,dc=rcdevsdocs,dc=com
  • WebADM domain: rcdevsdocs

Conventions used in examples

  • JSON-RPC request fields: jsonrpc, method, params, id
  • dn parameters should be full LDAP distinguished names.
  • Attribute values are typically arrays (even for single values), e.g. mail: ["a@b.com"].

1) Resolve the DN of an existing user

cURL

curl -k \
  --user "cn=administrator,cn=users,dc=rcdevsdocs,dc=com:password" \
  --header "Content-Type: application/json" \
  --data '{"method":"Get_User_DN","params":{"username":"john.doe","domain":"rcdevsdocs"},"id":0,"jsonrpc":"2.0"}' \
  https://webadm1.rcdevsdocs.com/manag/

PHP (Basic Auth / DN mode)

<?php
$method = 'Get_User_DN';
$params = array(
  'username' => 'john.doe',
  'domain'   => 'rcdevsdocs',
);

$request = array(
  'jsonrpc' => '2.0',
  'method'  => $method,
  'params'  => $params,
  'id'      => 0
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://webadm1.rcdevsdocs.com/manag/");
curl_setopt($ch, CURLOPT_USERPWD, "cn=administrator,cn=users,dc=rcdevsdocs,dc=com:password");
curl_setopt($ch, CURLOPT_HTTPHEADER, array("Connection: close", "Content-Type: application/json"));
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
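/* Peer verification is disabled here (like curl -k), which suits only a lab with a
   self-signed certificate; with a trusted CA, set this to 1 and add CURLOPT_CAINFO. */
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);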
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($request));

$out = curl_exec($ch);
curl_close($ch);

print_r(json_decode($out));
?>

Example response:

{
  "jsonrpc": "2.0",
  "result": "cn=john.doe,cn=users,dc=rcdevsdocs,dc=com",
  "id": 0
}

PHP (PKI authentication)

<?php
$method = 'Get_User_DN';
$params = array(
  'username' => 'john.doe',
  'domain'   => 'rcdevsdocs',
);

$caFile   = getcwd() . '/ca.crt';
$keyFile  = getcwd() . '/administrator.key.pem';
$certFile = getcwd() . '/administrator.crt.pem';
$certPass = "certpassword";

$request = array(
  'jsonrpc' => '2.0',
  'method'  => $method,
  'params'  => $params,
  'id'      => 0
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://webadm1.rcdevsdocs.com/manag/");
curl_setopt($ch, CURLOPT_SSLKEY, $keyFile);
curl_setopt($ch, CURLOPT_CAINFO, $caFile);
curl_setopt($ch, CURLOPT_SSLCERT, $certFile);
curl_setopt($ch, CURLOPT_SSLCERTPASSWD, $certPass);

/* In PKI mode, the TLS client cert authenticates the connection;
   WebADM still expects the admin password via HTTP Basic Auth. */
curl_setopt($ch, CURLOPT_USERPWD, "cn=administrator,cn=users,dc=rcdevsdocs,dc=com:password");

curl_setopt($ch, CURLOPT_HTTPHEADER, array("Connection: close", "Content-Type: application/json"));
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
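/* $caFile is supplied above, so verify the server certificate and hostname against it. */
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);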
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($request));

$out = curl_exec($ch);
curl_close($ch);

print_r(json_decode($out));
?>

2) Search email addresses for LDAP users with the webadmAccount extension

$method = 'Search_LDAP_Objects';
$params = array(
  'basedn' => 'dc=rcdevsdocs,dc=com',
  'filter' => '(objectclass=webadmaccount)',
  'attrs'  => array('mail')
);

Example response structure:

{
  "jsonrpc": "2.0",
  "result": {
    "cn=john doe,cn=users,dc=rcdevsdocs,dc=com": { "mail": ["john.doe@rcdevsdocs.com"] },
    "cn=jane doe,cn=users,dc=rcdevsdocs,dc=com": { "mail": ["jane.doe@rcdevsdocs.com"] }
  },
  "id": 0
}

3) Set a user mobile number and email address

$method = 'Set_User_Attrs';
$params = array(
  'dn'    => 'cn=john doe,cn=users,dc=rcdevsdocs,dc=com',
  'attrs' => array(
    'mobile' => array('1234567890'),
    'mail'   => array('john.doe@rcdevsdocs.com')
  ),
);

Typical result:

{ "jsonrpc":"2.0", "result":1, "id":0 }

4) Get a user mobile number and email address

cURL

curl -k \
  --user "cn=administrator,cn=users,dc=rcdevsdocs,dc=com:password" \
  --header "Content-Type: application/json" \
  --data '{"method":"Get_User_Attrs","params":{"dn":"cn=john doe,cn=users,dc=rcdevsdocs,dc=com","attrs":["mobile","mail"]},"id":0,"jsonrpc":"2.0"}' \
  https://webadm1.rcdevsdocs.com/manag/

Example response:

{
  "jsonrpc":"2.0",
  "result":{
    "mail":["john.doe@rcdevsdocs.com"],
    "mobile":["1234567890"]
  },
  "id":0
}

PHP

$method = 'Get_User_Attrs';
$params = array(
  'dn'    => 'cn=john doe,cn=users,dc=rcdevsdocs,dc=com',
  'attrs' => array('mobile', 'mail'),
);

5) Set application settings for a user

$method = 'Set_User_Settings';
$params = array(
  'dn'       => 'cn=john doe,cn=users,dc=rcdevsdocs,dc=com',
  'settings' => array(
    'OpenOTP.LoginMode'  => 'LDAPOTP',
    'OpenOTP.SecureMail' => false
  ),
);

6) Register an HOTP token with OpenOTP

$method = 'OpenOTP.HOTP_Register';
$params = array(
  'dn'      => 'cn=john doe,cn=users,dc=rcdevsdocs,dc=com',
  'key'     => base64_encode("12345678901234567890"),
  'counter' => 0
);

7) Create a WebADM user (licensed user)

$method = 'Create_LDAP_Object';
$params = array(
  'dn'    => 'cn=john.doe,cn=users,dc=rcdevsdocs,dc=com',
  'attrs' => array(
    'objectclass'   => array('person', 'inetorgperson', 'webadmaccount'),
    'uid'           => array('john.doe'),
    'userpassword'  => array('password'),
    'sn'            => array('John Doe')
  )
);

8) Batch request: create an admin user and add them to a group

This sends two JSON-RPC calls in one HTTP request.

$req1 = array(
  'jsonrpc' => "2.0",
  'method'  => 'Create_LDAP_Object',
  'params'  => array(
    'dn'    => 'cn=john doe,cn=users,dc=rcdevsdocs,dc=com',
    'attrs' => array(
      'objectclass'  => array('person', 'inetorgperson'),
      'samaccountname' => array('john.doe'),
      'userprincipalname' => array('john.doe@rcdevsdocs.com'),
      'userpassword' => array('JohnDoePassword123'),
      'sn'           => array('John Doe')
    )
  ),
  'id' => 1
);

$req2 = array(
  'jsonrpc' => "2.0",
  'method'  => 'Set_User_Attrs',
  'params'  => array(
    'dn'     => 'cn=other_admins,dc=WebADM',
    'attrs'  => array('member' => array('cn=Domain Admins,cn=users,dc=rcdevsdocs,dc=com')),
    'values' => true
  ),
  'id' => 2
);

$request = array($req1, $req2);
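
JSON-RPC 2.0 allows the replies to a batch to arrive in any order, and each call carries its own result or error, so a failed Create_LDAP_Object can sit next to a successful Set_User_Attrs. The following added example (not RCDevs code) matches replies to requests by id; the reply string and the batch_outcome() helper are constructed for illustration.

```php
<?php
// Added example (not RCDevs code): correlate a JSON-RPC 2.0 batch reply with its requests.
function batch_outcome(array $requests, string $rawReply): array {
    $replies = json_decode($rawReply, true);
    if (!is_array($replies)) {
        throw new RuntimeException('Batch reply is not valid JSON');
    }
    if (isset($replies['error'])) {
        // A single error object instead of an array means the whole batch was rejected.
        throw new RuntimeException('Batch rejected: ' . json_encode($replies['error']));
    }
    $byId = array();
    foreach ($replies as $reply) {
        if (is_array($reply) && isset($reply['id'])) {
            $byId[$reply['id']] = $reply;
        }
    }
    $outcome = array();
    foreach ($requests as $req) {
        $reply = $byId[$req['id']] ?? null;
        if ($reply === null) {
            $status = 'no reply';
        } elseif (isset($reply['error'])) {
            $status = 'error: ' . json_encode($reply['error']);
        } else {
            $status = 'ok';
        }
        $outcome[$req['id']] = array('method' => $req['method'], 'status' => $status);
    }
    return $outcome;
}

// Constructed sample: same ids and methods as the batch above. The reply is invented
// for illustration, arrives out of order, and reports a failure for the first call.
$requests = array(
    array('jsonrpc' => '2.0', 'method' => 'Create_LDAP_Object', 'id' => 1),
    array('jsonrpc' => '2.0', 'method' => 'Set_User_Attrs', 'id' => 2),
);
$rawReply = '[{"jsonrpc":"2.0","result":1,"id":2},'
          . '{"jsonrpc":"2.0","error":{"code":-32000,"message":"constructed sample error"},"id":1}]';

foreach (batch_outcome($requests, $rawReply) as $id => $o) {
    printf("id %d  %-20s %s\n", $id, $o['method'], $o['status']);
}
```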

9) Change a user password

$method = 'Set_User_Password';
$params = array(
  'dn'       => 'cn=john doe,cn=users,dc=rcdevsdocs,dc=com',
  'password' => 'newpassword'
);

The provided password must comply with the password policy of the target directory.


10) Server status

$method = 'Server_Status';
$params = array(
  'servers' => true,
  'webapps' => true,
  'websrvs' => true,
);

11) License status

curl -k \
  --user "cn=administrator,cn=users,dc=rcdevsdocs,dc=com:password" \
  --header "Content-Type: application/json" \
  --data '{"method":"Get_License_Details","id":0,"jsonrpc":"2.0"}' \
  https://webadm1.rcdevsdocs.com/manag/

12) Activated user count

$method = 'Count_Activated_Users';
$params = array();

Soft token registration with Push (OpenOTP)

13) Interactive registration (wait for the scan)

  1. Generate a new key:

$method = 'Get_Random_Bytes';
$params = array('length' => '20');

  2. Start a mobile session:

$method = 'OpenOTP.Mobile_Session';
$params = array('timeout' => '600');

  3. Get a registration URI:

$method = 'OpenOTP.TOTP_URI';
$params = array(
  'name'    => 'My token',
  'key'     => $key,
  'userid'  => 'john',
  'domain'  => 'rcdevsdocs',
  'session' => $session
);

  4. Generate a QR code (TXT is convenient for terminals):

$method = 'Get_QRCode';
$params = array(
  'uri'    => $uri,
  'format' => 'TXT',
  'margin' => '4',
  'size'   => '1'
);

Display it:

print(base64_decode(json_decode($out, true)['result']));

  5. Poll until the app confirms the scan:

$method = 'OpenOTP.Mobile_Response';
$params = array('session' => $session);

When the result becomes 1, register the token:

$method = 'OpenOTP.TOTP_Register';
$params = array(
  'dn'      => 'cn=john doe,cn=users,dc=rcdevsdocs,dc=com',
  'key'     => $key,
  'session' => $session
);
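
The six calls above chained into one script, as an added example that is not RCDevs code: it reuses a single cURL handle so the WEBADMMANAG cookie described under Sessions is replayed, verifies the server certificate, and stops on any JSON-RPC error. Assumptions: a ca.crt file holding the CA that signed the WebADM certificate, a WEBADM_ADMIN_PASSWORD environment variable, manager_session greater than 0, and that each result can be passed unchanged into the next call; manager_call() is a hypothetical helper.

```php
<?php
// Added example (not RCDevs code); ca.crt and WEBADM_ADMIN_PASSWORD are assumptions.

function manager_call($ch, string $method, array $params = array()) {
    static $id = 0;
    $request = array('jsonrpc' => '2.0', 'method' => $method, 'params' => $params, 'id' => ++$id);
    curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($request));
    $out = curl_exec($ch);
    if ($out === false) {
        throw new RuntimeException('Transport error: ' . curl_error($ch));
    }
    $reply = json_decode($out, true);
    if (!is_array($reply) || ($reply['id'] ?? null) != $id) {
        throw new RuntimeException("Malformed or mismatched reply to $method");
    }
    if (isset($reply['error'])) {
        throw new RuntimeException("$method failed: " . json_encode($reply['error']));
    }
    return $reply['result'] ?? null;
}

$ch = curl_init('https://webadm1.rcdevsdocs.com/manag/');
curl_setopt_array($ch, array(
    CURLOPT_USERPWD        => 'cn=administrator,cn=users,dc=rcdevsdocs,dc=com:' . getenv('WEBADM_ADMIN_PASSWORD'),
    CURLOPT_HTTPHEADER     => array('Content-Type: application/json'),
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_POST           => true,
    CURLOPT_CAINFO         => __DIR__ . '/ca.crt', // verify the server instead of disabling checks
    CURLOPT_SSL_VERIFYPEER => true,
    CURLOPT_SSL_VERIFYHOST => 2,
    CURLOPT_COOKIEFILE     => '',                  // in-memory cookie engine: WEBADMMANAG is replayed
));

$key     = manager_call($ch, 'Get_Random_Bytes', array('length' => '20'));
$session = manager_call($ch, 'OpenOTP.Mobile_Session', array('timeout' => '600'));
$uri     = manager_call($ch, 'OpenOTP.TOTP_URI', array('name' => 'My token', 'key' => $key,
    'userid' => 'john', 'domain' => 'rcdevsdocs', 'session' => $session));
$qr      = manager_call($ch, 'Get_QRCode', array('uri' => $uri, 'format' => 'TXT', 'margin' => '4', 'size' => '1'));
print(base64_decode($qr));

$deadline = time() + 600;                          // same lifetime as the mobile session
while (manager_call($ch, 'OpenOTP.Mobile_Response', array('session' => $session)) != 1) {
    if (time() >= $deadline) {
        throw new RuntimeException('QR code was not scanned before the session expired');
    }
    sleep(2);                                      // stays under the 10-second idle limit of the Manager session
}
manager_call($ch, 'OpenOTP.TOTP_Register', array(
    'dn' => 'cn=john doe,cn=users,dc=rcdevsdocs,dc=com', 'key' => $key, 'session' => $session));
```

The "Connection: close" header used in the earlier examples is left out on purpose, since it forces the session to close after each request.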

14) Detached registration (QR sent separately, no waiting)

Start a session with a PIN code (QR usable until session ends):

$method = 'OpenOTP.Mobile_Session';
$params = array(
  'timeout' => '600',
  'pincode' => '123456',
);

Register the token first (it will only be attached once the QR is scanned):

$method = 'OpenOTP.TOTP_Register';
$params = array(
  'dn'      => 'cn=john doe,cn=users,dc=rcdevsdocs,dc=com',
  'key'     => $key,
  'session' => $session
);

Then generate the URI and QR code as shown above (use domain => 'rcdevsdocs').


Signing a CSR (Manager API)

The Manager API can sign a CSR via the WebADM PKI service and return a certificate.

Generate CSRs with OpenSSL

User certificate CSR example (user john.doe in domain rcdevsdocs):

openssl req -new -newkey rsa:2048 -nodes \
  -keyout user.key \
  -out user.csr \
  -subj '/CN=John Doe/UID=john.doe/DC=rcdevsdocs/description=USER/SN=Doe/GN=John'

Admin certificate CSR example (distinguished by description=ADMIN):

openssl req -new -newkey rsa:2048 -nodes \
  -keyout admin.key \
  -out admin.csr \
  -subj '/CN=cn=administrator,cn=users,dc=rcdevsdocs,dc=com/description=ADMIN/SN=administrator'

Submit CSR for signing

<?php
$method = 'Sign_certificate_Request';
$params = array(
  'request' => file_get_contents("user.csr"), // CSR produced by the OpenSSL command above
);

$request = array(
  'jsonrpc' => "2.0",
  'method'  => $method,
  'params'  => $params,
  'id'      => 1
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://webadm1.rcdevsdocs.com/manag/");
curl_setopt($ch, CURLOPT_USERPWD, "rcdevsdocs\\administrator:password");
curl_setopt($ch, CURLOPT_HTTPHEADER, array("Connection: close", "Content-Type: application/json"));
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
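/* Certificate and hostname checks are both disabled here; use this only against a
   test server, and verify the server certificate otherwise. */
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);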
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($request));

$out = curl_exec($ch);
curl_close($ch);

print_r(json_decode($out));
?>

Register the signed certificate on a user

$cert = file_get_contents("user.crt");

$method = 'Set_User_Attrs';
$params = array(
  'dn' => 'cn=john doe,cn=users,dc=rcdevsdocs,dc=com',
  'attrs' => array(
    'usercertificate' => array(preg_replace('/(-----.*-----)|\s/', '', $cert)),
  ),
  'values' => true
);

Web Services API

Web services are available via SOAP and REST. Functions and attributes are the same across both interfaces.

SOAP API

WSDL endpoints (examples):

  • openotp (OpenOTP Authentication server):
    https://webadm1.rcdevsdocs.com/websrvs/wsdl.php?websrv=openotp
  • spankey (SSH Public Key server):
    https://webadm1.rcdevsdocs.com/websrvs/wsdl.php?websrv=spankey
  • smshub (SMS Hub Gateway):
    https://webadm1.rcdevsdocs.com/websrvs/wsdl.php?websrv=smshub

PHP example (SOAP)

<?php
$soap_client = new SoapClient("https://webadm1.rcdevsdocs.com/websrvs/wsdl.php?websrv=openotp");

$username     = "john.doe";
$ldapPassword = "password";

$response = $soap_client->openotpNormalLogin($username, null, $ldapPassword);
print_r($response);
?>

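If your PHP environment verifies SSL peers by default and the server certificate is not trusted by the client, you can disable verification for testing. With verification off, the client cannot tell the WebADM server from an impostor, so the LDAP password and OTP are exposed to interception; outside a test setup, make the client trust the WebADM CA instead.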

<?php
$sctx = stream_context_create(array(
  'ssl' => array('verify_peer' => false, 'verify_peer_name' => false)
));

$soap_client = new SoapClient(
  "https://webadm1.rcdevsdocs.com:8443/openotp?wsdl",
  array('stream_context' => $sctx)
);

$username     = "john.doe";
$ldapPassword = "password";
$otp          = "123456";

$response = $soap_client->openotpNormalLogin($username, null, $ldapPassword, $otp);
print_r($response);
?>

REST API

REST authentication endpoints support GET, POST, and POST-JSON.

If you want to require client certificates for REST, enable:

  • WebADM Applications → MFA Authentication server → CONFIGURE → Require Client Certificate

Then issue client certificates in:

  • WebADM → Admin → Issue Server or Client SSL Certificate

GET examples

wget "https://webadm1.rcdevsdocs.com:8443/openotp/json/openotpNormalLogin/?username=john.doe&ldapPassword=password"

wget "https://webadm1.rcdevsdocs.com:8443/openotp/json/?method=openotpNormalLogin&username=john.doe&ldapPassword=password"

With a client certificate:

wget --certificate=client.crt --no-check-certificate \
  "https://webadm1.rcdevsdocs.com:8443/openotp/json/openotpNormalLogin/?username=john.doe&ldapPassword=password"

POST-JSON example

wget --post-data='{"username":"john.doe","ldapPassword":"foo"}' \
  "https://webadm1.rcdevsdocs.com:8443/openotp/json/openotpNormalLogin/"

With a client certificate:

wget --certificate=client.crt --no-check-certificate \
  --post-data='{"username":"john.doe","ldapPassword":"password"}' \
  "https://webadm1.rcdevsdocs.com:8443/openotp/json/openotpNormalLogin/"