Documents in Installation & Configuration

RCDevs LDAP Directory

Installation of RCDevs Directory Server System requirements: RCDevs Directory Server (DS) runs on Linux with GLIBC ≥ 2.5. The package contains the required dependencies allowing DS to run on any Linux system without other requirements. 1. Install DS 1.1 Using the Repository 1.1.1 CentOS/RHEL On a RedHat, CentOS or Fedora system, you can use our repository, which simplifies updates. Add the repository: [root@ldap ~]# yum install https://repos.rcdevs.com/redhat/base/rcdevs_release-1.1.1-1.noarch.rpm Clean yum cache:

Docker deployment

1. Overview This guide explains how to install and configure WebADM in Docker containers. The following components are covered: Slapd, MariaDB, WebADM and WAProxy. 2. Before you start All steps were tested on CentOS 7/CentOS 8 with Docker version 19, but they should work on any system running a modern version of Docker. This guide assumes you already have a working Docker installation. If you need help setting up a Docker environment, consult the Docker website documentation.

WebADM Installation Guide (Standalone and High Availability setups)

Product Documentation This document is an installation guide for WebADM Server in standalone and high availability mode. The WebADM server is the main component to install in order to deploy OpenOTP in your environment. WebADM usage is not covered by this guide; it is documented in the RCDevs WebADM Administrator Guide. Product Overview WebADM is a powerful Web-based LDAP administration software designed for professionals to manage LDAP organization resources such as domain users and groups.

Push Mechanisms

1. Background This document describes how to set up a Push Login infrastructure using WebADM, the OpenOTP Push Server and optionally WAProxy. OpenOTP is the RCDevs MFA service running on top of the RCDevs WebADM platform. OpenOTP itself is composed of several server applications and components that provide secure and reliable authentication of users connecting to applications, online services, intranets and extranets, to name just a few. OpenOTP relies on proven technologies and open standards such as OATH (the Initiative for Open Authentication), HOTP / TOTP / OCRA, RADIUS and LDAP.

Proxy User Permissions on AD

How to configure proxy_user rights for Active Directory Two things must be considered in order to implement fine-grained LDAP permissions for WebADM and its applications. WebADM proxy user permissions: this system user is used by WebADM to access and manipulate the required LDAP resources without an administrator login, for example to increase the failed-authentication counter or to register token metadata on the user account… Administrator user permissions: these accounts log in to the Admin portal in order to manage LDAP resources and registered applications.

Super Admins Permissions on AD

How To configure super_admin rights for Active Directory Two things must be considered in order to implement fine-grained LDAP permissions for WebADM and its applications. WebADM proxy user permissions: this system user is used by WebADM to access and manipulate the required LDAP resources without an administrator login, for example to increase the failed-authentication counter. Administrator user permissions: these accounts log in to the Admin portal in order to manage LDAP resources and registered applications.

Active Directory Read-Only mode

How To Configure WebADM with a Read-Only Active Directory Important Note This setup requires an enterprise license which can only be issued by the RCDevs team. Self-generated Freeware/Trial licenses are not supported. Regular enterprise licenses bought through the RCDevs web store are not supported either. In some circumstances, WebADM cannot write to the LDAP backend. In that case, some configuration must be stored in a local LDAP database and the users' extra information in a SQL database.

Network Time Protocol

Overview WebADM requires an accurate system clock and timezone. Your Linux server should be configured with NTP time synchronization. This guide shows how to install and configure the NTP service. Network Time Protocol traffic runs over UDP port 123; firewall rule examples are given in the RCDevs Hardening Guide. The RCDevs Virtual Appliance uses chrony instead of ntp. Check Installed Packages CentOS 7, 8, Stream Please verify whether the NTP or Chrony packages are already installed.

Radius Bridge Server

1. Product Documentation This document is a configuration guide for OpenOTP Radius Bridge (RB). Note that this document is not a guide for installing and configuring OpenOTP or WebADM; specific application guides are available through the RCDevs documentation website. 2. Product Overview OpenOTP Radius Bridge provides the RADIUS RFC 2865 (Remote Authentication Dial-In User Service) API for the OpenOTP Authentication Server. Standalone, the OpenOTP server provides SOAP/XML and JSON interfaces over HTTP and HTTPS.

LDAP Bridge Server

1. Product Overview The main use case of OpenOTP LDAP Bridge is enabling enterprise applications that use LDAP as an external authentication mechanism to work with OpenOTP. LDAP Bridge allows authentication to be delegated to an OpenOTP server transparently, without changing the LDAP back-end. From the client application's perspective, the main change is that it uses the LDAP Bridge as its LDAP server instead of the back-end LDAP server.

Certificate Authority based on Cryptographic Hardware Security Module

1. Overview This HowTo describes how to configure the Rsignd service (the PKI service) of WebADM with a PKCS#11 cryptographic hardware security module (HSM). The objective is to use the HSM for all CA signing operations and so to increase the protection of the CA private key. This configuration is probably the most secure setup for a PKI service, because logical and physical access to the HSM is limited to one or a few persons in a company.

Syslog and WebADM

1. Overview This HowTo describes how to configure WebADM to send logs to the local syslog and, optionally, onward to a remote syslog (rsyslog) server. The procedure may vary according to the operating system; this configuration has been tested on CentOS Stream and RHEL. Please refer to the Rsyslog documentation for more information. 2. Configuration 2.1 WebADM configuration On the WebADM side, you need to edit the following configuration file: /opt/webadm/conf/webadm.conf Then you have to configure/enable the following settings:

RCDevs VPN Server (MFAVPN)

1. Overview This document is an installation guide for the MFA VPN provided by RCDevs. The installation and configuration of WebADM, including token registration, is not covered in this guide. For installation and usage guides of WebADM and OpenOTP, please refer to the RCDevs WebADM Installation Guide and the RCDevs WebADM Administrator Guide, available through the RCDevs online documentation website. 2. Installation of MFA VPN On a RedHat, CentOS or Fedora system, you can use our repository, which simplifies updates.

Helpdesk Installation and Configuration

1. Overview The purpose of this web application is to provide an easy-to-use interface for the most common "tier 1" support tasks, typically performed by a Help-Desk function in a company IT organization. This Web application is designed for internal (corporate) use and includes several self-management features such as: activating users for OpenOTP use; viewing and managing account information such as email, mobile phone numbers, etc.; resetting the LDAP password; sending password reset or token registration links; enrolling, re-synchronizing and testing a Software / Hardware Token or Yubikey; managing user certificates; managing SSH keys (SpanKey). Administration The HelpDesk web application must be installed on your WebADM server(s) and can be accessed through WAProxy or another reverse proxy configured with WebADM.

Helpdesk Administration and Usage

1. Overview The purpose of this web application is to provide an easy-to-use interface for the most common "tier 1" support tasks, typically performed by a Help-Desk function in a company IT organization. This Web application is designed for internal (corporate) use and includes several self-management features such as: activating users for OpenOTP use; viewing and managing account information such as email, mobile phone numbers, etc.; resetting the LDAP password; sending password reset or token registration links; enrolling, re-synchronizing and testing a Software / Hardware Token or Yubikey; managing user certificates; managing SSH keys (SpanKey). Administration The Help Desk web application must be installed on your WebADM server(s) and can be accessed through WAProxy or another reverse proxy configured with WebADM.

Quick-Sign Milter Installation

1. Introduction The Quick-Sign Milter works alongside a mail server: it intercepts mails before they reach the standard mail server. The milter processes a mail if it corresponds to a signature/seal request; otherwise, the mail follows the standard delivery process. The quicksign-milter package must be installed and configured on a Postfix server. The WebADM/OpenOTP infrastructure must already be deployed and integrated with your LDAP backend, and your OpenOTP license must also include the Sign option.

Quick-Sign Portal Installation

1. Introduction The Quick-Sign Portal is very easy to install and configure, and it can be integrated into an existing environment. It is a PHP web application which interacts with a mail server to let users send and sign documents. We recommend installing it on a dedicated machine rather than on your WebADM/OpenOTP servers. The Quick-Sign Portal relies on the quicksign-milter, so you must configure the Quick-Sign Milter before deploying the Quick-Sign Portal.

WebADM Publishing Proxy

1. Product Overview WAProxy is an HTTP(S) reverse proxy for WebADM. While any reverse proxy should be able to fill the role, this one has already been configured by RCDevs to work securely and to use all the features WebADM provides to reverse proxies. WAProxy handles basic load balancing, failover, and both server and client certificates with the least possible amount of configuration effort. Without a WAProxy reverse proxy, the WebADM end-user web applications must be accessible from anywhere their users could be: if you use OpenOTP Push Login, a user's phone must be able to reach the mobile communication endpoints of your WebADM installation from the internet.