Documents in Installation & Configuration

RCDevs LDAP Directory

Installation of RCDevs Directory Server System requirements: RCDevs Directory Server (DS) runs on Linux with GLIBC ≥ 2.5. The package contains the required dependencies allowing DS to run on any Linux system without other requirements. 1. Install DS 1.1 Using the Repository 1.1.1 CentOS/RHEL On a RedHat, CentOS or Fedora system, you can use our repository, which simplifies updates. Add the repository: [root@ldap ~]# yum install https://repos.rcdevs.com/redhat/base/rcdevs_release-1.1.1-1.noarch.rpm Clean yum cache:

WebADM Publishing Proxy

1. Product Overview WAProxy is an HTTP(S) reverse proxy for WebADM. While any reverse proxy should be able to fill the role, this one has been already configured by RCDevs to work securely and use all the features WebADM provides to reverse proxies. WAProxy handles basic load balancing, failover, and both server and client certificates with the least possible amount of configuration effort. Without a WAProxy reverse proxy, WebADM end-user web applications must be accessible from anywhere its users could be: if you use OpenOTP Push Login or TiQR, a user’s phone must be able to access the mobile communication endpoints on your WebADM installation from the internet.

WebADM Installation Guide (Standalone and High Availability setup)

Product Documentation This document is an installation guide for WebADM Server in standalone and high availability mode. WebADM server is the main component to install and deploy OpenOTP in your environment. WebADM usage manual is not covered by this guide and is documented in the RCDevs WebADM Administrator Guide. Product Overview WebADM is a powerful Web-based LDAP administration software designed for professionals to manage LDAP Organization resources such as Domain Users and Groups.

Docker deployment

1. Overview This guide intends to explain how to install and configure WebADM in docker containers. The following items will be covered: Slapd MariaDB WebADM WAProxy 2. Before you start All steps were tested in CentOS 7/CentOS 8 and docker version 19. But it should work in any system running a modern version of docker. In this guide, I assume you already have a working docker installation. In case you need help to setup a docker environment, you can check the docker website documentation.

Helpdesk Installation and Configuration

1. Overview The purpose of this web application is to provide an easy-to-use interface for the most common “tier 1” support task, typically performed by a Help-Desk function in a company IT organization. This Web application is designed for internal (corporate) use and includes several self-management features like: Activate users for OpenOTP use View and manage account information such as email, mobile phone numbers, etc… Reset LDAP password Send password reset or token registration links Enroll, re-synchronize and test a Software / Hardware Token or Yubikey Manage user certificates Manage SSH keys (SpanKey) Administration HelpDesk web application must be installed on your WebADM server(s) and can be accessed through WAProxy or another reverse proxy configured with WebADM.

Push Mechanisms

1. Background This document describes how to set up Push Login infrastructure, using WebADM, OpenOTP Push Server and optionally WAProxy. OpenOTP is the RCDevs MFA Service running on top of the RCDevs WebADM platform. OpenOTP itself is composed of several server applications and components that provide secure and reliable authentication of users connecting to applications, online services, intranet, extranet just to name a few. OpenOTP relies on proven technologies and open standards, such as OATH (the initiative for open authentication), HOTP / TOTP / OCRA, Radius, LDAP.

Helpdesk Administration and Usage

1. Overview The purpose of this web application is to provide an easy-to-use interface for the most common “tier 1” support task, typically performed by a Help-Desk function in a company IT organization. This Web application is designed for internal (corporate) use and includes several self-management features like: Activate users for OpenOTP use View and manage account information such as email, mobile phone numbers, etc… Reset LDAP password Send password reset or token registration links Enroll, re-synchronize and test a Software / Hardware Token or Yubikey Manage user certificates Manage SSH keys (SpanKey) Administration Help Desk web application must be installed on your WebADM server(s) and can be accessed through WAProxy or another reverse proxy configured with WebADM.

Proxy User Permissions on AD

How to configure proxy_user rights for Active Directory There are two things to be considered in order to implement fine-grained LDAP permission for WebADM and its applications. WebADM Proxy user permissions: This system user is used by WebADM to access and manipulate the required LDAP resources without an administrator login, for example, to increase the false authentication counter, register token metadata on the user account… Administrator users permissions: These accounts login to the Admin portal in order to manage LDAP resources and registered applications.

Super Admins Permissions on AD

How To configure super_admin rights for Active Directory There are two things to be considered in order to implement fine-grained LDAP permissions for WebADM and its applications. WebADM Proxy user permissions: This system user is used by WebADM to access and manipulate the required LDAP resources without an administrator login, for example, to increase the false authentication counter. Administrator users permissions: These accounts login to the Admin portal in order to manage LDAP resources and registered applications.

Active Directory Read-Only mode

How To Configure WebADM with a Read-Only Active Directory Important Note An entreprise license is mandatory for that setup since WebADM 1.6.6 In some circumstances, we can not write in the LDAP backend. In that case, we need to store some configurations in a local LDAP database and users extra information in a SQL database. In this example, we will start with a WebADM server running with a local MariaDB and RCDevs Directory Server.

RCDevs VPN Server (MFAVPN)

1. Overview This document is an installation guide for the MFA VPN provided by RCDevs. Hence, the installation or configuration of WebADM, including token registration is not covered in this guide. For installation and usage guides of WebADM and OpenOTP, please refer to the RCDevs WebADM Installation Guide and the RCDevs WebADM Administrator Guide available through the RCDevs online documentation Website. 2. Installation of MFA VPN On a RedHat, CentOS or Fedora system, you can use our repository, which simplifies updates.

Network Time Protocol

Overview WebADM requires an accurate system clock and timezone. Your Linux server should be configured with NTP time synchronization. This guide will show how to install and configure the NTP server. Network Time Protocol traffic runs over port 123 UDP. At RCDevs Hardening Guide are firewall rules examples. The RCDevs Virtual Appliance uses chrony instead of ntp. Check Installed Packages CentOS 7, 8, Stream Please, verify if NTP or Chrony packages are already installed.

Syslog and WebADM

1. Overview This HowTo describes how to configure WebADM to send logs to the local syslog and optionnaly after to a remote syslog (rsyslog) server. Procedure may changes according to the operating system, this configuration has been tested with CentOS Stream and RHEL OS. Please, refer to Rsyslog documentation for more information. 2. Configuration 2.1 WebADM configuration On WebADM side, you need to edit the following configuration file : /opt/webadm/conf/webadm.conf Then you have to configure/enable the following settings:

Radius Bridge Server

1. Product Documentation This document is a configuration guide for OpenOTP Radius Bridge (RB). The reader should notice that this document is not a guide for installing and configuring OpenOTP or WebADM. Specific application guides are available through the RCDevs documentation website. 2. Product Overview OpenOTP Radius Bridge provides the RADIUS RFC-2865 (Remote Authentication Dial-in User Service) API for OpenOTP Authentication Server. Standalone, the OpenOTP server provides SOAP/XML and JSON interfaces over HTTP and HTTPS.

LDAP Bridge Server

1. Product Overview The main use-case of OpenOTP LDAP Bridge is enabling enterprise applications that use LDAP as an external authentication mechanism to work with OpenOTP. LDAP Bridge allows authentication to be delegated to an OpenOTP server transparently, without changing the LDAP back-end. From the client applications perspective, the main change is that it will use the LDAP Bridge as an LDAP server, instead of the backend-end LDAP server.