documentation:latest:external2f [2019/02/16 22:44]
cmaudoux [External Second Factor]
documentation:latest:external2f [2019/05/09 16:41] (current)
Line 11: Line 11:
 All parameters are configured in "​General Parameters » Portal Parameters » Extensions » External 2nd Factor"​. All parameters are configured in "​General Parameters » Portal Parameters » Extensions » External 2nd Factor"​.
   * **Activation**   * **Activation**
-  * **Send command**: define your command using //​$attribute//​ like in rules. Example: ''/​usr/​local/​bin/​sendOtp --uid $uid''​ +  ​* **Code RegEx**: regular expression to create an OTP code. Let this option blank to delegate code Generation / Verification to an external provider 
-  * **Validation command**: you must also use //$code// which is the value entered by user; Example: ''/​usr/​local/​bin/​verify --uid $uid --code $code''​+  ​* **Send command**: define your command using //​$attribute//​ like in rules. Example: ''/​usr/​local/​bin/​sendOtp --uid $uid'' ​or ''/​usr/​local/​bin/​sendCode --uid $uid --code $code''​ if code is generated by the Portal 
 +  * **Validation command**: ​Required ONLY if you delegate code Generation / Verification to an external provider. You must also use //$code// which is the value entered by user; Example: ''/​usr/​local/​bin/​verify --uid $uid --code $code''​
   * **Authentication Level**: if you want to overwrite the value sent by your authentication module, you can define here the new authentication level. Example: 5   * **Authentication Level**: if you want to overwrite the value sent by your authentication module, you can define here the new authentication level. Example: 5
-  * Logo (Optional): logo file //(in static/<​skin>​ directory)//​+  ​* **Logo** (Optional): logo file //(in static/<​skin>​ directory)//​
  
 <note important>​The command line is split in an array and launched with exec(). So you don't need to enclose arguments in ""​ and this feature protects your system against shell injection. However, you can not use any space except to separate arguments.</​note>​ <note important>​The command line is split in an array and launched with exec(). So you don't need to enclose arguments in ""​ and this feature protects your system against shell injection. However, you can not use any space except to separate arguments.</​note>​
 +
 +=== SELinux note ===
 +
 +If your server is enforcing SELinux policies, make sure your external script has a label that is allowed to be executed by ''​httpd''​.
 +
 +For example, storing your script in ''/​usr/​local/​bin/''​ will give it a ''​bin_t''​ label that will work correctly.
 +
 +If your script has a ''​httpd_sys_script_exec_t''​ type, it will only be able to do external network requests if the SELinux boolean ''​httpd_can_network_connect''​ is enabled.
 +
 +If your script has any other label, it will probably not work at all.
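Review bot: the new **Send command** and **Validation command** bullets should state that ''$code'' (typed by the user) and the ''$attribute'' values reach the script as untrusted argv entries, so the script must validate them itself; the exec() note only rules out shell metacharacter injection, and depending on the script's argument parser a user-supplied code such as ''-h'' may be interpreted as an option instead of the value of ''--code'' in ''/usr/local/bin/verify --uid $uid --code $code''. Recommend adding one sentence telling integrators to reject anything that does not match the expected code format before acting on it. Two wording fixes in the same hunk: the **Code RegEx** bullet should read "Leave this option blank" rather than "Let this option blank", with "code generation / verification" in lowercase (the same phrase appears again in the **Validation command** bullet), and the important note should say "split into an array"; it would also help to add that, since no shell is involved, quoting, globbing and redirection in the command string are not interpreted either, not only spaces. In the SELinux section, ''bin_t'' is the default context for a file created under ''/usr/local/bin/'', but a script moved there with ''mv'' keeps its previous label; suggest adding "run ''restorecon -v /usr/local/bin/<script>'' after installing it and check the result with ''ls -Z''" so the "probably not work at all" case is diagnosable.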