The mfa-server-cli utility configures the MFA server.
mfa-server-cli command [options]
mfa-server-cli --help
mfa-server-cli service-config
mfa-server-cli mfa-server [--port=<MFA server port> | --clientCertCAPath=<CA certificate path> | --enforceClientAuth=<true/false> | --mfaValidity=<Validity of MFA in minutes> | --groupBasedAllowlist=<true/false>]
mfa-server-cli auth-server [--authSrvHost=<AA server address> --endPointID=<id> --endPointSecret=<secret>]
mfa-server-cli policy-config [--event=<AA event name> | --eDirRepo=<eDirectory repository in AA server>]
mfa-server-cli mfa-manage [--printAllMfaSessions=yes | --deleteAllMfaSessions=yes | --allowlistType=<user/usergroup/address/range/subnet> | --addToAllowlist=<allowlist entry value> | --removeFromAllowlist=<allowlist entry value> | --printAllowlist=yes]
mfa-server-cli logging [--logLevel=<error/warn/info/debug> | --logFilePath=<path> | --logTimeStampFormat=<format>]
mfa-server-cli service-cleanup
mfa-server-cli service-reconfig
mfa-server-cli print-config
service-config
  Service configuration requires eDirectory tree administrator credentials. Confirm the host name to use for the MFA server; it must match the DNS name in the Apache server's default virtual host SSL certificate, since a client that validates that certificate rejects a name mismatch. Successful service configuration initializes the database and brings up the MFA server.

mfa-server options:

--port
  Port on which the MFA server listens; any port in the range 1024 to 65535 can be used. By default, the MFA server uses port 3456. If the specified port is not available, the MFA server uses the next available port, so confirm which port the server actually bound before pointing agents and firewall rules at it.

--clientCertCAPath
  Path of the CA certificate file the MFA server uses to validate the client certificate of the MFA agent. By default, this path points to the eDirectory CA certificate.

--enforceClientAuth
  If set to true, the MFA server requires and validates the client certificate presented by the MFA agent. By default, this value is true. Setting it to false lets any client that can reach the port talk to the MFA server without proving it is an MFA agent; leave it enabled.

--mfaValidity
  The period, in minutes, during which a completed multifactor authentication (MFA) remains valid for a user. When the validity expires, the user must complete the second factor of authentication again at the next login. A longer validity means fewer prompts, but also a longer window in which an authentication is reused without re-verification.

--groupBasedAllowlist
  If set to true, eDirectory groups or Active Directory groups can be added to the allowlist (--allowlistType=usergroup). By default, this option is false.

auth-server options:

--authSrvHost
  IP address or host name of the AA (Advanced Authentication) server.

--endPointID
  ID of the endpoint created in the AA server.

--endPointSecret
  Secret of the AA endpoint. The secret is passed on the command line, so it is visible in the shell history and in the process list while the command runs; clear the history entry afterwards.

policy-config options:

--event
  Name of the event created in the AA server.

--eDirRepo
  Name of the eDirectory repository in the AA server that is used for multifactor authentication of eDirectory users. If the repository name is not configured, the AA server searches for the user in every available repository. For Active Directory (AD) users, CIFS detects the repository name automatically and no additional configuration is required.

mfa-manage options:

--printAllMfaSessions=yes
  Lists all valid MFA sessions. Expired sessions are not listed.

--deleteAllMfaSessions=yes
  Deletes all MFA sessions. Every user must then complete the second factor again at the next login.
--allowlistType
  Specifies the type of entry to be added to or removed from the allowlist. Use --allowlistType together with --addToAllowlist or --removeFromAllowlist.
  NOTE: Use LDAP DN format for eDirectory users and groups, and the NetBIOS domain\\SAM account name format for Active Directory users and groups.
  The allowlist entry types are:
  user: eDirectory user in LDAP format (example: cn=alen,o=myorg) or AD user in the format <netbios_name_of_domain\\username> (example: corpdom\\alex).
  usergroup: eDirectory group in LDAP format (example: cn=salesteam,o=myorg) or AD group in the format <netbios_name_of_domain\\groupname> (example: corpdom\\salesteam). Requires --groupBasedAllowlist=true on the mfa-server command.
  address: IP address of a CIFS client workstation (example: 168.10.100.25).
  range: Range of IP addresses of CIFS client workstations (example: 168.10.100.1-168.10.100.100).
  subnet: Subnet of CIFS client workstations (example: 168.10.100.0/24).

--addToAllowlist
  Adds an entry to the allowlist. Use this option with --allowlistType. The entry is an eDirectory user, AD user, eDirectory group, AD group, workstation IP address, workstation IP address range, or workstation subnet, depending on the --allowlistType specified.

--removeFromAllowlist
  Removes an entry from the allowlist. Use this option with --allowlistType. The entry is an eDirectory user, AD user, eDirectory group, AD group, workstation IP address, workstation IP address range, or workstation subnet, depending on the --allowlistType specified.

--printAllowlist=yes
  Prints the allowlist.
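A wrapper for the allowlist options above, added here as an example; it is not part of the mfa-server-cli documentation or the product. An entry that is well-formed but wrong (host bits set in a subnet, a range whose start is after its end, a bare account name instead of a DN or DOMAIN\\name) still changes who is allowlisted, so the helper checks the value against the --allowlistType it is meant for and only prints the mfa-manage command; run the printed command once it reads correctly. The function and variable names are this example's own, and the sample values are the ones given above.

```shell
#!/bin/sh
# Added example (not from the mfa-server-cli documentation): validate an allowlist entry against
# its --allowlistType and print the mfa-manage command to run. Nothing is executed here.
# Requires only POSIX sh, grep -E and sed.

# Convert a dotted IPv4 address to an integer (assumes 64-bit shell arithmetic).
ip2int() {
  set -- $(printf '%s' "$1" | tr . ' ')
  echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Return 0 if VALUE is a plausible entry for allowlist KIND (user/usergroup/address/range/subnet).
mfa_allowlist_valid() {
  kind=$1; value=$2
  octet='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
  ipv4="($octet\\.){3}$octet"
  dn='^[A-Za-z]+=[^,=]+(,[A-Za-z]+=[^,=]+)+$'        # LDAP DN, e.g. cn=alen,o=myorg
  dl='^[A-Za-z0-9][A-Za-z0-9-]*\\+[^\\]+$'           # NetBIOS domain\\name, e.g. corpdom\\alex
  case $kind in
    user|usergroup)
      printf '%s\n' "$value" | grep -Eq "$dn" || printf '%s\n' "$value" | grep -Eq "$dl" || return 1 ;;
    address)
      printf '%s\n' "$value" | grep -Eq "^$ipv4$" || return 1 ;;
    range)
      printf '%s\n' "$value" | grep -Eq "^$ipv4-$ipv4$" || return 1
      # start must not exceed end, otherwise the range is empty or not what was intended
      [ "$(ip2int "${value%-*}")" -le "$(ip2int "${value#*-}")" ] || return 1 ;;
    subnet)
      printf '%s\n' "$value" | grep -Eq "^$ipv4/([0-9]|[12][0-9]|3[0-2])$" || return 1
      net=$(ip2int "${value%/*}")
      mask=$(( (0xFFFFFFFF << (32 - ${value#*/})) & 0xFFFFFFFF ))
      # host bits must be zero: 168.10.100.25/24 is a typo for either the host or the subnet
      [ $(( net & mask )) -eq "$net" ] || return 1 ;;
    *) return 1 ;;
  esac
}

# Print the mfa-manage command for ACTION (add|remove) KIND VALUE. On a bad entry print nothing
# and fail, so `cmd=$(mfa_allowlist_cmd ...) || exit` never yields a command with a wrong entry.
mfa_allowlist_cmd() {
  action=$1; kind=$2; value=$3
  case $action in
    add)    opt=--addToAllowlist ;;
    remove) opt=--removeFromAllowlist ;;
    *)      echo "unknown action: $action" >&2; return 1 ;;
  esac
  mfa_allowlist_valid "$kind" "$value" || { echo "rejected $kind entry: $value" >&2; return 1; }
  esc=$(printf '%s' "$value" | sed "s/'/'\\\\''/g")   # single-quote the entry so backslashes survive
  printf "mfa-server-cli mfa-manage --allowlistType=%s %s='%s'\n" "$kind" "$opt" "$esc"
}

# Demonstration on the sample values from the option descriptions (constructed input):
mfa_allowlist_cmd add user 'cn=alen,o=myorg'
mfa_allowlist_cmd add usergroup 'corpdom\\salesteam'      # needs --groupBasedAllowlist=true
mfa_allowlist_cmd remove range 168.10.100.1-168.10.100.100
mfa_allowlist_cmd add subnet 168.10.100.25/24 || echo "not run: fix the entry first" >&2
```

The value is single-quoted in the printed command so that the backslash in a DOMAIN\\name entry reaches mfa-server-cli unchanged; the check is deliberately strict (a subnet must be given as its network address) because a rejected entry is cheaper to correct than an allowlist that silently covers the wrong hosts.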
logging options:

--logLevel
  Configures the log level (error, warn, info, or debug). The default log level is info.

--logFilePath
  Log file path of the MFA server. By default, the log file path is /var/opt/novell/log/oes/mfaserver/mfaserver-<date>.log.

--logTimeStampFormat
  Log message time stamp format. By default, the format is YYYY-MM-DD HH:mm:ss.

service-cleanup
  Reverts the service configuration and stops the MFA server.

service-reconfig
  Reconfigures the MFA server after a service cleanup. eDirectory administrator credentials are not required when reconfiguring the MFA server. Confirm the host name for the MFA server.

print-config
  Prints the configuration parameters of the MFA server.
Examples (the commands use the option syntax and sample values given above):

mfa-server-cli print-config
  Prints the MFA server configuration.

mfa-server-cli service-config
  Initializes the database and brings up the MFA server.

mfa-server-cli auth-server --authSrvHost=<AA server address> --endPointID=<id> --endPointSecret=<secret>
  Adds the AA server details for the MFA server.

mfa-server-cli policy-config --event=<AA event name> --eDirRepo=<eDirectory repository in AA server>
  Adds the AA configuration details for the MFA server.

mfa-server-cli service-cleanup
  Reverts the service configuration and stops the MFA server.

mfa-server-cli mfa-manage --allowlistType=user --addToAllowlist=cn=alen,o=myorg
  Adds an eDirectory user to the allowlist.

mfa-server-cli mfa-manage --allowlistType=usergroup --addToAllowlist=corpdom\\salesteam
  Adds an Active Directory group to the allowlist (requires --groupBasedAllowlist=true).

mfa-server-cli mfa-manage --allowlistType=address --addToAllowlist=168.10.100.25
  Adds the IP address of a CIFS client workstation to the allowlist.

mfa-server-cli mfa-manage --allowlistType=subnet --removeFromAllowlist=168.10.100.0/24
  Removes a subnet of CIFS client workstations from the allowlist.

mfa-server-cli mfa-manage --allowlistType=range --removeFromAllowlist=168.10.100.1-168.10.100.100
  Removes an IP address range of CIFS client workstations from the allowlist.