The deliver-one-time-password Command-Line Tool

Generate and deliver a one-time password to a user through some out-of-band mechanism. That password can then be used to authenticate via the UNBOUNDID-DELIVERED-OTP SASL mechanism.

Usage

deliver-one-time-password {arguments}

LDAP Connection Arguments

• -h {host} / --hostname {host} — The IP address or resolvable name to use to connect to the directory server. If this is not provided, then a default value of 'localhost' will be used.
  
  
• -p {port} / --port {port} — The port to use to connect to the directory server. If this is not provided, then a default value of 389 will be used.
  The specified value must not be less than 1 or greater than 65,535.
  
  
• -Z / --useSSL — Use SSL when communicating with the directory server.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• -q / --useStartTLS — Use StartTLS when communicating with the directory server.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• --defaultTrust — Use the JVM's default trust store, and optionally an additional trust store specified using the --trustStorePath argument, to non-interactively determine whether to trust any certificate chain presented during TLS negotiation. If the chain cannot be trusted based on any of those sources, then negotiation will fail without prompting about whether to trust it.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• -X / --trustAll — Trust any certificate presented by the directory server.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• -K {path} / --keyStorePath {path} — The path to the file to use as the key store for obtaining client certificates when communicating securely with the directory server.
  
  
• -W {password} / --keyStorePassword {password} — The password to use to access the key store contents.
  
  
• -u {path} / --keyStorePasswordFile {path} — The path to the file containing the password to use to access the key store contents.
  The specified path must refer to a file that may or may not exist.
  
  
• --promptForKeyStorePassword — Indicates that the tool should interactively prompt the user for the password to use to access the key store contents.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• --keyStoreFormat {format} — The format (e.g., JKS, PKCS12, PKCS11, BCFKS, etc.) for the key store file.
  
  
• -P {path} / --trustStorePath {path} — The path to the file to use as trust store when determining whether to trust a certificate presented by the directory server.
  
  
• -T {password} / --trustStorePassword {password} — The password to use to access the trust store contents.
  
  
• -U {path} / --trustStorePasswordFile {path} — The path to the file containing the password to use to access the trust store contents.
  The specified path must refer to a file that may or may not exist.
  
  
• --promptForTrustStorePassword — Indicates that the tool should interactively prompt the user for the password to use to access the trust store contents.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• --trustStoreFormat {format} — The format (e.g., JKS, PKCS12, PKCS11, BCFKS, etc.) for the trust store file.
  
  
• --verifyCertificateHostnames — Indicates that the tool should verify that the hostname or IP addressed used to establish connections ot the LDAP server matches an address for which the server's TLS certificate was issued.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• -N {nickname} / --certNickname {nickname} — The nickname (alias) of the client certificate in the key store to present to the directory server for SSL client authentication.
  
  
• --enableSSLDebugging — Enable Java's low-level support for debugging SSL/TLS communication. This is equivalent to setting the 'javax.net.debug' property to 'all'.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  

Identification and Authentication Arguments

• -D {dn} / --bindDN {dn} — The DN for the user to whom the one-time password should be delivered. Either the bind DN or username must be provided.
  A provided value must be able to be parsed as an LDAP distinguished name as described in RFC 4514.
  
  
• -n {username} / --userName {username} — The username for the user to whom the one-time password should be delivered. Either the bind DN or username must be provided.
  
  
• -w {password} / --bindPassword {password} — The static password for the user to whom the one-time password should be delivered.
  
  
• -j {path} / --bindPasswordFile {path} — The path to a file containing the static password for the user to whom the one-time password should be delivered.
  The specified path must refer to a file that exists.
  
  
• --promptForBindPassword — Indicates that the tool should interactively prompt the user for the bind password.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  

Delivery Mechanism Arguments

• -m {name} / --deliveryMechanism {name} — The name of the mechanism that should be used to deliver the one-time password to the user. If multiple values are specified (using multiple instances of this argument) then they will be tried in the order in which they are given until one of them is able to deliver the one-time password. If this is not specified, then the server configuration will dictate which delivery mechanisms should be attempted.
  
  
• -s {subject} / --messageSubject {subject} — The subject to use for the message containing the one-time password. This will be ignored for delivery mechanisms that do not require a subject.
  
  
• -f {text} / --fullTextBeforeOTP {text} — The text to include immediately before the one-time password in the message delivered to the end user via a mechanism that does not impose a significant constraint on message size.
  
  
• -F {text} / --fullTextAfterOTP {text} — The text to include immediately after the one-time password in the message delivered to the end user via a mechanism that does not impose a significant constraint on message size.
  
  
• -c {text} / --compactTextBeforeOTP {text} — The text to include immediately before the one-time password in the message delivered to the end user via a mechanism that imposes a significant constraint on message size.
  
  
• -C {text} / --compactTextAfterOTP {text} — The text to include immediately after the one-time password in the message delivered to the end user via a mechanism that imposes a significant constraint on message size.
  
  

Additional Arguments

• --interactive — Launch the tool in interactive mode.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• --outputFile {path} — Write all standard output and standard error messages to the specified file instead of to the console.
  The specified path must refer to a file which may or may not exist, but whose parent directory must exist.
  
  
• --appendToOutputFile — Indicates that the tool should append to the file specified by the --outputFile argument if it already exists. If this argument is not provided and the output file already exists, it will be overwritten.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• --teeOutput — Write all standard output and standard error messages to the console as well as to the specified output file. The --outputFile argument must also be provided.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• -H / --help — Display usage information for this program.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• --help-debug — Display usage information for debug logging.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• --enable-debug-logging — Enables debug logging for the tool.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• --debug-log-level {level} — The debug log level to use for the tool. Allowed values include 'off', 'severe', 'warning', 'info', 'fine', 'finer', and 'finest'. If this is not specified, a default level of 'severe' will be used.
  
  
• --debug-log-category {category} — The message categories to include in the debug log output. Allowed values include 'asn1', 'connect', 'exception', 'ldap', 'connectionpool', 'ldif', 'monitor', 'codingerror', and 'other'. This argument may be provided multiple times to indicate that multiple categories should be included. If this is not specified, then all categories will be included.
  
  
• --include-debug-stack-traces — Indicates that debug log messages should include a stack trace with the code location from which each debug message originated.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• --use-multi-line-debug-messages — Indicates that debug log messages (which will be JSON objects) should be written as multi-line strings rather than single-line strings.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• --debug-log-file {path} — The path to the debug log file to be written. If this is not specified, a default path of 'deliver-one-time-password.debug' will be used.
  The specified path must refer to a file which may or may not exist, but whose parent directory must exist.
  
  
• -V / --version — Display version information for this program.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• --propertiesFilePath {path} — The path to a properties file used to specify default values for arguments not supplied on the command line.
  The specified path must refer to a file that exists.
  
  
• --generatePropertiesFile {path} — Write an empty properties file that may be used to specify default values for arguments.
  The specified path must refer to a file which may or may not exist, but whose parent directory must exist.
  
  
• --noPropertiesFile — Do not obtain any argument values from a properties file.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• --suppressPropertiesFileComment — Suppress output listing the arguments obtained from a properties file.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  

Required Argument Sets

• At least one of the following arguments must be provided: --bindDN, --userName

Dependent Argument Sets

• If the --keyStorePassword argument is provided, then the --keyStorePath argument must also be provided.
• If the --keyStorePasswordFile argument is provided, then the --keyStorePath argument must also be provided.
• If the --promptForKeyStorePassword argument is provided, then the --keyStorePath argument must also be provided.
• If the --trustStorePassword argument is provided, then the --trustStorePath argument must also be provided.
• If the --trustStorePasswordFile argument is provided, then the --trustStorePath argument must also be provided.
• If the --promptForTrustStorePassword argument is provided, then the --trustStorePath argument must also be provided.
• If the --keyStorePath argument is provided, then at least one of the following arguments must also be provided: --useSSL, --useStartTLS
• If the --trustStorePath argument is provided, then at least one of the following arguments must also be provided: --useSSL, --useStartTLS
• If the --defaultTrust argument is provided, then at least one of the following arguments must also be provided: --useSSL, --useStartTLS
• If the --trustAll argument is provided, then at least one of the following arguments must also be provided: --useSSL, --useStartTLS
• If the --appendToOutputFile argument is provided, then the --outputFile argument must also be provided.
• If the --teeOutput argument is provided, then the --outputFile argument must also be provided.

Exclusive Argument Sets

• The following arguments cannot be used together: --useSSL, --useStartTLS
• The following arguments cannot be used together: --keyStorePassword, --keyStorePasswordFile, --promptForKeyStorePassword
• The following arguments cannot be used together: --trustStorePassword, --trustStorePasswordFile, --promptForTrustStorePassword
• The following arguments cannot be used together: --defaultTrust, --trustAll
• The following arguments cannot be used together: --trustAll, --trustStorePath
• The following arguments cannot be used together: --bindDN, --userName
• The following arguments cannot be used together: --bindPassword, --bindPasswordFile, --promptForBindPassword
• The following arguments cannot be used together: --propertiesFilePath, --noPropertiesFile

Examples

• Generate and deliver a one-time password to the user with DN 'uid=test.user,ou=People,dc=example,dc=com' via the default mechanisms configured in the server.

    deliver-one-time-password --hostname server.example.com --port 389 \
         --bindDN uid=test.user,ou=People,dc=example,dc=com \
         --bindPassword password --messageSubject "Your one-time password" \
         --fullTextBeforeOTP "Your one-time password is '" \
         --fullTextAfterOTP "'." --compactTextBeforeOTP "Your OTP is '" \
         --compactTextAfterOTP "'."

• Generate and deliver a one-time password to the user with username 'test.user' via SMS if possible, or e-mail as a second choice.

    deliver-one-time-password --hostname server.example.com --port 389 \
         --userName test.user --bindPassword password \
         --deliveryMechanism SMS --deliveryMechanism E-Mail \
         --messageSubject "Your one-time password" \
         --fullTextBeforeOTP "Your one-time password is '" \
         --fullTextAfterOTP "'." --compactTextBeforeOTP "Your OTP is '" \
         --compactTextAfterOTP "'."