Release notes
WHAT'S NEW IN THE RELEASES

Current build: 5.2.0.2 (2018-07-16)

What's new in 5.2 releases
- Enhanced AD/LDAP support for huge Microsoft Active Directory
- Base DN and Users DN are now two different parameters (Users DN optional)

What's new in 5.1 releases
- Dockerfile available (5.1.1.2)
- Credential Provider registry entries are always used when calling multiOTP.exe (5.1.0.6)
- Expired AD/LDAP password support
- multiOTP Credential Provider (for Windows) improvements
  (user@domain.name UPN support, default domain name supported and displayed, SMS request link)
- Better unicode handling, multibyte functions used when needed (mb_strtolower(), ...)

What's new in 5.0 releases
- Better FreeRADIUS 3.x documentation
- New QRCode provisioning format for mOTP (compatible with OTP Authenticator) (5.0.5.2)
- Important, under Linux, the config, devices, groups, tokens and users folders are now always
  located in /etc/multiotp/. Please be sure to make the move when you are upgrading (5.0.4.6)
- PostgreSQL support, based on source code provided by Frank van der Aa (5.0.4.5)
- Restore configuration added in Web GUI (5.0.4.5)
- New GetDelayedUsersList() method (5.0.3.6)
- SetUserTokenSeed() and SetTokenSeed() methods now also accept base32 and raw binary (5.0.3.6)
- Multiple groups per user are now supported (not all devices support multiple groups) (5.0.3.4)
- Whether the AD/LDAP password is used instead of the PIN code can be overwritten (or not) for all synchronized users
- New Windows executable build process, using PHP 7.x (5.0.3.4)
- It's now possible to do several commands at once with the CLI edition (5.0.3.4)
- The default TOTP/HOTP generator for Android/iOS is now FreeOTP Authenticator
- EXE files are now signed in SHA256 (5.0.3.4)
- New LDAP cache management to support huge AD/LDAP, with cache on disk (5.0.3.4)
- New PurgeLockFolder() and PurgeLdapCacheFolder() methods (5.0.3.4)
- If the user dialin IP address is defined, Framed-IP-Address and Framed-IP-Mask
  are delivered in the RADIUS answer (5.0.3.0)
- The user dialin IP address is synchronized from the Active Directory msRADIUSFramedIPAddress
  attribute (5.0.3.0)
- The first matching group defined in AD/LDAP group(s) filtering is now defined for the user
  (this group is returned as the Filter-Id (11) option in a successful RADIUS answer) (5.0.1.0)
- SOAP service available (compatible with OpenOTP SOAP service)
- It's now possible to select a specific LDAP/AD attribute used as the synchronised account name:
  SetLdapSyncedUserAttribute(), GetLdapSyncedUserAttribute()
- Cached requests supported (cached during a specific amount of time, useful for WebDAV,
  device option cache_result_enabled)
- A try on the previous password is rejected, but the error counter is not incremented
- ForceNoDisplayLog() method added, in order to be able to disable log on display in server mode
- YubicoOTP private id check is now implemented
- SSL AD/LDAP also supported with Windows 2012 server
- SyncLdapUsers now uses a semaphore file in order to avoid concurrent processes for large AD/LDAP sync
  (tested with 1'000 groups, 100'000 users, 1'000 users in the LDAP sync group)
- AD/LDAP additional log information
- Special chars support enhanced in LDAP class (as described in RFC4515)
- The default ldap_group_cn_identifier is now cn instead of sAMAccountName
- Enhanced SMS support for Clickatell, SSL is now also working
- Bug fix concerning QRcode generation for mOTP
- Weekly anonymized stats added (can be disabled)

What's new in 4.3.x releases
- Virtual Appliances are now available (VMware, Hyper-V, generic OVA) (4.3.2.5)
- Raspberry Pi edition now has a special proxy to speed up the command line (4.3.1)
- Generic LDAP support (in addition to Microsoft Active Directory support) (4.3.1)
- New AD/LDAP faster sync algorithm to support larger AD (4.3.0)
- If users are synced using AD/LDAP, it's now possible to use
  the AD/LDAP password instead of the PIN code (4.3.0)
- Yubico OTP support, including keys import using the log file in Traditional format (4.3.0)
- Resync during authentication (autoresync) is now better handled in the class directly
- QRCode generation for mOTP (compatible with Token2 App for iOS, Android and Windows Phone)

What's new in 4.2.x releases
- A new option -user-info is now available (4.2.4.1)
- Tokens CSV import (4.2.4.1)
- NT_KEY can be displayed for further handling by FreeRADIUS (4.2.4.1)
- Lots of new QA tests, more than 60 different tests (4.2.4)
- Better MySQL support with mysqli library support (4.2.4)
- If activated, prefix PIN is now also requested for SMS authentication (4.2.2)
- Web GUI is complete for a simple usage (4.2.2)
- Some values can now go back to TekRADIUS (4.2.2)
- AD/LDAP is now fully supported (4.2.1)
- MS-CHAP and MS-CHAPv2 authentication support

What's new in 4.1.x releases
- Syslog support
- Token resync doesn't need prefix PIN anymore
- Specific parameters order in QRCode for Microsoft Authenticator support
- The open source edition of multiOTP is OATH certified for HOTP and TOTP, which includes encrypted PSKC import support
- Instructions and files to build your own strong authentication server device on a Raspberry Pi nano-computer
- Self-registration of unattributed hardware tokens
- Automatic resync/unlock during authentication
- Default Linux file mode is now set by default to 0666 to avoid access problems
- Basic web GUI

What's new in 4.0.x releases
- Full client/server support with local cache
- CHAP authentication support
- Emergency scratch passwords list (providing a list of 10 emergency one-time-usage passwords)
- SMS code sending (with clickatell, aspsms, intellisms and custom exec support)
- Integrated Google Authenticator support with integrated base 32 seed handling
- Conversion from hardware HOTP/TOTP tokens to software tokens
- QRcode generation for HOTP/TOTP automatic provisioning
- Integrated QRcode generator library (from Y. Swetake)
- Group attribute for any user (sent back through the Radius attribute Filter-Id)
- A lot of new options, also available in command line
- Options are stored in an external configuration file (or in the database)
- Full MySQL support, including tables creation
- Fully automatic build chain (invisible for you, but very nice for me)
- (Parts of the) comments have been reformatted and enhanced, but still some work to do...

What's new in 3.9.x releases
- Support for accounts with multiple users
- Some bug fixes

What's new in 3.2.x releases
- Google Authenticator support. Special information to handle the base 32 seed.
- Better MySQL backend integration (still in beta). Now it is possible to store all
  information in a MySQL backend instead of a flat file


CHANGE LOG OF RELEASED VERSIONS
2018-07-16 5.2.0.2 ENH: Enhanced AD/LDAP support for huge Microsoft Active Directory
ENH: Base DN and Users DN are now two different parameters (Users DN optional)
2018-03-20 5.1.1.2 FIX: typo in the source code of the command line option for ldap-pwd and prefix-pin
ENH: Dockerfile available
2018-03-05 5.1.0.8 FIX: Enigma Virtual Box updated to version 8.10 (to create the special all-in-one-file)
2018-02-27 5.1.0.7 FIX: [Receive an OTP by SMS] link is now fixed for Windows 10
2018-02-26 5.1.0.6 ENH: Credential Provider registry entries are now always used when calling multiOTP.exe
2018-02-21 5.1.0.5 FIX: To avoid virus false positive alerts, multiOTP.exe is no longer packaged in one single file
using Enigma; a php folder is now included in the multiOTP folder
FIX: multiOTPOptions registry entry is now useless
2018-02-21 5.1.0.4 ENH: Credential Provider registry entries are used if available
2018-02-19 5.1.0.3 Expired AD/LDAP password support
multiOTP Credential Provider (for Windows) improvements
(user@domain.name UPN support, default domain name supported and displayed, SMS request link)
"force_no_prefix_pin" option for devices (for example if the device is a
computer with multiOTP credential Provider and AD/LDAP synced password)
Better unicode handling, multibyte functions used when needed (mb_strtolower(), ...)
2017-11-04 5.0.5.6 Better FreeRADIUS 3.x documentation
New radius tag prefix configuration option
New multiple groups device option
Some notice corrections (if the array element doesn't exist)
A user cannot be created with a leading backslash (fixed in FastCreateUser and CreateUserFromToken)
2017-09-29 5.0.5.2 The proposed mOTP generator for Android/iOS is now OTP Authenticator
New QRCode provisioning format for mOTP (compatible with OTP Authenticator)
2017-09-08 5.0.5.0 NirSoft nircmd.exe tool removed from the distribution (false virus detection)
Multiple URLs separator for client/server config is still ";", but [space] and "," are accepted
New developer mode for some specific detailed logs during development process only
2017-07-07 5.0.4.9 New methods: SetLdapTlsReqcert, GetLdapTlsReqcert, SetLdapTlsCipherSuite, GetLdapTlsCipherSuite
to change config parameters, instead of hard coded parameters (for SSL/TLS LDAP connection)
Fixed overly detailed information in the log when trying
to detect a token serial number for self-registration
2017-06-06 5.0.4.8 Fixed SSL/TLS LDAP failed connection for PHP 7.x (GnuTLS TLS1.2 restriction removed for PHP 7.x)
2017-06-02 5.0.4.6 Fixed a typo in the ReadCacheData method for PostgreSQL support (thanks Frank for the feedback)
Fixed default folder detection for the multiotp.exe file
Important, under Linux, the config, devices, groups, tokens and users folders are now always
located in /etc/multiotp/. Please be sure to make the move when you are upgrading
Cleaned some ugly PHP warnings when the backend is not initialized
2017-05-29 5.0.4.5 Restore configuration added in Web GUI
Fixed configuration file directory under Windows in Web GUI
Fixed path with spaces handling for the command line edition (thanks Scott for the feedback)
PostgreSQL support, based on source code provided by Frank van der Aa
2017-05-16 5.0.4.4 GetList() is now sorted with files backend
A replay during a defined delay (default 60 seconds) of the previous refused password is rejected,
but the error counter is not incremented (SetLastFailedWhiteDelay and GetLastFailedWhiteDelay)
A user cannot be created with a leading backslash
2017-02-23 5.0.3.7 Group names are now always trimmed to avoid blank spaces
SetLinuxFolderMode() and GetLinuxFolderMode() methods added
2017-02-21 5.0.3.6 GetDelayedUsersList() method added
GetList() now returns a sorted list
RestoreConfiguration() method updated, system configuration data can be ignored
SetUserTokenSeed() and SetTokenSeed() methods now also accept base32 and raw binary
The full windows package has been fixed and cleaned
2017-02-03 5.0.3.5 GetUserInfo method added
ImportTokensFromCsv fixed when the file is not readable
Fix possible endless loop when opening a file that exists but without the right to read it
2017-01-26 5.0.3.4 It's now possible to do several commands at once with the CLI edition
New overwrite_request_ldap_pwd option (enabled by default).
If overwrite is enabled, default_request_ldap_pwd value is forced during synchronization
Multiple groups per user are now supported (not all devices support multiple groups).
(radius reply attributor has been changed to += by default)
multiotp -delete-token command has been added in the CLI
-lock and -unlock commands now return 19 (instead of 99) in the CLI
Better support of DialinIp functions in command line usage
New LDAP cache management to support huge AD/LDAP, with cache on disk (system temporary folder)
New PurgeLockFolder() and PurgeLdapCacheFolder() methods
The default proposed TOTP/HOTP generator for Android/iOS is now FreeOTP Authenticator
Better Eastern European languages support
Multiple purpose tokens provisioning format PSKCV10,
like Gemalto e3050cL and t1050 tokens, is now supported.
Various bug fixes and enhancements when using the proxy mode.
2016-11-14 5.0.3.0 Log messages are better categorized
The user dialin IP address is synchronized from the
Active Directory msRADIUSFramedIPAddress attribute
New IP dialin methods: SetUserDialinIpAddress(), SetUserDialinIpMask(),
SetDefaultDialinIpMask(), GetUserDialinIpAddress(), GetUserDialinIpMask(),
GetDefaultDialinIpMask()
If the user dialin IP address is defined, Framed-IP-Address
and Framed-IP-Mask are delivered in the RADIUS answer
Enhanced token importation process (to support binary encryption key
in hexadecimal 0xAABBCC format)
2016-11-04 5.0.2.6 Better log message for automatically or manually created objects
External packages update
New GetUserLastLogin() and SetUserLastLogin() methods
Backup configuration file can now be restored in commercial
version without any changes
2016-10-16 5.0.2.5 Better SSL support using context if available (for PHP >= 5.3)
New methods SetTouchFolder(), GetTouchFolder(), TouchFolder(),
FolderTouched() to offer asynchronous implementation capabilities
New methods added for SOAP service
Weekly anonymized stats added (can be disabled).
Anonymized stats include the following information:
backend type, AD/LDAP used or not, OS version, PHP version,
library version, number of accounts defined, number of tokens defined.
They are sent on the stats.multiotp.net FQDN which is hosted in Switzerland.
It's possible to select a specific LDAP/AD attribute used as the synchronised
account name: SetLdapSyncedUserAttribute(), GetLdapSyncedUserAttribute()
An account can be tested from the dashboard
Unified configuration backup and restore format (BackupConfiguration)
Better support of MS-CHAPv2 in the provided appliances
Cached requests supported (cached during a specific amount of time,
useful for WebDAV authentication) (device option cache_result_enabled)
A try on the previous password is rejected,
but the error counter is not incremented
ForceNoDisplayLog() method added to disable log on display in server mode
XML parsing errors are more verbose
XmlServer is now sending XML response with the specific Content-type: text/xml
YubicoOTP private id check is now implemented
SSL AD/LDAP also supported with Windows 2012 server
SyncLdapUsers now uses a semaphore file to avoid
concurrent processes for large AD/LDAP sync
(tested with 1'000 groups, 100'000 users, 1'000 users in the LDAP sync group)
AD/LDAP additional log information
New GetNetworkInfo and SetNetworkInfo methods
Special chars support enhanced in LDAP class (as described in RFC4515)
The default ldap_group_cn_identifier is now cn instead of sAMAccountName
The first matching group defined in AD/LDAP group(s) filtering is now
defined for the user (this group is returned as the Filter-Id (11) option
in a successful RADIUS answer)
Enhanced SMS support for Clickatell, SSL is now also working
Bug fix concerning QRcode generation for mOTP
Code fixes
New AssignTokenToUser() and RemoveTokenFromUser() methods
2015-07-18 4.3.2.6 New ResetTempUserArray method (as we want to move away from global array in the near future)
For _user_data, default values are now extracted from the definition array
QRcode generation for mOTP (motp://[SITENAME]:[USERNAME]?secret=[SECRET-KEY])
2015-07-15 4.3.2.5 Calling multiotp CLI without parameter now returns error code 30 (instead of 19)
2015-06-24 4.3.2.4 multi_account automatic support
Scratch password generation (UTF)
2015-06-10 4.3.2.3 Enhancements for the Dev(Talks): demo
2015-06-09 4.3.2.2 Empty users are refused
TOTP time interval of imported tokens is set by default to 30s
More accuracy in the logged information
Refactoring backend methods, sharing code
Refactoring some ugly parts (!)
Documentation update concerning lockout functions and prefix PIN
Special token entry 'Sms' is now also accepted, like 'SMS' or 'sms', to send an SMS token
The minus (-) in the prefix password is now supported (it was filtered to fix some rare user issues)
The autoresync option is now enabled by default
Resync during authentication (autoresync) is now better handled in the class directly
The server_cache_level is now set to 1 by default (instead of 0)
If the token length is not correct, it's now written in the log
Some LDAP messages are now only logged in debug mode
2014-12-15 4.3.1.1 Better generic LDAP support
- description sync done in the following order: description, gecos, displayName
- memberOf is not always implemented, alternative method to sync users based on group names.
- disabled account synchronization using shadowExpire or sambaAcctFlags
Better Active Directory support
- accountExpires is now supported for synchronization
- ms-DS-User-Account-Control-Computed (to handle locked out accounts, available since Windows 2003)
2014-12-09 4.3.1.0 MULTIOTP_PATH environment variable support
CLI proxy added to speed up the command line
Scratch passwords also need the prefix PIN if it's activated
OTP with integrated serial numbers better supported (in PAP)
Generic LDAP support (instead of Microsoft AD support only)
Raspberry Pi edition has now a special proxy to speed up the command line
2014-11-04 4.3.0.0 It's now possible to use the AD/LDAP password instead of the PIN code
Yubico OTP support, including keys import using the log file in Traditional format
qrcode() stub enhanced to check if the required folders are available
SyncLdapUsers completely redesigned
- no more complete array in memory
- MultiotpAdLdap class also enhanced accordingly
- cached group_cn requests
- cached recursive_groups requests
- new "by element" functions
Demo mode support
Bug fix concerning the NT_KEY generation with enabled prefix PIN (thanks Adam)
ResyncToken() method added (instead of using CheckToken() method for synchronization)
2014-06-12 4.2.4.3 Bug fix concerning aspsms provider
2014-04-13 4.2.4.2 XML parsing consolidation, one library for the whole project
Fixed bug concerning tokens CSV import
2014-04-06 4.2.4.1 Fixed bug concerning LDAP handling
NT_KEY support added (for FreeRADIUS further handling)
Tokens CSV import (serial_number;manufacturer;algorithm;seed;digits;interval_or_event)
When a user is deleted, the token(s) attributed to this user is/are unassigned
New option -user-info added
2014-03-30 4.2.4 Fixed bug concerning MySQL handling and mysqli support added
Enhanced SetAttributesToEncrypt function
New implementation of some external classes
Generated QRcodes are better
Lots of new QA tests, more than 60 different tests (including PHP class and command line versions)
Enhanced documentation
2014-03-13 4.2.3 Fixed bug for clear text password going back to TekRADIUS (PIN was always prefixed for mOTP)
Fixed bug when client/server mode is activated, but not working well
2014-03-03 4.2.2 Better AD/LDAP integration
Web GUI is now complete for a simple usage, including hardware tokens import
Better template for provisioning information
Some values can now go back to TekRADIUS
If activated, prefix PIN is now also requested for SMS authentication
More information in the logs
Better list of the external packages used
2014-02-14 4.2.1 AD/LDAP is now fully supported in order to create users based on AD/LDAP content
(with groups filtering)
2014-02-07 4.2.0 MS-CHAP and MS-CHAPv2 are now supported
(md4 implementation added for PHP backward compatibility)
Enhanced LDAP configuration structure
Fixed bug during token attribution to users
(a "no name" token appeared sometimes)
2014-01-20 4.1.1 md5.js was missing in the public distribution
Alternate json_encode function is defined if the JSON extension is not loaded
Fixed possible image functions incompatibilities with some PHP versions
during QRcode generation
As suggested by Sylvain, token resync doesn't need prefix PIN anymore
(but still accepted)
More verbosity in the logs in debug mode
Specific parameters order in QRCode for Microsoft Authenticator support
(thanks to Erik Nylund)
2013-12-23 4.1.0 The open source edition of multiOTP is OATH certified ;-)
(that means full compatibility with any OATH tokens and encrypted PSKC import support)
Raspberry Pi nanocomputer is now fully supported
Basic web interface
Self-registration of hardware tokens is now possible
PAP mode: if self-registration is enabled, a user can register a non-attributed token by typing
[serial number][OTP] instead of [OTP]. If the user has a prefix PIN, type [serial number][PIN][OTP]
PAP/CHAP mode: if self-registration is enabled, a user can register a non-attributed token by typing
[username:serialnumber] as the username and the [OTP] in the password field.
If the user has a prefix PIN, [PIN][OTP] must be typed in the password field
Automatic resync/unlock option during authentication (PAP only). When the autoresync option
is enabled, any user can resync his token by typing [OTP1] [OTP2] in the password field.
If the user has a prefix PIN, he must type [PIN][OTP1] [PIN][OTP2].
Tokens with less than 3 characters are not accepted anymore in CheckToken()
Default Linux file mode is now set by default (0666 for created and changed files)
Error 28 is returned if the file is not writable, even after a successful login
Added GetUsersCount() function
Added GenerateSmsToken() function
Added Groups management functions
Added Tokens assignation functions
Added SetUserActivated(1|0) and GetUserActivated() function
Added SetUserSynchronized(1|0) and GetUserSynchronized() function
scratch_passwords is now a text field in the database
The third parameter of the Decrypt method is now mandatory
Some modifications in order to correctly handle the class methods
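The 4.1.0 notes above describe how the PAP password field is interpreted for prefix PINs and for the [OTP1] [OTP2] autoresync input. The following added example (not multiOTP's own code) re-implements RFC 4226 HOTP and shows a server-side check that strips the prefix PIN, refuses replayed counters, and resyncs a drifted token only when the two submitted values are consecutive HOTP outputs. The HotpUser class, its window sizes and the demo seed are assumptions for illustration.

```python
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpUser:
    """Hypothetical server-side user record (an assumption, not multiOTP's data model):
    the token seed, the next expected counter and an optional prefix PIN."""

    def __init__(self, seed: bytes, counter: int = 0, prefix_pin: str = "", digits: int = 6):
        self.seed = seed
        self.counter = counter        # next counter value the server will accept
        self.prefix_pin = prefix_pin
        self.digits = digits

    def _strip_pin(self, typed: str):
        # With a prefix PIN the user types [PIN][OTP]; without one, just [OTP].
        if not self.prefix_pin:
            return typed
        if not typed.startswith(self.prefix_pin):
            return None
        return typed[len(self.prefix_pin):]

    def _matches(self, counter: int, otp: str) -> bool:
        return hmac.compare_digest(hotp(self.seed, counter, self.digits), otp)

    def check(self, typed: str, window: int = 10) -> bool:
        """Normal PAP login: accept the OTP if it belongs to one of the next `window`
        counters (window size is an assumption), then move the counter past it so the
        same OTP can never be replayed."""
        otp = self._strip_pin(typed)
        if otp is None or len(otp) != self.digits:
            return False
        for c in range(self.counter, self.counter + window):
            if self._matches(c, otp):
                self.counter = c + 1
                return True
        return False

    def check_with_autoresync(self, typed: str, window: int = 10, resync_window: int = 1000) -> bool:
        """Autoresync as the 4.1.0 notes describe it: a password field of the form
        [OTP1] [OTP2] (each PIN-prefixed when a PIN is set) is accepted only if the two
        values are consecutive HOTP outputs within `resync_window` counters ahead of the
        stored one (window size is an assumption). A single value falls back to check()."""
        parts = typed.split(" ")
        if len(parts) != 2:
            return self.check(typed, window)
        otps = [self._strip_pin(p) for p in parts]
        if any(o is None or len(o) != self.digits for o in otps):
            return False
        for c in range(self.counter, self.counter + resync_window):
            if self._matches(c, otps[0]) and self._matches(c + 1, otps[1]):
                self.counter = c + 2     # both submitted OTPs are now burned
                return True
        return False


if __name__ == "__main__":
    # Constructed demo using the RFC 4226 test seed; the token is assumed to have
    # drifted to counter 7 while the server still expects counter 0.
    seed = b"12345678901234567890"
    user = HotpUser(seed, counter=0, prefix_pin="1234")
    drifted = f"1234{hotp(seed, 7)} 1234{hotp(seed, 8)}"
    print("resync accepted:", user.check_with_autoresync(drifted), "counter now", user.counter)
    print("next OTP accepted:", user.check("1234" + hotp(seed, 9)))
    print("replay rejected:", not user.check("1234" + hotp(seed, 9)))
```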
2013-09-22 4.0.9 Fixed a bug in GetUserScratchPasswordsArray. If a user had no scratch password
and the implementation accepted blank passwords, a blank password was accepted
Fixed a bug where scratch passwords generation used odd numbers of characters for hex2bin()
2013-08-30 4.0.7 GetScriptFolder() was still buggy sometimes, thanks Frank for the feedback
File mode of the created QRcode file is also changed based on GetLinuxFileMode()
'sms' as the password to request an SMS token can now be sent in lower or uppercase
Added a description attribute for the tokens
2013-08-25 4.0.6 base32_encode() is now RFC compliant with uppercases
GetUserTokenQrCode() and GetTokenQrCode() were buggy
GetScriptFolder() now uses __FILE__ if the full path is included
When doing a check in the CLI header, @... is automatically removed from the
username if the user doesn't exist, and the check is done on the clean name
Added a lot of tests to enhance release quality
2013-08-21 4.0.5 Fixed the check of the cache lifetime
Added a temporary server blacklist during the same instances
Default server timeout is now set to 1 second
2013-08-20 4.0.4 Added an optional group attribute for the user
(which will be sent with the Radius Filter-Id option)
Added scratch passwords generation (if the token is lost)
Automatic database schema upgrade using method UpgradeSchemaIfNeeded()
Added client/server support with local cache
Added CHAP authentication support (PAP is of course still supported)
The encryption key is now a parameter of the class constructor
The method SetEncryptionKey('MyPersonalEncryptionKey') is DEPRECATED
The method DefineMySqlConnection is DEPRECATED
Full MySQL support, including tables creation (see example and SetSqlXXXX methods)
Added email, sms and seed_password to users attributes
Added sms support (aspsms, clickatell, intellisms, exec)
Added prefix support for debug mode (in order to send Reply-Message := to Radius)
Added a lot of new methods to handle the users and the tokens more easily
General speedup by using available native functions for hash_hmac and others
Default max_time_window has been lowered to 600 seconds (thanks Stefan for suggestion)
Integrated Google Authenticator support with integrated base 32 seed handling
Integrated QRcode generator library (from Y. Swetake)
General options in an external configuration file
Comments have been reformatted and enhanced for automatic documentation
Development process enhanced, source code reorganized, external contributions are
added automatically at the end of the library after an internal build release
2011-10-25 3.9.2 Some quick fixes after intensive check
Improved get_script_dir() in CLI for Linux/Windows compatibility
2011-09-15 3.9.1 Some quick fixes concerning multiple users
2011-09-13 3.9.0 Added support for account with multiple users
2011-07-06 3.2.0 Encryption hash handling with additional error message 33
(if the key has changed)
Added more examples
Added generic user with multiple account
(Real account name is combined: "user" and "account password")
Added log options, now default doesn't log token value anymore
Debugging MySQL backend support for the token handling
Fixed automatic detection of \ or / for script path detection
2010-12-19 3.1.1 Better MySQL backend support, including in CLI version
2010-09-15 3.1.0 Removed bad extra spaces in the multiotp.php file for Linux
MySQL backend support
2010-09-02 3.0.0 Added tokens handling support
including importing XML tokens definition file
(http://tools.ietf.org/html/draft-hoyer-keyprov-pskc-algorithm-profiles-00)
Enhanced flat database file format (multiotp is still compatible with old versions)
Internal method SetDataReadFlag renamed to SetUserDataReadFlag
Internal method GetDataReadFlag renamed to GetUserDataReadFlag
2010-08-21 2.0.4 Enhancement in order to use an alternate php "compiler" for Windows command line
Documentation enhancement
2010-08-18 2.0.3 Minor notice fix
2010-07-21 2.0.2 Fix to create correctly the folders "users" and "log" if needed
2010-07-19 2.0.1 Foreach was not working well in PHP4, replaced at some places
2010-07-19 2.0.0 New design using a class, mOTP support, cleaning of the code
2010-06-15 1.1.5 Added OATH/TOTP support
2010-06-15 1.1.4 Project renamed to multiotp to avoid overlapping
2010-06-08 1.1.3 Typo in script folder detection
2010-06-08 1.1.2 Typo in variable name
2010-06-08 1.1.1 Status bar during resynchronization
2010-06-08 1.1.0 Fix in the example, distribution not compressed
2010-06-07 1.0.0 Initial implementation