Both of the methods described below rely on LDAP to identify the user, so a correctly configured LDAP connection is a prerequisite. You can specify your LDAP or LDAPS server (or servers) by navigating to the Admin Panel and selecting LDAP Settings.
Please note that the first parameter (LDAP) only controls the LDAP proxy mode of TOTPRadius and not the LDAP enrollment portals. The LDAP enrollment portals are controlled by the "Allow LDAP enrollment" and "Allow LDAP web enrollment" settings, as described further in this guide.
This option enables the legacy LDAP self-service enrollment portal, which is accessible inside your LAN (it is hosted on the same web interface as the TOTPRadius web admin page). While it is fully active, it lacks the new features that are available in the new internet-facing self-service portal (explained in the next section). By default, the legacy LDAP portal redirects to the new portal ("/vpn/ldap/", controlled by the "Ldap web url redirect" parameter). The only use case for keeping the legacy portal accessible is when you want to allow TOTP app re-enrollment: this is not possible on the internet-facing LDAP portal.
The new portal allows enrollment from the external (public, internet-facing) Web VPN portal. Only initial enrollment is allowed there; changing the TOTP secret is possible using the internal LDAP enrollment page or from the admin portal.
The enrollment process is described below:
Enrolling software tokens
In addition to software token enrollment, the new portal also allows hardware token enrollment:
The enrollment process is described below: