Comments (20)
I can confirm they only deactivate when an AD Sync is performed.
The AD sync is only deactivating some users and not all. These users are all in the same OU, same groups, and are all active in AD. Yet certain ones become deactivated on OTP when AD sync runs.
I cannot find anything between users that is different to explain why the deactivated ones deactivate and the others don't.
from multiotp.
Hello Jonathan,
Please download the 5.2.0.3-beta-1 package here: https://download.multiotp.net/beta/
If debug mode is activated, it gives a lot of details about synchronized users, and the reason why the user is disabled.
Thanks for keeping us in touch after checking the log.
Regards,
from multiotp.
I had -display-log on but not -debug...
With -Debug I see
LOG 2018-07-26 12:47:22 debug Debug Debug: *AD/LDAP will disabled: account not found anymore in the AD/LDAP with the specified filters (synchronized last time the 2018-07-23 10:41:28) with server 10.1.0.6, in group SecureLogonTest, DN was CN=Test User,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=td,DC=local)
This hasn't been changed in AD... Users are still there in those OUs, same server, same IP address.
So I am not entirely sure why it has issues now when it worked before. I am going to keep testing and debugging this to see what I can find.
from multiotp.
I cannot find any reason for these users to deactivate. Why would it not find the same users in the same location they have always been, but still be able to find other users in that same location?
None of them have been moved or changed yet a handful cannot be found.
from multiotp.
Hello,
Can you please send us the real username of some users that have been deactivated, and also the real group name.
Thanks
from multiotp.
td.local --> MyBusiness --> Users --> SBSUsers --> Test User
User in group SecureLogon
td.local --> MyBusiness --> Users --> SBSUsers --> Testy Testerson
User in group SecureLogon
td.local --> MyBusiness --> Users --> SBSUsers --> Al C Aholic
User in group SecureLogon
There are 3 users - all in the same OUs/CN on the same domain.
When AD Sync runs - Test User and Testy Testerson are disabled -- says they are not found. The Al user is left alone and remains active without issues.
None of the accounts have ever been moved or disabled in AD. So I am not entirely sure why it keeps disabling those 2 accounts when sync runs
from multiotp.
It may be the space in the username. Do you have other users with a space in the username that are not deactivated?
from multiotp.
Ohhh wait wait wait... I see what you are asking before with real usernames/groups.
Usernames are not spaced - The actual usernames in OTP are listed like
Test User = testu
Testy Testerson = Testy
Al C Aholic = alcaholic
So their usernames contain no spaces at all.
They are all in group SecureLogon
Everything still works great in v5.1.1.2 -- this only happens in 5.2.0.2
from multiotp.
Ok, the algorithm for importing users from AD has been reviewed in version 5.2.0.2 and it looks like there is a problem.
Can you tell me if the deactivated users are included in other groups?
Thanks for your help
Yann
from multiotp.
Yea every user is in several different groups on the domain.
from multiotp.
For one user, can you please send me all the groups he belongs to in order for me to reproduce the problem. You can send me a hand drawing to [email protected]
from multiotp.
User account/logon name: alcaholic
groups this user is in
Administrator Templates (security group)
Administrator (built in)
Domain Admins (users)
Domain Users (users)
SecureLogon (security group)
Test Distribution (distribution group)
from multiotp.
What is the exact content of the "ldap_in_group" you are using ?
Regards,
from multiotp.
Not sure what you are asking
ldap_in_group=SecureLogon
I have already told you guys the contents of SecureLogon a few posts above...
td.local --> MyBusiness --> Users --> SBSUsers --> Test User
User in group SecureLogon
td.local --> MyBusiness --> Users --> SBSUsers --> Testy Testerson
User in group SecureLogon
td.local --> MyBusiness --> Users --> SBSUsers --> Al C Aholic
User in group SecureLogon
from multiotp.
Hello,
Yes, sure, but 22 days ago, in the extract of the log you provided, the group SecureLogonTest is mentioned for the user which is removed:
LOG 2018-07-26 12:47:22 debug Debug Debug: *AD/LDAP will disabled: account not found anymore in the AD/LDAP with the specified filters (synchronized last time the 2018-07-23 10:41:28) with server 10.1.0.6, in group SecureLogonTest, DN was CN=Test User,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=td,DC=local)
Could you confirm that the group SecureLogonTest was used before?
Regards,
from multiotp.
I see now...
The group is SecureLogonTest
I just keep typing it as "SecureLogon"
from multiotp.
Hello Jonathan,
We are sorry, but we cannot reproduce your problem, and it's difficult for us to understand what's happening as we don't always receive the exact information (we were for example evaluating how a partial aggregation of the names of the last two groups "SecureLogon" and "Test Distribution" into "SecureLogonTest" was previously done, and you just told us now that the group name is SecureLogonTest).
How many entries do you have in your Active Directories?
We have checked the last version of our open source library with an Active Directory with more than 200'000 entries, nested groups, 10'000 users in the synchronized groups, and we didn't find any problem.
Would it be possible to arrange a remote access on your infrastructure next week in order to check this stuff (check of the content of the Active Directory and test of the Active Directory filters by using directly the Softerra LDAP Browser, check of the exact configuration of multiotp.ini, etc.)?
Regards,
from multiotp.
I won't be able to provide remote access. Sorry.
Everyone is in group "SecureLogonTest"; this is the group that the AD sync looks for users in. I just remembered the name incorrectly when I responded here.
If you guys have been testing this and not able to reproduce it, then it could just be something wrong in the test ad. I am going to clean everything off and start over with a clean install of the 5.2 and see what happens. When I get time to do it.
from multiotp.
The original test install I linked to AD using "Administrator" which is a full admin and domain admin.
Sync worked just fine. Later on this test install I changed this account to "OTPADLink" which is a regular user account. AD Sync wasn't failing but I didn't realize it was disabling accounts until we ran into these issues.
Today I completely removed multiOTP and reinstalled it clean. Made a totally new group called "Secure"
Added one of the trouble users who kept deactivating to "Secure" group and AD Sync wouldn't import/create the user. I could see where it saw the user in group but it ignored it.
Then I added the sync user "OTPADLink" to the "Domain Admins" group and sync began to work again.
I think this whole issue came about because of me previously changing sync users. I don't know why it could still sync one account but not others when it was changed though. That part makes no sense.
I just know when I gave domain admin to OTPADLink everything came back. I am now adding users back to the secure group and syncing them in to the clean install.
from multiotp.
Ok, thanks for the feedback!
from multiotp.
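The thread ends with the sync bind account's privileges as the likely cause: with the restricted "OTPADLink" account some group members were reported as "not found anymore in the AD/LDAP with the specified filters" and disabled, while with a Domain Admins account every member was found. The script below is an added example, not multiOTP's own code, and the directory, the DNs (modelled on the one quoted in the debug log) and the per-account read permissions are all constructed. It simulates the deactivation rule the log describes beside a hardened variant that cross-checks the group's member list against the filtered search results and refuses to deactivate anyone while listed members are unreadable, since that pattern points at a visibility problem rather than at users leaving the group.

```python
# Added example (not multiOTP's own code): in-memory simulation of an AD/LDAP group
# sync that deactivates local accounts no longer returned by the filtered search,
# beside a hardened variant that detects bind-account visibility problems first.
# Every DN, account name and permission set below is constructed for the example.

BASE_DN = "DC=td,DC=local"
GROUP_DN = "CN=SecureLogonTest,OU=Users,OU=MyBusiness," + BASE_DN


def user_dn(cn):
    """Build a user DN in the OU path quoted in the thread's debug log."""
    return "CN=%s,OU=SBSUsers,OU=Users,OU=MyBusiness,%s" % (cn, BASE_DN)


# Constructed directory: three enabled users, all members of the sync group.
DIRECTORY = {
    user_dn("Test User"):       {"sAMAccountName": "testu",     "memberOf": [GROUP_DN]},
    user_dn("Testy Testerson"): {"sAMAccountName": "Testy",     "memberOf": [GROUP_DN]},
    user_dn("Al C Aholic"):     {"sAMAccountName": "alcaholic", "memberOf": [GROUP_DN]},
}
# What the group object's own "member" attribute lists (constructed to match).
GROUP_MEMBER_DNS = list(DIRECTORY)

# Hypothetical read permissions per bind account: a full-read admin and a
# restricted account that can only read one of the three user objects.
VISIBLE_TO = {
    "Administrator": set(DIRECTORY),
    "OTPADLink":     {user_dn("Al C Aholic")},
}


def ldap_search(bind_account, group_dn):
    """Simulate a subtree search with filter (memberOf=<group_dn>) as seen by
    bind_account. Entries the account may not read are silently absent from
    the result, which is how a directory server behaves."""
    visible = VISIBLE_TO[bind_account]
    return {dn: attrs for dn, attrs in DIRECTORY.items()
            if dn in visible and group_dn in attrs["memberOf"]}


def naive_sync(local_users, results):
    """Rule the thread's debug log describes: a local user whose account is not
    in the filtered results is disabled. Returns {user: True if it stays active}."""
    found = {attrs["sAMAccountName"] for attrs in results.values()}
    return {user: (user in found) for user in local_users}


def safe_sync(local_users, results, group_member_dns):
    """Hardened rule: only deactivate when every DN the group lists was actually
    returned by the search. A listed member missing from the results means the
    bind account cannot read it, not that the user left the group; in that case
    keep everyone active and report the unreadable DNs for an operator to check."""
    unreadable = [dn for dn in group_member_dns if dn not in results]
    if unreadable:
        return {user: True for user in local_users}, unreadable
    return naive_sync(local_users, results), []


def run(bind_account):
    """Run both sync rules for one bind account against the constructed directory."""
    local_users = ["testu", "Testy", "alcaholic"]  # accounts already provisioned locally
    results = ldap_search(bind_account, GROUP_DN)
    return naive_sync(local_users, results), safe_sync(local_users, results, GROUP_MEMBER_DNS)


if __name__ == "__main__":
    for account in VISIBLE_TO:
        naive, (safe, unreadable) = run(account)
        print("%-13s naive: %s" % (account, naive))
        print("%-13s safe:  %s  unreadable: %d" % (account, safe, len(unreadable)))
```

Run against the restricted account, the naive rule disables "testu" and "Testy" exactly as the thread's log did, while the hardened rule leaves all three active and lists the two DNs it could not read; against the full-read account both rules agree. The design point is that "not returned by the search" is not the same fact as "no longer a member", and a sync that deactivates accounts should have evidence of the second before acting on the first.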