multiOTP / multiOTPCredentialProvider

multiOTP Credential Provider is a V2 Credential Provider for Windows 7/8/8.1/10/2012(R2)/2016 with options like RDP only and UPN name support
Apache License 2.0

Serious Problem : Account loss (by design : security measure if account is no more available in the AD/LDAP during successful sync) #75

Closed tc01435 closed 1 year ago

tc01435 commented 1 year ago

Multiple tests revealed the following problem. The computer only synchronizes a specified AD account, lisa, which can log in WITHOUT 2FA. When I add a new AD account coco, the coco.db file is available, but I found that the previous lisa.db file under C:\Program Files (x86)\multiOTP\users sometimes disappeared, resulting in the original account lisa not being able to log into the computer anymore. WHY? The script is added in the following way:

```
cd C:\Program Files (x86)\multiOTP
multiotp -config ldap-users-dn="CN=coco,OU=TEST,DC=SC,DC=cn"
multiotp -ldap-users-sync
```

multiOTP commented 1 year ago

Hello,

If you want several users to be synchronized into multiOTP using AD/LDAP, the best way is to install a "multiOTP open source" server on another server, and connect your multiOTP Credential Provider to the multiOTP open source server. Create a group in AD/LDAP and synchronize this group with the multiOTP open source server. Install multiOTP Credential Provider on your computer(s) and connect it to your multiOTP open source server. This way, you have a central 2FA server for all your computers.

Regards,

tc01435 commented 1 year ago

How do I install a "multiOTP open source" server on another server?

tc01435 commented 1 year ago

Where are the installation packages and tutorials available?

multiOTP commented 1 year ago

Hello,

The repository for the multiOTP open source server is here: https://github.com/multiOTP/multiOTP

Regards,

multiOTP commented 1 year ago

Please note also that by default, if an account no longer exists during AD/LDAP sync for at least 30 days, the multiOTP open source server will delete it during the next successful sync process.

This option is explained in the readme of the multiOTP server:

```
 multiotp -sync-delete-retention-days=days of retention before deleting a no
                                      more existing AD/LDAP user
                                      (0=disable only the user, do not delete)
```

multiOTP commented 1 year ago

This is of course a security measure: if you sync AD/LDAP and the user doesn't exist in the AD/LDAP anymore, you don't want to give it access anymore. Please note also that you should schedule the AD/LDAP sync to run at least every hour or every day. The commercial edition does the scheduling automatically, but in the open source edition, you will have to schedule it yourself.
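The two points raised in this thread, the 30-day delete-on-sync retention and the need to schedule the sync yourself in the open source edition, can be handled together from one wrapper script. The following PowerShell script is an added example and is not code from the thread or from the multiOTP project. It sets the retention to 0 so that a user who vanished from AD/LDAP is only disabled (still unable to log in, but the .db file survives), runs `-ldap-users-sync`, writes an audit line for any user .db file that disappeared or appeared across the run (the exact symptom reported above), and with `-Register` schedules itself hourly. Assumptions: the install and `users` paths are the ones quoted in the thread, the executable is named `multiotp.exe`, the option spelling follows the readme excerpt quoted above (confirm it against the readme of your multiOTP version), and the log file name `ldap-sync-audit.log` is chosen here.

```powershell
<#
  Added example (not the thread's or the project's code): wrapper around the
  multiOTP open source server AD/LDAP sync that keeps vanished users disabled
  instead of deleted, audits user .db files before/after the sync, and can
  register itself as an hourly scheduled task.
#>
param(
    [switch]$Register,          # register the hourly task instead of syncing now
    [int]$RetentionDays = 0     # 0 = disable only, never delete (readme excerpt)
)

$MultiOtpDir = 'C:\Program Files (x86)\multiOTP'            # path from the thread
$UsersDir    = Join-Path $MultiOtpDir 'users'               # one <user>.db per synced user
$MultiOtpExe = Join-Path $MultiOtpDir 'multiotp.exe'        # assumed executable name
$AuditLog    = Join-Path $MultiOtpDir 'ldap-sync-audit.log' # assumed log file name

function Write-AuditLine([string]$Message) {
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $AuditLog -Value $line
}

function Get-UserDbNames {
    # Snapshot of synchronized users, derived from the .db files in users\
    @(Get-ChildItem -Path $UsersDir -Filter '*.db' -ErrorAction SilentlyContinue |
        ForEach-Object { $_.BaseName })
}

function Invoke-LdapSync([int]$Days) {
    # Option names as shown in the readme excerpt quoted in this thread.
    # Retention 0: a user missing from AD/LDAP is disabled, its .db is kept.
    & $MultiOtpExe "-sync-delete-retention-days=$Days" | Out-Null
    & $MultiOtpExe '-ldap-users-sync' | Out-Null
    return $LASTEXITCODE
}

if ($Register) {
    # The open source edition does not schedule the sync itself; the maintainer
    # recommends at least hourly or daily. Run as SYSTEM so users\ is writable.
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`""
    $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(5) `
        -RepetitionInterval (New-TimeSpan -Hours 1)
    Register-ScheduledTask -TaskName 'multiOTP AD-LDAP sync' -Action $action `
        -Trigger $trigger -User 'SYSTEM' -RunLevel Highest -Force | Out-Null
    Write-Host 'Hourly multiOTP AD/LDAP sync task registered.'
    return
}

$before = @(Get-UserDbNames)
$rc     = Invoke-LdapSync -Days $RetentionDays
$after  = @(Get-UserDbNames)

Write-AuditLine ('ldap-users-sync exit={0} users before={1} after={2}' -f `
    $rc, $before.Count, $after.Count)

# A user whose .db vanished between the two snapshots is exactly the symptom
# reported above (lisa.db disappearing); surface it here rather than at logon.
foreach ($u in ($before | Where-Object { $after -notcontains $_ })) {
    Write-AuditLine "WARNING user file removed during sync: $u.db"
}
foreach ($u in ($after | Where-Object { $before -notcontains $_ })) {
    Write-AuditLine "INFO user file created during sync: $u.db"
}
```

Run it once with `-Register` from an elevated PowerShell to create the task; every scheduled run then performs the sync and appends to the audit log. Keeping the retention at 0 preserves the security property the maintainer describes (a user removed from AD/LDAP is denied access) while removing the surprise of a user file being deleted; if you prefer eventual deletion, pass `-RetentionDays 30` and rely on the audit log to see what the sync removed.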