multiOTP / multiOTPCredentialProvider

multiOTP Credential Provider is a V2 Credential Provider for Windows 7/8/8.1/10/2012(R2)/2016 with options like RDP only and UPN name support
Apache License 2.0

Active Directory Group filtering not working #99

Closed RetiredTurtle closed 8 months ago

RetiredTurtle commented 8 months ago

I've set

multiotp.exe -config ldap-in-group="GrpMFAUsers"

There are 2 users in this group and they can receive tokens correctly. But when I try to log in with non-2FA users, they are asked for an OTP too.

The multiOTPWithout2FA parameter is set to 1, and it still checks the user's OTP. On the server side I can see only GrpMFAUsers users for OTP login.

When I enable debug, the server returns

2023-12-29 11:15:31 debug       Server-Client   Info: *ReadUserData server request for user2    0   SERVER
2023-12-29 11:15:31 warning     System  Error: database file C:\multiotp\users\user2.db for user user2 does not exist   0   SERVER

But the credential provider shouldn't ask this user for an OTP, because this user is not in the OTP group. On the server side web interface I can't see this user normally.

Also I've tried the WithoutMFA group, synced, restarted the servers, but same result.

multiOTP commented 8 months ago

Hello, the group you set for the LDAP sync is just used to tell multiOTP which groups to load in the user database.

When using the credential provider, all users must exist in the multiOTP server. It means that user2 must exist in your multiOTP server even if it has no 2FA.

Simply create a user called user2 and choose the algorithm without2FA and you should be able to login without OTP.

Best regards

RetiredTurtle commented 8 months ago

Hello again. User2 is already an active directory user, and the multiotp credential provider is installed on the RDP session server. Both are separate servers. The multiotp main service is installed on the domain controller. User1, user2, user3 and user4 are active directory users. There is no issue with user1 and user4 when logging in with OTP. User2 and user3 are in the non2fa group. User1 and user4 are in the with2fa group. All users are present in active directory. I'm running the LDAP sync command every 5 minutes with a task.

multiOTP commented 8 months ago

Hello, as multiOTP Credential Provider is designed with security in mind, there is no possible IMPLICIT 2FA bypass for users. You MUST have all the users in the multiOTP server. If you don't want to authenticate some users with 2FA, these users MUST BE in the authentication server, and you can set the algorithm to without2fa for them. Please note that you can also define to synchronize AD/LDAP users that you DON'T WANT TO ASK 2FA, using the ldap-without2fa-in-group option. Regards,

RetiredTurtle commented 8 months ago

Hello again. I'm attaching my current user-group list and multiotp server ini file values.

RetiredTurtle commented 8 months ago

@multiOTP Thanks for your support. I think I found the problem. I made a clean install of server / RDP and active directory and rebuilt the test environment. Results were the same.

I realized the server's multiotp.ini and the credential manager's multiotp.ini files are different. I've copied the server's multiotp.ini file to the credential manager's config folder, and then ran ldap sync. Voilà, it works.

The problem is, the credential manager doesn't sync all settings from the server and it fails while querying. When the settings are copied to the credential manager's config location it works without any issue. But I should create a task for RDP to copy the ini file and then sync the ldap data.

Can you confirm this?

multiOTP commented 8 months ago

Hello, multiOTP open source is a 2FA server, and multiOTP Credential Provider is a client for this 2FA server. You don't have to synchronize anything between the client and the server. They share a lot of code, but the users must only be created/synced/configured on the server part. You may be confused because multiOTP Credential Provider can also be used without a multiOTP server. In this special case, the multiOTP instance integrated inside multiOTP Credential Provider is handling the users directly.

To sum up:

I hope that it is clear like this.

Regards,

RetiredTurtle commented 8 months ago

I mean the MultiOTP credential manager doesn't get any settings from the server and fails when non-OTP users log in.

multiOTP commented 8 months ago

When you are installing multiOTP Credential Provider, it asks you for the URL of the multiOTP server. This URL is stored on the multiOTP Credential Provider side only. AD/LDAP sync must be done on the server side only. When you try to authenticate with any user on the client side, it will make a request to the server side (using the URL given at the installation), and if the user is correctly authenticated (or is without2fa), the user information will be stored in cache on the client side. In any case, the multiotp.ini files of the client and the server ARE NOT the same. Regards,
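The following Python model is an added illustration of the server-side policy the maintainer describes in this thread (users missing from the server database are denied, users synced from the ldap-in-group need an OTP, users synced from the ldap-without2fa-in-group log in with password only). It is not code from the multiOTP project; the directory contents, the group name GrpNoMFAUsers, the algorithm labels "totp" and "without2fa" and all function names are constructed for this example.

```python
# Added illustration of the policy described in this issue thread; it is not
# code from the multiOTP project.  Group names, the algorithm labels "totp" and
# "without2fa", and the directory contents below are all constructed.
from dataclasses import dataclass


@dataclass
class UserRecord:
    """One entry in the (modelled) server-side user database."""
    name: str
    algorithm: str  # "totp" (OTP required) or "without2fa" (password only)


def ldap_sync(directory, ldap_in_group, ldap_without2fa_in_group=None):
    """Model of the two sync options named in the thread.

    Members of ldap_in_group are loaded as 2FA users; members of
    ldap_without2fa_in_group (if configured) are loaded with the without2fa
    algorithm; everyone else is simply not loaded into the server database.
    """
    db = {}
    for user, groups in directory.items():
        if ldap_in_group in groups:
            db[user] = UserRecord(user, "totp")
        elif ldap_without2fa_in_group and ldap_without2fa_in_group in groups:
            db[user] = UserRecord(user, "without2fa")
    return db


def authenticate(db, user, password_ok, otp_ok):
    """Server-side decision, fail-closed.

    A user missing from the database is denied outright: there is no implicit
    2FA bypass for unknown accounts, which is why user2 in the thread was still
    prompted for an OTP and then rejected with a "does not exist" error.
    """
    record = db.get(user)
    if record is None:
        return ("deny", f"database file for user {user} does not exist")
    if not password_ok:
        return ("deny", "wrong password")
    if record.algorithm == "without2fa":
        return ("allow", "without2fa")
    if otp_ok:
        return ("allow", "otp verified")
    return ("deny", "otp required")


# Constructed directory mirroring the thread: user1/user4 need 2FA,
# user2/user3 are meant to log in with password only.
DIRECTORY = {
    "user1": {"GrpMFAUsers"},
    "user2": {"GrpNoMFAUsers"},
    "user3": {"GrpNoMFAUsers"},
    "user4": {"GrpMFAUsers"},
}


def scenario_only_in_group():
    """Only ldap-in-group set (the reporter's original configuration)."""
    db = ldap_sync(DIRECTORY, "GrpMFAUsers")
    return {u: authenticate(db, u, password_ok=True, otp_ok=False)
            for u in DIRECTORY}


def scenario_both_groups():
    """ldap-in-group plus ldap-without2fa-in-group (the maintainer's advice)."""
    db = ldap_sync(DIRECTORY, "GrpMFAUsers", "GrpNoMFAUsers")
    return {u: authenticate(db, u, password_ok=True, otp_ok=False)
            for u in DIRECTORY}


if __name__ == "__main__":
    for name, run in (("in-group only", scenario_only_in_group),
                      ("both groups", scenario_both_groups)):
        print(f"== {name} ==")
        for user, (verdict, reason) in run().items():
            print(f"{user}: {verdict} ({reason})")
```

Running the two scenarios shows the difference the thread turns on: with only ldap-in-group configured, user2 and user3 are absent from the server database and are denied with the same "does not exist" condition the reporter saw in the debug log; once the without2fa group is synced as well, they are allowed with a password only, while user1 and user4 still need a valid OTP.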