multiOTP / multiotp

multiOTP open source strong two factor authentication PHP library, OATH certified, with TOTP, HOTP, Mobile-OTP, YubiKey, SMS, QRcode provisioning, etc.
http://www.multiOTP.net/
GNU Lesser General Public License v3.0

Feature Request: Without2fa group for active directory sync? #157

Closed thraxarious closed 1 year ago

thraxarious commented 1 year ago

Been looking this over, and I realize the without2fa feature is somewhat new, but it would really help to have a way to add AD users to a "without2fa" group and have the multiOTP system sync them in.

This is mostly to add basic users for regular use and have some admins required to use 2FA. That would be immensely helpful.

multiOTP commented 1 year ago

Hello,

Since version 5.9.5.1 (2022-11-11), "It's now possible to define a special AD/LDAP group to attribute "Without2FA" token to specific users"

In the readme.md: (...) multiotp -config option1=value1 option2=value2 ... optionN=valueN (...) ldap-without2fa-in-group: Special LDAP/AD group(s) for without2fa users (...)

Example: multiotp -config ldap-without2fa-in-group=the_without_2fa_group

Thanks in advance for your feedback.

Best regards,

thraxarious commented 1 year ago

I must have missed that in the documentation. Thanks!

thraxarious commented 1 year ago

Might be having some trouble. I only see one incident of the parameter and it's stuck in a wall of text. So far I am not getting that to work.

Reply-Message := "ERROR: Authentication failed (and other possible unknown errors)"

This is before the sync is started. Once I start the sync, no users are synced in that group. Is this feature bugged? Or is the usage different?

It sounds like it tries to grab the group before it connects to the LDAP source.

thraxarious commented 1 year ago

/usr/local/bin/multiotp/multiotp.php -config ldap-in-group="MFA"
/usr/local/bin/multiotp/multiotp.php -config ldap-without2fa-in-group="NoMFA"

multiOTP commented 1 year ago

Hello "thraxarious",

Did you set up all the other options correctly to sync your LDAP?

Try to launch a sync in debug mode, with displaying information, to have more verbose information.

multiotp -debug -display-log -ldap-users-sync

Which users are syncing, and which are not?

Please note also that every option is written in the multiotp.ini file. If you are still in trouble, you could try to send us your multiotp.ini file.

Regards,

Andre

thraxarious commented 1 year ago

Thank you for the reply.

The settings are correct. I am able to set the in group, and those users come through.

This is from the MultiOTP Debian 11 VM appliance, using the command line. Adding 2FA users via the Active Directory LDAP source works fine, but without2fa does not. This is being run via the PHP in /usr/local/bin/multiotp/multiotp.php

LOG 2023-03-04 02:29:14 debug LDAP Debug: *AD/LDAP synchronization started at 02:29:14 / Memory used: 1.6MB / Peak: 1.6MB

LOG 2023-03-04 02:29:14 info LDAP Info: AD/LDAP synchronization started

LOG 2023-03-04 02:29:14 debug System Debug: *LDAP cache folder value: /tmp/.ldap_cache/

LOG 2023-03-04 02:29:14 info LDAP Info: No update for the 2 LDAP synced users, based on 2 LDAP entries (processed in 00:00:00) 19 *INFO: Requested operation successfully done

The last line is your sync script exactly. That part works. But trying to set the without2fa variable generates the error.

Reply-Message := "ERROR: Authentication failed (and other possible unknown errors)"

There are 2 users in my test MFA group, and 1 user in my NoMFA group.

I have tried to add the setting in the multiotp.ini, but it is not recognizing the setting. I tried both the command line and the ini file, using underscores and hyphens.

ldap-without2fa-in-group=NoMFA
ldap_without2fa_in_group=NoMFA

thraxarious commented 1 year ago

Never mind, I see the problem. The VM appliance is version 5.9.0.1; current is 5.9.5.5. It doesn't seem to update with apt-get. Will have to manually update everything.

Bah! I should have seen this earlier.
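A pre-flight check that ties together the two points of this thread: the maintainer states that ldap-without2fa-in-group exists since 5.9.5.1, and the appliance here turned out to be on 5.9.0.1, where the option was silently not recognized. This is an added example, not multiOTP's own code; the multiotp.php path and the -config / -ldap-users-sync options come from the thread, while the -version flag in the usage comment is an assumption about the CLI.

```shell
#!/bin/sh
# Added example (not multiOTP project code): refuse to enable the
# ldap-without2fa-in-group option on a multiOTP build older than 5.9.5.1,
# because an older build (the thread's appliance was 5.9.0.1) simply does
# not know the option and the sync behaves as if it were never set.

MIN_WITHOUT2FA_VERSION="5.9.5.1"

# version_ge A B: return 0 if dotted version A >= B, comparing each numeric
# component in turn; missing trailing components count as 0 (5.9 == 5.9.0).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "$a" = "$ai" ] && a="" || a="${a#*.}"
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
    done
    return 0
}

# without2fa_supported VERSION: return 0 if this multiOTP version is new
# enough for the ldap-without2fa-in-group option.
without2fa_supported() {
    version_ge "$1" "$MIN_WITHOUT2FA_VERSION"
}

# Usage on the appliance from the thread. Assumption: `multiotp.php -version`
# prints just the version string; adapt if your build reports it differently.
# MULTIOTP=/usr/local/bin/multiotp/multiotp.php
# ver=$("$MULTIOTP" -version)
# if without2fa_supported "$ver"; then
#     "$MULTIOTP" -config ldap-without2fa-in-group="NoMFA"
#     "$MULTIOTP" -debug -display-log -ldap-users-sync
# else
#     echo "multiOTP $ver is older than $MIN_WITHOUT2FA_VERSION; update first" >&2
# fi
```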