
TOTP Token timestep is 0 when a without2fa ldap synced user is moved to the TOTP active ldap group

Open joricmrv opened this issue 1 year ago • 7 comments

Hi,

Thank you for the good work! Using multiOTP 5.9.7.1, we have this issue:

Some users are created from ldap sync "without2fa" and we want to step by step activate the TOTP for those users, changing them from the "NOOTP" group to the "OTP" group.

When we move a user to the OTP group, the algorithm for this user is well defined (TOTP), and we can also generate a QR code. But the authentication does not work.

In fact, it appears those specific users have the "Token timestep" value set to 0:

I think this is the root cause of this issue.

We tried to find a way to dynamically change this "token timestep" value, but no luck. The only way to have the user working with TOTP is to delete it, then resync it with the right ldap group.

This workaround is kinda complicated to deal with, as we have a lot of users to sync.

We also tried to take a user already on TOTP and switch him to the without2fa group, then switch back to TOTP, and this time there were no issues.

Do you know how we can edit the "token timestep" for a user without deleting it? We should be able to make a script that checks for the potential 0 values and corrects them as a workaround.

Can you help us with this?

joricmrv avatar Jan 10 '24 15:01 joricmrv

Hello, could you send us ([email protected]) the username.db file that is stored in /etc/multiotp/users. Best regards

multiOTP avatar Jan 11 '24 11:01 multiOTP

Hi,

I sent you the db file.

Have a nice day, Best regards,

joricmrv avatar Jan 13 '24 18:01 joricmrv

Thanks, have you tried to change the "time_interval" to 30 and generate the QRCode again? The time_interval is part of the QRCode data.

multiOTP avatar Jan 15 '24 07:01 multiOTP

I tried to change the time interval with the -set user command but can't find the right command for the token timestep.

As a workaround I will iterate through each user to see if this token is well set to 30.

Can you give me this command?

Best regards,

joricmrv avatar Jan 15 '24 07:01 joricmrv

You can use this command: multiotp -set USERNAME time_interval=30

Then generate a new QRcode, scan it with your application and try to authenticate. Does it work?

multiOTP avatar Jan 15 '24 07:01 multiOTP

Hi,

Thank you for the command. That's working with a 30 sec interval.

I will apply this fix in my ldap sync script.

Thank you again!

Have a nice day, Best regards,

joricmrv avatar Jan 15 '24 13:01 joricmrv
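A workaround script of the kind discussed in this thread, added here as an example (it is not part of the thread or of the multiOTP project): it scans the per-user database files for TOTP users whose timestep is 0 or missing and repairs them with the `-set USERNAME time_interval=30` command given above. It assumes that each /etc/multiotp/users/USERNAME.db is a plain key=value file with `algorithm=` and `time_interval=` lines (an assumption about the file format) and that the `multiotp` binary is on the PATH.

```shell
#!/bin/sh
# Added example, not multiOTP project code. Assumes USERNAME.db files are
# plain key=value text with "algorithm=" and "time_interval=" lines.
USERS_DIR="${USERS_DIR:-/etc/multiotp/users}"   # location named in the thread
MULTIOTP="${MULTIOTP:-multiotp}"                # assumed binary name/path

# Print the value of KEY ($2) from key=value file $1 (first match, or empty).
db_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# List usernames whose db file says algorithm=TOTP but whose time_interval
# is 0 or absent: exactly the users that cannot authenticate in this issue.
# Users without 2FA are skipped, since they have no timestep to repair.
find_zero_timestep_users() {
    for f in "$1"/*.db; do
        [ -f "$f" ] || continue
        algo=$(db_value "$f" algorithm | tr '[:upper:]' '[:lower:]')
        [ "$algo" = "totp" ] || continue
        case "$(db_value "$f" time_interval)" in
            ''|0) basename "$f" .db ;;
        esac
    done
}

# Apply the fix from the thread. After this the user must get a new QR code
# (the time_interval is part of the QR code data) and re-enrol their app.
fix_user_timestep() {
    "$MULTIOTP" -set "$1" time_interval=30
}

main() {
    find_zero_timestep_users "$USERS_DIR" | while read -r user; do
        echo "repairing timestep for $user"
        fix_user_timestep "$user"
    done
}

# Only act when explicitly asked, so the file can also be sourced for review.
case "${1:-}" in --run) main ;; esac
```

Run it as `sh fix_timestep.sh --run` (a constructed file name) after each LDAP sync; it prints the users it repairs, and each of them still needs a freshly generated QR code.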

Thanks for the feedback, we will correct this behaviour as soon as possible.

multiOTP avatar Jan 15 '24 14:01 multiOTP