
LDAP sync not working with low privilege account?

Open Cool34000 opened this issue 11 months ago • 4 comments

Hi,

Using multiOTP v5.9.7.1 I've done a basic LDAP setup but I can't find a way to synchronize my users. I've created a dedicated user to read in AD and a dedicated group located in an OU. This dedicated group contains 2 users: the Administrator and a test account (located in another OU).

Setup is like this:

multiotp.exe -config default-request-prefix-pin=0
multiotp.exe -config default-request-ldap-pwd=0
multiotp.exe -config ldap-server-type=1
multiotp.exe -config ldap-cn-identifier="sAMAccountName"
multiotp.exe -config ldap-group-cn-identifier="sAMAccountName"
multiotp.exe -config ldap-group-attribute="memberOf"
multiotp.exe -config ldap-ssl=0
multiotp.exe -config ldap-port=389
multiotp.exe -config ldap-domain-controllers=ldap://ServerIP:389
multiotp.exe -config ldap-base-dn="DC=domain,DC=local"
multiotp.exe -config ldap-bind-dn="CN=multiotp,CN=Users,DC=domain,DC=local"
multiotp.exe -config ldap-server-password="Password"
multiotp.exe -config ldap-in-group="MFA Users"
multiotp.exe -config ldap-network-timeout=10
multiotp.exe -config ldap-time-limit=30
multiotp.exe -config ldap-activated=1
multiotp.exe -config server-secret="SharedSecret"
multiotp.exe -debug -display-log -ldap-users-sync

When I sync the users, it only finds the Administrator account. If I remove the group (multiotp.exe -config ldap-in-group=) all AD users are found.

Any hint?

Cool34000 avatar Mar 07 '24 13:03 Cool34000

I've rebuilt my test lab from scratch and I searched a lot but I'm still stuck...

Users with MFA enabled: (screenshot)

Users with MFA disabled: (screenshot)

My config file:

ldap_expired_password_valid=1
ldap_account_suffix=
ldap_activated=1
ldap_base_dn=DC=laboratoire,DC=local
ldap_bind_dn=CN=ldap,CN=Users,DC=laboratoire,DC=local
ldap_cache_folder=
ldap_cache_on=1
ldap_cn_identifier=sAMAccountName
ldap_default_algorithm=totp
ldap_domain_controllers=srv-ad.laboratoire.local,ldap://192.168.30.1:389
ldap_filter=
ldap_group_attribute=memberOf
ldap_group_cn_identifier=sAMAccountName
ldap_users_dn=DC=laboratoire,DC=local
ldap_hash_cache_time=604800
ldap_in_group=Utilisateurs avec MFA
ldap_language_attribute=preferredLanguage
ldap_network_timeout=10
ldap_port=389
ldap_recursive_cache_only=0
ldap_recursive_groups=1
ldap_server_password:XXXXX-HIDDEN-XXXXX
ldap_server_type=1
ldap_ssl=0
ldap_synced_user_attribute=
ldap_time_limit=30
ldap_without2fa_in_group=Utilisateurs sans MFA
ldaptls_reqcert=
ldaptls_cipher_suite=

Sync only sees the admin account while it should find 4 more users (2 without 2FA): (screenshots)

Cool34000 avatar Mar 09 '24 11:03 Cool34000

Little update: I've tested the Linux appliance (then updated it to the latest version) and it is working as expected: (screenshot)

So the problem seems to be on Windows only (tested not working on 2019 and 2022 Server).

Cool34000 avatar Mar 09 '24 15:03 Cool34000

I finally found the problem: it's not related to Windows! Doing my tests on the Linux appliance, I used the Administrator account.

It seems that the user that reads in the AD cannot be a simple user (member of "Domain Users"). If I add the user that does the binding to the "Administrators" group, it works. It also works if the user is "only" a member of the "Account Operators" group.

So my question is: why does multiOTP need to have a privileged account? My AD server is a bit hardened, but I never had a problem (i.e. I use the same account to read the members of the "VPN SSL" group in my Fortigate and it works).

Can somebody confirm these rights are needed and, if so, what is the minimum privilege needed? Thanks!

Cool34000 avatar Mar 09 '24 16:03 Cool34000

Hello, in our test environment we have a standard AD server and we can sync the users using a regular user included in the group "Domain users".

Best regards

multiOTP avatar Mar 14 '24 14:03 multiOTP
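To narrow down the difference between the reporter's hardened AD and the maintainer's test lab, the check below reproduces the two searches compared in this thread (group-filtered, as with `ldap-in-group` set, and unfiltered, as with `ldap-in-group=`) with any bind account you give it, so a service account's read rights can be compared with an administrator's outside multiOTP. This is an added diagnostic written for this thread, not multiOTP code: the server, base DN, bind DN and group name are the values from the issue, while the group's OU and the use of the .NET `System.DirectoryServices.Protocols` API on the Windows server are assumptions.

```powershell
# Added diagnostic, not part of multiOTP: run the group-filtered and the
# unfiltered user search with a chosen bind account and compare the results.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapGroupVisibility {
    param(
        [Parameter(Mandatory)][string]$BindDn,    # e.g. CN=ldap,CN=Users,DC=laboratoire,DC=local
        [Parameter(Mandatory)][string]$Password,
        [string]$Server  = 'srv-ad.laboratoire.local',   # from the issue
        [string]$BaseDn  = 'DC=laboratoire,DC=local',    # from the issue
        # Group from the issue; its OU is assumed, adjust to your own directory.
        [string]$GroupDn = 'CN=Utilisateurs avec MFA,OU=Groupes,DC=laboratoire,DC=local'
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier -ArgumentList $Server, 389
    $cred = New-Object System.Net.NetworkCredential -ArgumentList $BindDn, $Password
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection -ArgumentList `
                $id, $cred, ([System.DirectoryServices.Protocols.AuthType]::Basic)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Bind()   # simple bind over plain LDAP/389, as in the issue's configuration

    function Search([string]$Filter) {
        $req = [System.DirectoryServices.Protocols.SearchRequest]::new(
            $BaseDn, $Filter, [System.DirectoryServices.Protocols.SearchScope]::Subtree,
            [string[]]@('sAMAccountName', 'memberOf'))
        $conn.SendRequest($req).Entries
    }

    # 1. What the sync asks for with ldap-in-group set: users whose memberOf holds the group DN.
    #    The DC evaluates this filter with the caller's read rights on memberOf, so an
    #    account that cannot read that attribute on a user never gets that user back.
    $inGroup = @(Search "(&(objectCategory=person)(memberOf=$GroupDn))")
    # 2. What the sync asks for with ldap-in-group cleared: every user under the base DN.
    $all     = @(Search "(&(objectCategory=person)(objectClass=user))")

    Write-Host ("{0} user(s) match the group filter, {1} user(s) visible in total" -f $inGroup.Count, $all.Count)
    foreach ($e in $all) {
        $sam    = $e.Attributes['sAMAccountName'].GetValues([string])[0]
        $groups = if ($e.Attributes.Contains('memberOf')) { $e.Attributes['memberOf'].GetValues([string]) } else { @() }
        $state  = if ($groups -contains $GroupDn) { 'in group' }
                  elseif ($groups.Count -eq 0)    { 'no memberOf readable' }
                  else                            { 'not in group' }
        Write-Host ("  {0,-20} {1,3} group(s) visible  {2,-22} {3}" -f $sam, $groups.Count, $state, $e.DistinguishedName)
    }
    $conn.Dispose()
    [pscustomobject]@{ InGroup = $inGroup.Count; AllUsers = $all.Count }
}

# Run once with the service account and once with an administrator, then compare.
# Test-LdapGroupVisibility -BindDn 'CN=ldap,CN=Users,DC=laboratoire,DC=local' -Password (Read-Host -AsSecureString | ConvertFrom-SecureString -AsPlainText)
```

A user that appears in the unfiltered list with "no memberOf readable" although it is a member of the group is the signature of the symptom in this thread: the bind account can enumerate the object but not read its group membership, which points at the ACL on that user's OU rather than at multiOTP.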