V5.2.0.2 38 ERROR: User is desactivated #38

Closed
Jonathan-Garber opened this issue Jul 25, 2018 · 20 comments

Comments

@Jonathan-Garber

Jonathan-Garber commented Jul 25, 2018

What conditions trigger a "desactivation"? In our test environment OTP has been working pretty well, but then I tested an upgrade to v5.2.0.2.

The server is on 5.2 -- Synchronizing users from AD
all workstations are on 5.2

Every user account except for one user is being "desactivated"
I reactivate them and a day or so later they are "desactivated" again.

This is a mix of workstations that are removed from network for hours to days at a time and workstations that are generally on network 24/7.

We had a laptop offline for 8 hours. Put it back online, tried to logon and received the "desactivated" error. We have a workstation always on network that we let sleep and hibernate for several hours. Same results when a separate user tries to logon.

Users will try to logon and receive "User is desactivated"

I see in documentation where it says

 (users removed or desactivated in the AD/LDAP are desactivated in multiOTP)

However these users are not deactivated ("desactivated") in AD and haven't been. So why is OTP desactivating them?

@Jonathan-Garber
Author

I can confirm they only deactivate when an AD Sync is performed.

The AD sync is only deactivating some users and not all. These users are all in the same ou, same groups, and are all active in AD. Yet certain ones become deactivated on OTP when AD sync runs.

I cannot find anything between users that is different to explain why the deactivated ones deactivate and the others don't.

@multiOTP
Owner

Hello Jonathan,
Please download the 5.2.0.3-beta-1 package here : https://download.multiotp.net/beta/
If debug mode is activated, it gives a lot of details about synchronized users, and the reason why the user is disabled.
Thanks to keep us in touch after checking the log.
Regards,

@Jonathan-Garber
Author

Jonathan-Garber commented Jul 26, 2018

I had -display-log on but not -debug...

With -Debug I see

LOG 2018-07-26 12:47:22 debug Debug Debug: *AD/LDAP will disabled: account not found anymore in the AD/LDAP with the specified filters (synchronized last time the 2018-07-23 10:41:28) with server 10.1.0.6, in group SecureLogonTest, DN was CN=Test User,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=td,DC=local)

This hasn't been changed in AD... Users are still there in those OU's same server same ip address.
So I am not entirely sure why it has issues now when it worked before. I am going to keep testing and debugging this to see what I can find.

@Jonathan-Garber
Author

I cannot find any reason for these users to deactivate. Why would it not find the same users in the same location they have always been but still be able to find other users in that same location.

None of them have been moved or changed yet a handful cannot be found.

@multiOTP
Owner

Hello,
Can you please send us the real username of some users that have been deactivated, and also the real group name?

Thanks

@Jonathan-Garber
Author

td.local --> MyBusiness --> Users --> SBSUsers --> Test User
User in group SecureLogon

td.local --> MyBusiness --> Users --> SBSUsers --> Testy Testerson
User in group SecureLogon

td.local --> MyBusiness --> Users --> SBSUsers --> Al C Aholic
User in group SecureLogon

There are 3 users - all in the same OUs/CN on the same domain.
When AD Sync runs - Test User and Testy Testerson are disabled -- says they are not found. The Al user is left alone and remains active without issues.

None of the accounts have ever been moved or disabled in AD. So I am not entirely sure why it keeps disabling those 2 accounts when sync runs

@multiOTP
Owner

It may be the space in the username. Do you have other users with a space in the username that are not deactivated?

@Jonathan-Garber
Author

Ohhh wait wait wait... I see what you are asking before with real usernames/groups.

Usernames are not spaced - The actual usernames in OTP are listed like
Test User = testu
Testy Testerson = Testy
Al C Aholic = alcaholic

So their usernames contain no spaces at all.
They are all in group SecureLogon

Everything still works great in v5.1.1.2 -- this only happens in 5.2.0.2

@multiOTP
Owner

Ok, the algorithm for importing users from AD has been reviewed in version 5.2.0.2 and it looks like there is a problem.
Can you tell me if the deactivated users are included in other groups?
Thanks for your help
Yann

@Jonathan-Garber
Author

Yea every user is in several different groups on the domain.

@multiOTP
Owner

For one user, can you please send me all the groups he belongs to, in order for me to reproduce the problem? You can send me a hand drawing to info@multiotp.net

@Jonathan-Garber
Author

User account/logon name: alcaholic

groups this user is in

Administrator Templates (security group)
Administrator (built in)
Domain Admins (users)
Domain Users (users)
SecureLogon (security group)
Test Distribution (distribution group)

@multiOTP
Owner

What is the exact content of the "ldap_in_group" you are using ?
Regards,

@Jonathan-Garber
Author

Not sure what you are asking

ldap_in_group=SecureLogon

I have already told you guys the contents of SecureLogon a few posts above...

td.local --> MyBusiness --> Users --> SBSUsers --> Test User
User in group SecureLogon

td.local --> MyBusiness --> Users --> SBSUsers --> Testy Testerson
User in group SecureLogon

td.local --> MyBusiness --> Users --> SBSUsers --> Al C Aholic
User in group SecureLogon

@multiOTP
Owner

Hello,
Yes, sure, but 22 days ago, in the extract of the log you provided, the group SecureLogonTest is mentioned for the user which is removed:
LOG 2018-07-26 12:47:22 debug Debug Debug: *AD/LDAP will disabled: account not found anymore in the AD/LDAP with the specified filters (synchronized last time the 2018-07-23 10:41:28) with server 10.1.0.6, in group SecureLogonTest, DN was CN=Test User,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=td,DC=local)
Could you confirm that the group SecureLogonTest was used before ?
Regards,

@Jonathan-Garber
Author

I see now...
The group is SecureLogonTest

I just keep typing it as "SecureLogon"

@multiOTP
Owner

Hello Jonathan,
We are sorry, but we cannot reproduce your problem, and it's difficult for us to understand what's happening as we don't always receive the exact information (we were, for example, evaluating how a partial aggregation of the names of the last two groups "SecureLogon" and "Test Distribution" into "SecureLogonTest" was previously done, and you just told us now that the group name is SecureLogonTest).
How many entries do you have in your Active Directory?
We have checked the last version of our open source library with an Active Directory with more than 200'000 entries, nested groups, 10'000 users in the synchronized groups, and we didn't find any problem.
Is it possible to arrange remote access to your infrastructure next week in order to check this (check of the content of the Active Directory and test of the Active Directory filters by using the Softerra LDAP Browser directly, check of the exact configuration of multiotp.ini, etc.)?
Regards,

@Jonathan-Garber
Author

I won't be able to provide remote access. Sorry.

Everyone is in group "SecureLogonTest" this is the group that the ad sync looks for users in. I just remembered the name incorrectly when I responded here.

If you guys have been testing this and not able to reproduce it, then it could just be something wrong in the test ad. I am going to clean everything off and start over with a clean install of the 5.2 and see what happens. When I get time to do it.

@Jonathan-Garber
Author

The original test install I linked to AD using "Administrator" which is a full admin and domain admin.

Sync worked just fine. Later on this test install I changed this account to "OTPADLink" which is a regular user account. AD Sync wasn't failing but I didn't realize it was disabling accounts until we ran into these issues.

Today I completely removed multiOTP and reinstalled it clean. Made a totally new group called "Secure"
Added one of the trouble users who kept deactivating to "Secure" group and AD Sync wouldn't import/create the user. I could see where it saw the user in group but it ignored it.

Then I added the sync user "OTPADLink" to the "Domain Admins" group and sync began to work again.
I think this whole issue came about because of me previously changing sync users. I don't know why it could still sync one account but not others when it was changed though. That part makes no sense.

I just know when I gave domain admin to OTPADLink everything came back. I am now adding users back to the secure group and syncing them in to the clean install.
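The comment above traces the disabling to the sync (bind) account: with a regular user account the sync saw one member of the group and disabled the others, and once that account was in Domain Admins the sync saw all of them. The following is an added example, not multiOTP's own code, of a reconciliation step that fails safe in exactly that situation: a failed query disables nobody, and a query in which most of the previously synced accounts vanish at once is treated as an incomplete result rather than as a mass removal. The sample directory, the `readable_by` ACL model used to reproduce the symptom, the 50% threshold, and the names `DIRECTORY`, `query_group`, `reconcile`, `run_sync`, `LdapResult` and `Decision` are constructed assumptions; the thread does not establish why the low-privilege account saw only part of the group.

```python
# Added example (not multiOTP's code): a hypothetical reconciliation step for
# an AD/LDAP user sync that refuses to disable local accounts when the
# directory query looks incomplete.  Directory, ACL model and names are
# constructed for illustration.
from dataclasses import dataclass


@dataclass
class LdapResult:
    ok: bool            # bind and search succeeded
    members: set        # account names returned for the group query
    error: str = ""


@dataclass
class Decision:
    disable: set        # local accounts the sync would disable
    keep: set           # local accounts left active
    skipped: bool       # True when the sync declined to disable anything
    reason: str


# Constructed sample directory.  "readable_by" models an ACL that lets only
# some bind accounts read an entry; this is an assumption used to reproduce
# the symptom (a low-privilege sync account sees only part of the group).
DIRECTORY = {
    "testu":     {"memberOf": {"SecureLogonTest", "Domain Users"},
                  "readable_by": {"Administrator"}},
    "testy":     {"memberOf": {"SecureLogonTest", "Domain Users"},
                  "readable_by": {"Administrator"}},
    "alcaholic": {"memberOf": {"SecureLogonTest", "Domain Admins", "Domain Users"},
                  "readable_by": {"Administrator", "OTPADLink"}},
}


def query_group(bind_account, group):
    """Simulated (memberOf=<group>) search: only entries the bind account may
    read are returned, and the result carries no hint that anything was hidden."""
    members = {name for name, entry in DIRECTORY.items()
               if group in entry["memberOf"] and bind_account in entry["readable_by"]}
    return LdapResult(ok=True, members=members)


def reconcile(local_users, ldap, max_disable_fraction=0.5):
    """Decide which previously synced local accounts to disable.

    Fails safe: a failed query disables nobody, and a query in which more than
    max_disable_fraction of the synced accounts vanish at once is treated as
    an incomplete result (wrong filter, wrong group name, bind account lacking
    read access) rather than as a mass removal in the directory.
    """
    local_users = set(local_users)
    if not ldap.ok:
        return Decision(set(), local_users, True, f"query failed: {ldap.error}")
    # AD sAMAccountName is case-insensitive, so compare in lower case
    found = {m.lower() for m in ldap.members}
    missing = {u for u in local_users if u.lower() not in found}
    if local_users and len(missing) / len(local_users) > max_disable_fraction:
        return Decision(set(), local_users, True,
                        f"{len(missing)} of {len(local_users)} synced accounts not found; "
                        "result looks incomplete, nothing disabled")
    return Decision(missing, local_users - missing, False, "ok")


def run_sync(bind_account, group, local_users):
    """One sync pass: query the group as bind_account, then reconcile."""
    return reconcile(local_users, query_group(bind_account, group))


if __name__ == "__main__":
    synced = {"testu", "testy", "alcaholic"}
    for account in ("OTPADLink", "Administrator"):
        d = run_sync(account, "SecureLogonTest", synced)
        print(f"{account:14} disable={sorted(d.disable)} skipped={d.skipped} ({d.reason})")
```

Running it with the low-privilege account reproduces the thread's symptom (two of three synced accounts "not found") but trips the threshold and disables nothing, while the admin bind sees all three. A single genuinely removed account still gets disabled because it stays under the threshold. The threshold value is a design choice; what matters is that the sync logs the skipped decision loudly, since the "account not found anymore in the AD/LDAP with the specified filters" debug line quoted earlier is the only place this failure mode shows up.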

@multiOTP
Owner

Ok, thanks for the feedback !


2 participants