V5.2.0.2 38 ERROR: User is desactivated #38
Comments
I can confirm they only deactivate when an AD Sync is performed. The AD sync is only deactivating some users and not all. These users are all in the same OU, same groups, and are all active in AD. Yet certain ones become deactivated on OTP when AD sync runs. I cannot find anything between users that is different to explain why the deactivated ones deactivate and the others don't.
Hello Jonathan,
I had -display-log on but not -debug... With -Debug I see
This hasn't been changed in AD... Users are still there in those OUs, same server, same IP address.
I cannot find any reason for these users to deactivate. Why would it not find the same users in the same location they have always been but still be able to find other users in that same location? None of them have been moved or changed, yet a handful cannot be found.
Hello, Thanks
td.local --> MyBusiness --> Users --> SBSUsers --> Test User
td.local --> MyBusiness --> Users --> SBSUsers --> Testy Testerson
td.local --> MyBusiness --> Users --> SBSUsers --> Al C Aholic
There are 3 users - all in the same OUs/CN on the same domain. None of the accounts have ever been moved or disabled in AD. So I am not entirely sure why it keeps disabling those 2 accounts when sync runs.
It may be the space in the username. Do you have other users with a space in the username that are not deactivated?
Ohhh wait wait wait... I see what you were asking before with real usernames/groups. Usernames are not spaced - the actual usernames in OTP are listed like So their usernames contain no spaces at all. Everything still works great in v5.1.1.2 -- this only happens in 5.2.0.2
Ok, the algorithm for importing users from AD has been reviewed in version 5.2.0.2 and it looks like there is a problem.
Yea every user is in several different groups on the domain.
For one user, can you please send me all the groups he belongs to in order for me to reproduce the problem? You can send me a hand drawing to info@multiotp.net
user account/logon name: alcaholic
groups this user is in
What is the exact content of the "ldap_in_group" you are using?
Not sure what you are asking.
ldap_in_group=SecureLogon
I have already told you guys the contents of SecureLogon a few posts above...
td.local --> MyBusiness --> Users --> SBSUsers --> Test User
td.local --> MyBusiness --> Users --> SBSUsers --> Testy Testerson
td.local --> MyBusiness --> Users --> SBSUsers --> Al C Aholic
Hello,
I see now... I just keep typing it as "SecureLogon"
Hello Jonathan,
I won't be able to provide remote access. Sorry. Everyone is in group "SecureLogonTest". This is the group that the AD sync looks for users in. I just remembered the name incorrectly when I responded here. If you guys have been testing this and not able to reproduce it, then it could just be something wrong in the test AD. I am going to clean everything off and start over with a clean install of the 5.2 and see what happens, when I get time to do it.
The original test install I linked to AD using "Administrator", which is a full admin and domain admin. Sync worked just fine. Later on this test install I changed this account to "OTPADLink", which is a regular user account. AD Sync wasn't failing, but I didn't realize it was disabling accounts until we ran into these issues. Today I completely removed multiOTP and reinstalled it clean. Made a totally new group called "Secure". Then I added the sync user "OTPADLink" to the "Domain Admins" group and sync began to work again. I just know when I gave domain admin to OTPADLink everything came back. I am now adding users back to the secure group and syncing them in to the clean install.
Ok, thanks for the feedback !
What conditions trigger a "desactivation"? In our test environment OTP has been working pretty good but then I tested an upgrade to v5.2.0.2.
The server is on 5.2 -- Synchronizing users from AD
all workstations are on 5.2
Every user account except for one user is being "desactivated"
I reactivate them and a day or so later they are "desactivated" again.
This is a mix of workstations that are removed from network for hours to days at a time and workstations that are generally on network 24/7.
We had a laptop offline for 8 hours. Put it back online, tried to logon and received the "desactivated" error. We have a workstation always on network that we let sleep and hibernate for several hours. Same results when a separate user tries to logon.
Users will try to logon and receive "User is desactivated"
I see in documentation where it says
However, these users are not deactivated ("desactivated") in AD and haven't been. So why is OTP desactivating them?