AD users of child domains are not synchronized

Good day.

The service is deployed from the MS hypervisor image multiOTP-open-source-hyperv-5.9.0.3 and updated to version 5.9.9.1.

Synchronization is configured with the AD main domain zao-agrokomplex.ru. Everything works fine. Clients are synchronized. Users log in to RDP and locally with 2FA. Everything works fine.

But the problem is that there are subdomains RTL.zao-agrokomplex.ru and BRCH.zao-agrokomplex.ru. And users are not synchronized from these child domains.

I tried adding them to one common universal security group of the parent domain. No new users appear during synchronization. I also tried specifying security groups of the child domains. The synchronization problem remains: there are still no new users.

I specified child DN addresses in "ldap_users_dn". Also to no avail. The logs only show this:

info LDAP Info: No update for the 19 LDAP synced users, based on 22 LDAP entries (processed in 00:00:32)

Please tell me how to correctly configure multiOTP in a Multi-Domain environment?

Here are the multiotp.ini settings:

./multiotp.php -config multiple-groups=1 encryption_hash=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX log=1 actual_version=5.9.9.1 admin_password_hash:=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX anonymous_stat=1 anonymous_stat_last_update=1739180575 anonymous_stat_random_id=bf1a00eccdad7abc033240359cda6ba160263447 attributes_to_encrypt= auto_resync=1 backend_encoding=UTF-8 backend_type=files backend_type_validated=0 cache_data=0 cache_ldap_hash=1 case_sensitive_users=0 challenge_response_enabled=0 clear_otp_attribute= console_authentication=0 create_host=multiotp create_time=1739180574 debug=0 default_algorithm=totp default_dialin_ip_mask= default_user_group= default_request_ldap_pwd=0 default_request_prefix_pin=0 demo_mode=0 developer_mode=0 display_log=0 domain_name= email_admin_address= email_code_allowed=0 email_code_timeout=600 email_digits=6 encode_file_id=0 encryption_key_full_path= failure_delayed_time=300 group_attribute=Filter-Id hash_salt_full_path= issuer=multiOTP language=en last_failed_white_delay=60 last_sync_update=0 last_sync_update_host= last_update=1739257821 last_update_host=multiotp ldap_expired_password_valid=1 ldap_account_suffix=@zao-agrokomplex.ru ldap_activated=1 ldap_base_dn=DC=zao-agrokomplex,DC=ru ldap_bind_dn=2FA-srv-motp ldap_cache_folder= ldap_cache_on=1 ldap_cn_identifier=sAMAccountName ldap_default_algorithm=totp ldap_domain_controllers=srv-dc01.zao-agrokomplex.ru,ldaps://10.10.10.10:636 ldap_group_attribute=memberOf ldap_group_cn_identifier=sAMAccountName ldap_users_dn=DC=zao-agrokomplex,DC=ru;DC=RTL,DC=zao-agrokomplex,DC=ru;DC=BRCH,DC=zao-agrokomplex,DC=ru ldap_hash_cache_time=604800 ldap_in_group=gr-agr-2FA-mOTP,RETAIL-2FA-mOTP ldap_language_attribute=preferredLanguage ldap_network_timeout=60 ldap_port=636 ldap_recursive_cache_only=0 ldap_recursive_groups=3 ldap_server_password:=xxxxxxxxxxxxxxxxxxxxxxxxxxxx ldap_server_type=1 ldap_ssl=1 ldap_synced_user_attribute= ldap_time_limit=600 ldaptls_reqcert= ldaptls_cipher_suite= 
max_block_failures=6 max_delayed_failures=3 max_event_resync_window=10000 max_event_window=100 max_time_resync_window=90000 max_time_window=600 multiple_groups=0 ntp_server=10.0.200.80 overwrite_request_ldap_pwd=1 radius_error_reply_message=1 radius_reply_attributor= += radius_reply_separator_hex=2c radius_tag_prefix= scratch_passwords_digits=6 scratch_passwords_amount=10 self_registration=1 server_cache_level=1 server_cache_lifetime=15552000 server_secret:=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX server_timeout=10 server_type= server_url= sms_api_id:= sms_basic_auth=0 sms_code_allowed=1 sms_content_encoding= sms_content_success= sms_digits=6 sms_encoding= sms_header= sms_international_format=0 sms_ip= sms_message_prefix= sms_method= sms_no_double_zero=0 sms_originator=multiOTP sms_password:= sms_port= sms_provider= sms_send_template= sms_status_success= sms_timeout=180 sms_url= sms_userkey:= smtp_auth=0 smtp_password:= smtp_port=25 smtp_sender= smtp_sender_name= smtp_server= smtp_ssl=0 smtp_username= sql_server= sql_username= sql_password:= sql_database= sql_schema= sql_config_table=multiotp_config sql_cache_table=multiotp_cache sql_ddns_table=multiotp_ddns sql_devices_table=multiotp_devices sql_groups_table=multiotp_groups sql_log_table=multiotp_log sql_stat_table=multiotp_stat sql_tokens_table=multiotp_tokens sql_users_table=multiotp_users sync_delete_retention_days=30 syslog_facility=7 syslog_level=5 syslog_port=514 syslog_server= tel_default_country_code= timezone=Europe/Zurich token_serial_number_length=12 token_otp_list_of_length=6 verbose_log_prefix= sms_challenge_enabled=0 text_sms_challenge= text_token_challenge= default_2fa_digits=6 default_pin_digits=4 ignore_no_prefix_cp=0 ldap_filter= ldap_without2fa_in_group= log_forced_in_file=0

Comments

  • There may be a problem with AD size. Ldapsearch gives an error:

    ldapsearch -h 10.10.10.10 -D 'DC=zao-agrokomplex,DC=ru;DC=RTL,DC=zao-agrokomplex,DC=ru;DC=BRCH,DC=zao-agrokomplex,DC=ru' -b 'DC=zao-agrokomplex,DC=ru'
    # search result
    search: 2
    result: 4 Size limit exceeded

    # numResponses: 20009
    # numEntries: 20000
    # numReferences: 8
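An added diagnostic, not part of this thread or of multiOTP, that reads the config dump from the question and the ldapsearch summary from the comment above and reports what the two show together: two of the three ldap_users_dn entries are separate AD domain partitions (a DC of the parent domain answers those subtrees with referrals rather than entries, which is what the numReferences counter reflects), and the size limit truncates even the parent search. The config and output excerpts are constructed from the values on the page, with the password replaced by a placeholder.

```python
import re
from typing import Dict, List

# Constructed excerpt of the multiotp.ini dump from the question: LDAP keys only,
# secret replaced by a placeholder. multiOTP writes ':=' for encrypted values.
CONFIG_DUMP = (
    "ldap_activated=1 ldap_base_dn=DC=zao-agrokomplex,DC=ru ldap_bind_dn=2FA-srv-motp "
    "ldap_domain_controllers=srv-dc01.zao-agrokomplex.ru,ldaps://10.10.10.10:636 ldap_port=636 "
    "ldap_users_dn=DC=zao-agrokomplex,DC=ru;DC=RTL,DC=zao-agrokomplex,DC=ru;"
    "DC=BRCH,DC=zao-agrokomplex,DC=ru ldap_in_group=gr-agr-2FA-mOTP,RETAIL-2FA-mOTP "
    "ldap_server_password:=PLACEHOLDER ldap_time_limit=600"
)
# Constructed copy of the ldapsearch result block quoted in the comments.
LDAPSEARCH_TAIL = ("# search result\nsearch: 2\nresult: 4 Size limit exceeded\n\n"
                   "# numResponses: 20009\n# numEntries: 20000\n# numReferences: 8\n")

def parse_config(dump: str) -> Dict[str, str]:
    """Turn the one-line 'key=value key=value' dump into a dict (values contain no spaces)."""
    return dict(re.findall(r"(\w+):?=(\S*)", dump))

def naming_context(dn: str) -> str:
    """Only the DC= RDNs of a DN, lower-cased: the AD domain partition the DN belongs to."""
    return ",".join(r.strip().lower() for r in dn.split(",") if r.strip().upper().startswith("DC="))

def foreign_user_dns(cfg: Dict[str, str]) -> List[str]:
    """ldap_users_dn entries living in a different domain partition than ldap_base_dn."""
    base = naming_context(cfg["ldap_base_dn"])
    return [dn for dn in cfg.get("ldap_users_dn", "").split(";") if dn and naming_context(dn) != base]

def parse_ldapsearch_tail(text: str) -> Dict[str, int]:
    """Extract the LDAP result code and the '# numX: N' counters ldapsearch prints at the end."""
    out = {k.lower(): int(v) for k, v in re.findall(r"^# num(\w+): (\d+)$", text, re.M)}
    m = re.search(r"^result: (\d+)", text, re.M)
    out["result"] = int(m.group(1)) if m else -1
    return out

def diagnose(cfg: Dict[str, str], tail: str) -> List[str]:
    """Findings for a sync that runs one subtree search against a parent-domain DC."""
    findings = []
    for dn in foreign_user_dns(cfg):
        findings.append(f"{dn} is a separate domain partition: a DC of {cfg['ldap_base_dn']} "
                        "answers that subtree with a referral, not with its user entries")
    stats = parse_ldapsearch_tail(tail)
    if stats["result"] == 4:  # LDAP sizeLimitExceeded
        findings.append(f"server stopped at {stats['entries']} entries: an unpaged search sees only "
                        "part of the directory (ldapsearch: -E pr=1000/noprompt pages through it)")
    if stats.get("references", 0):
        findings.append(f"{stats['references']} continuation references: subtrees (child domains "
                        "among them) that were not searched on this connection")
    return findings
```

Calling diagnose(parse_config(CONFIG_DUMP), LDAPSEARCH_TAIL) returns four findings for the posted setup: one per child-domain DN, one for the size limit, one for the referrals.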
  • Hello, your LDAP Bind DN must have access to all subdomains. The groups containing the users must exist in the same DN in each subdomain. Best regards
  • That's right.

    I set up a test environment.

    Parent domain DN DC=BoLTik,DC=local

    Subdomain DN DC=GROVER,DC=BoLTik,DC=local

    parent access group Boltik-2FA-mOTP

    subdomain access group Grover-2FA-mOTP

    settings:

    ./multiotp.php -config default-request-prefix-pin=0
    ./multiotp.php -config default-request-ldap-pwd=0
    ./multiotp.php -config ldap-server-type=1
    ./multiotp.php -config ldap-cn-identifier=userPrincipalName
    ./multiotp.php -config ldap-group-cn-identifier="sAMAccountName"
    ./multiotp.php -config ldap-group-attribute="memberOf"
    ./multiotp.php -config ldap-ssl=0
    ./multiotp.php -config ldap-port=389
    ./multiotp.php -config ldap-domain-controllers=BLT-SRV-DC01.BoLTik.local,ldap://10.2.10.80:389
    ./multiotp.php -config ldap-base-dn="DC=BoLTik,DC=local"
    ./multiotp.php -config ldap-bind-dn="CN=2FA-srv-motp,OU=service-accounts,OU=Boltik-users,DC=BoLTik,DC=local"
    ./multiotp.php -config ldap-server-password="Pass@word1"
    ./multiotp.php -config ldap-in-group="Boltik-2FA-mOTP,Grover-2FA-mOTP"
    ./multiotp.php -config ldap-network-timeout=10
    ./multiotp.php -config ldap-time-limit=30
    ./multiotp.php -config ldap-activated=1

    Users are synchronized only from the parent domain, from the Boltik-2FA-mOTP group.

  • Hello, using regular RADIUS synchronisation, child domains cannot be synchronized automatically. We will have to develop additional code for that, and it's on the wish list. Regards,