AD users of child domains are not synchronized

Good day.

The service is deployed on the MS hypervisor image multiOTP-open-source-hyperv-5.9.0.3. Updated to version 5.9.9.1.

Synchronization is configured with the AD main domain zao-agrokomplex.ru. Everything works fine. Clients are synchronized. Users log in to RDP and locally with 2FA. Everything works fine.

But the problem is that there are subdomains RTL.zao-agrokomplex.ru and BRCH.zao-agrokomplex.ru. And users are not synchronized from these child domains.

I tried adding them to one common universal security group of the parent domain. There are no new users during synchronization. I also tried specifying security groups of child domains. The synchronization problem remains: there are still no new users.

I specified child DN addresses in "ldap_users_dn". Also to no avail. The logs only show this:

info LDAP Info: No update for the 19 LDAP synced users, based on 22 LDAP entries (processed in 00:00:32)

Please tell me how to correctly configure multiOTP in a Multi-Domain environment?

Here is the multiotp.ini setting:

./multiotp.php -config multiple-groups=1 encryption_hash= XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX log=1 actual_version=5.9.9.1 admin_password_hash:=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX anonymous_stat=1 anonymous_stat_last_update=1739180575 anonymous_stat_random_id=bf1a00eccdad7abc033240359cda6ba160263447 attributes_to_encrypt= auto_resync=1 backend_encoding=UTF-8 backend_type=files backend_type_validated=0 cache_data=0 cache_ldap_hash=1 case_sensitive_users=0 challenge_response_enabled=0 clear_otp_attribute= console_authentication=0 create_host=multiotp create_time=1739180574 debug=0 default_algorithm=totp default_dialin_ip_mask= default_user_group= default_request_ldap_pwd=0 default_request_prefix_pin=0 demo_mode=0 developer_mode=0 display_log=0 domain_name= email_admin_address= email_code_allowed=0 email_code_timeout=600 email_digits=6 encode_file_id=0 encryption_key_full_path= failure_delayed_time=300 group_attribute=Filter-Id hash_salt_full_path= issuer=multiOTP language=en last_failed_white_delay=60 last_sync_update=0 last_sync_update_host= last_update=1739257821 last_update_host=multiotp ldap_expired_password_valid=1 ldap_account_suffix=@zao-agrokomplex.ru ldap_activated=1 ldap_base_dn=DC=zao-agrokomplex,DC=ru ldap_bind_dn=2FA-srv-motp ldap_cache_folder= ldap_cache_on=1 ldap_cn_identifier=sAMAccountName ldap_default_algorithm=totp ldap_domain_controllers=srv-dc01.zao-agrokomplex.ru,ldaps://10.10.10.10:636 ldap_group_attribute=memberOf ldap_group_cn_identifier=sAMAccountName ldap_users_dn=DC=zao-agrokomplex,DC=ru;DC=RTL,DC=zao-agrokomplex,DC=ru;DC=BRCH,DC=zao-agrokomplex,DC=ru ldap_hash_cache_time=604800 ldap_in_group=gr-agr-2FA-mOTP,RETAIL-2FA-mOTP ldap_language_attribute=preferredLanguage ldap_network_timeout=60 ldap_port=636 ldap_recursive_cache_only=0 ldap_recursive_groups=3 ldap_server_password:=xxxxxxxxxxxxxxxxxxxxxxxxxxxx ldap_server_type=1 ldap_ssl=1 ldap_synced_user_attribute= ldap_time_limit=600 ldaptls_reqcert= ldaptls_cipher_suite=
max_block_failures=6 max_delayed_failures=3 max_event_resync_window=10000 max_event_window=100 max_time_resync_window=90000 max_time_window=600 multiple_groups=0 ntp_server=10.0.200.80 overwrite_request_ldap_pwd=1 radius_error_reply_message=1 radius_reply_attributor= += radius_reply_separator_hex=2c radius_tag_prefix= scratch_passwords_digits=6 scratch_passwords_amount=10 self_registration=1 server_cache_level=1 server_cache_lifetime=15552000 server_secret:=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX server_timeout=10 server_type= server_url= sms_api_id:= sms_basic_auth=0 sms_code_allowed=1 sms_content_encoding= sms_content_success= sms_digits=6 sms_encoding= sms_header= sms_international_format=0 sms_ip= sms_message_prefix= sms_method= sms_no_double_zero=0 sms_originator=multiOTP sms_password:= sms_port= sms_provider= sms_send_template= sms_status_success= sms_timeout=180 sms_url= sms_userkey:= smtp_auth=0 smtp_password:= smtp_port=25 smtp_sender= smtp_sender_name= smtp_server= smtp_ssl=0 smtp_username= sql_server= sql_username= sql_password:= sql_database= sql_schema= sql_config_table=multiotp_config sql_cache_table=multiotp_cache sql_ddns_table=multiotp_ddns sql_devices_table=multiotp_devices sql_groups_table=multiotp_groups sql_log_table=multiotp_log sql_stat_table=multiotp_stat sql_tokens_table=multiotp_tokens sql_users_table=multiotp_users sync_delete_retention_days=30 syslog_facility=7 syslog_level=5 syslog_port=514 syslog_server= tel_default_country_code= timezone=Europe/Zurich token_serial_number_length=12 token_otp_list_of_length=6 verbose_log_prefix= sms_challenge_enabled=0 text_sms_challenge= text_token_challenge= default_2fa_digits=6 default_pin_digits=4 ignore_no_prefix_cp=0 ldap_filter= ldap_without2fa_in_group= log_forced_in_file=0

Comments

  • There may be a problem with AD size. Ldapsearch gives an error:

    ldapsearch -h 10.10.10.10 -D 'DC=zao-agrokomplex,DC=ru;DC=RTL,DC=zao-agrokomplex,DC=ru;DC=BRCH,DC=zao-agrokomplex,DC=ru' -b 'DC=zao-agrokomplex,DC=ru'

    # search result
    search: 2
    result: 4 Size limit exceeded

    # numResponses: 20009
    # numEntries: 20000
    # numReferences: 8
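As an added diagnostic, not part of multiOTP or of the posts above, the Python below takes the ';'-separated ldap_users_dn from the posted configuration, builds one paged LDAPS ldapsearch per base DN (paging avoids the "Size limit exceeded" result quoted in the comment when a base holds 20,000 entries), and parses the result block so each base DN can be checked for user entries separately. The bind DN is a placeholder; the sample output is reconstructed from the comment.

```python
"""Per-base-DN LDAP reachability check for a multiOTP multi-domain setup.
Hypothetical helper; it only generates and parses ldapsearch invocations."""
import re
import shlex

# Values from the multiotp.ini in the question; the bind DN is a placeholder.
CONFIG = {
    "ldap_domain_controllers": "srv-dc01.zao-agrokomplex.ru,ldaps://10.10.10.10:636",
    "ldap_users_dn": "DC=zao-agrokomplex,DC=ru;DC=RTL,DC=zao-agrokomplex,DC=ru;"
                     "DC=BRCH,DC=zao-agrokomplex,DC=ru",
    "ldap_bind_dn": "CN=BIND-ACCOUNT-PLACEHOLDER,CN=Users,DC=zao-agrokomplex,DC=ru",
}

# Reconstructed from the ldapsearch output quoted in the comment above.
SAMPLE_OUTPUT = """# search result
search: 2
result: 4 Size limit exceeded

# numResponses: 20009
# numEntries: 20000
# numReferences: 8
"""

def split_users_dn(value):
    """multiOTP separates several base DNs with ';'."""
    return [dn.strip() for dn in value.split(";") if dn.strip()]

def ldapsearch_commands(cfg, page_size=1000):
    """One paged search per base DN, over LDAPS only, as argv lists.
    -E pr=N/noprompt asks for the paged-results control so the server returns
    all entries in pages of N instead of failing with sizeLimitExceeded (4)."""
    hosts = cfg["ldap_domain_controllers"].split(",")
    uri = next((h for h in hosts if h.startswith("ldaps://")), "ldaps://" + hosts[0] + ":636")
    cmds = []
    for base in split_users_dn(cfg["ldap_users_dn"]):
        cmds.append(["ldapsearch", "-o", "ldif-wrap=no", "-H", uri, "-D", cfg["ldap_bind_dn"],
                     "-W", "-b", base, "-s", "sub", "-E", f"pr={page_size}/noprompt",
                     "(&(objectCategory=person)(objectClass=user))", "sAMAccountName", "memberOf"])
    return cmds

RESULT_RE = re.compile(r"^result:\s*(\d+)\s*(.*)$", re.M)
COUNT_RE = re.compile(r"^# (numResponses|numEntries|numReferences):\s*(\d+)$", re.M)

def parse_result(output):
    """Return the LDAP result code, its message and the summary counters."""
    m = RESULT_RE.search(output)
    code = int(m.group(1)) if m else None
    counts = {k: int(v) for k, v in COUNT_RE.findall(output)}
    return {"result_code": code, "message": m.group(2).strip() if m else "",
            "size_limit_exceeded": code == 4, **counts}

if __name__ == "__main__":
    for cmd in ldapsearch_commands(CONFIG):
        print(shlex.join(cmd))
```

A domain controller answers LDAP/LDAPS (389/636) only for its own domain's naming context, so a search against srv-dc01 with a child-domain base DN is expected to come back empty or as a referral; the forest-wide partial replica is served by the global catalog on 3268/3269, which is worth comparing when the per-domain counts differ from the 22 entries the log reports.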