Cannot get user/group downloading working from AD - how can I enable more logging?

Sorry for the lack of formatting. I can't work out how to post anything other than a block of text. I'm playing around with MultiOTP on a Windows server attempting to set up a 2FA system. Everything went smoothly up to the point of actually downloading the group/users, when the system always indicates no updates:

```
C:\MultiOTP\Windows>multiotp -debug -display-log -ldap-users-sync
LOG 2024-06-06 09:31:54 debug LDAP Debug: *AD/LDAP synchronization started at 09:31:54 / Memory used: 14.5MB / Peak: 27.1MB
LOG 2024-06-06 09:31:54 info LDAP Info: AD/LDAP synchronization started
LOG 2024-06-06 09:31:54 debug System Debug: *LDAP cache folder value: C:\Users\ADMIN-~1\AppData\Local\Temp\.ldap_cache/
LOG 2024-06-06 09:31:54 info LDAP Info: No update for the 0 LDAP synced users, based on 1 LDAP entries (processed in 00:00:00)
19 *INFO: Requested operation successfully done
```

As far as I can tell my LDAP connection is correctly configured. I have a single group with a single test user in the group. I've tried adding a new user to the group to see if that provoked any change, but it always indicates 0 LDAP synced users.

If I connect to LDAP using an LDAP client tool, it works and allows me to see the contents of the group, and I can browse around the AD objects without any problems. So the account I'm using works fine; it's a specially created account.

Is there a way to enable verbose logging which will log the TCP open, each message, etc.? I've been over the documentation but can't find anything which will enable detailed debug logging. If I execute `multiotp -ldap-check -debug` it reports nothing at all, no errors, no warnings.

Comments

  • yes, of course. I stepped through the instructions several times to make sure. The verification commands should indicate if I've made a basic mistake like username or password incorrect, or if the base dn is incorrect, no? If I have a configuration error, what does the multiotp -ldap-check command display? Is there any way to switch on verbose debugging? I've searched and can't find anything.
  • I found the issue, well, sort of. If I repeat the same steps using the Linux image from your site, I get LDAP errors, so it looks like the Windows multiotp.exe isn't passing back the errors it encounters.
  • Though it still synchronizes 0 users, so there's something more wrong. It needs more debug info to be displayed.
  • If you set a group filter (step 13), please make sure the group is located under the Base DN set on step 10.
  • By steps I assume you mean the list on the wiki page on GitHub? https://github.com/multiOTP/multiotp/wiki Yes, the group is in the base DN specified in step 10. Nothing else, just the name of the group. Both the user accounts and the group are in the same DN in Active Directory, so no need to recurse. It couldn't be any simpler.
  • Hello, is it possible to remotely connect to your system on Wednesday afternoon at 14:00 Swiss time? Best regards
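
Two things in this thread can be checked without multiOTP: whether the bind, the search and any LDAP error are actually visible (the verbose output the question asks for), and whether the group from the step-13 filter really sits under the step-10 Base DN, as the last hint requires. The PowerShell script below is an added example written for this page; it is not multiOTP code and was not posted by anyone in the thread. It uses the .NET `System.DirectoryServices.Protocols` client that ships with Windows, does a simple bind (the same bind type a PHP `ldap_bind` with a username and password performs), searches the Base DN subtree for the group, and lists the members with a note on whether each one is under the Base DN. The server name, port, bind DN, Base DN and group name are placeholders to replace with your own values.

```powershell
using namespace System.DirectoryServices.Protocols

# Added example (not multiOTP code): reproduce the sync's LDAP steps one by one
# and print every failure, instead of the silent "0 LDAP synced users".
Add-Type -AssemblyName System.DirectoryServices.Protocols

# --- assumed values; replace with your own ---
$Server  = 'dc01.example.local'                              # assumption: a domain controller
$Port    = 636                                               # assumption: LDAPS
$UseSsl  = $true                                             # set $false and $Port = 389 for plain LDAP
$BindDN  = 'CN=svc-multiotp,OU=Service,DC=example,DC=local'  # assumption: the dedicated sync account
$BaseDN  = 'OU=2FA,DC=example,DC=local'                      # assumption: the multiOTP Base DN (wiki step 10)
$GroupCN = '2FA-Users'                                       # assumption: the multiOTP group filter (wiki step 13)

$password = Read-Host -AsSecureString -Prompt 'Bind password'
$cred     = [System.Net.NetworkCredential]::new($BindDN, $password)

$ident = [LdapDirectoryIdentifier]::new($Server, $Port)
$conn  = [LdapConnection]::new($ident, $cred, [AuthType]::Basic)   # Basic = LDAP simple bind
$conn.SessionOptions.ProtocolVersion   = 3
$conn.SessionOptions.SecureSocketLayer = $UseSsl

# Step 1: TCP connect + bind. Wrong password, a DC that requires signing on a
# plain-text simple bind, or an untrusted LDAPS certificate all surface here.
try {
    $conn.Bind()
    Write-Host "[ok] bound to ${Server}:${Port} as $BindDN"
} catch {
    Write-Host "[fail] bind: $($_.Exception.Message)"
    exit 1
}

# Step 2: subtree search for the group, starting at the Base DN. If the group
# lives outside the Base DN this returns no entries, which is the step-10/13 hint.
$filter = "(&(objectClass=group)(cn=$GroupCN))"
$req = [SearchRequest]::new($BaseDN, $filter, [SearchScope]::Subtree, [string[]]@('distinguishedName', 'member'))
try {
    $resp = [SearchResponse]$conn.SendRequest($req)
} catch {
    Write-Host "[fail] search under ${BaseDN}: $($_.Exception.Message)"   # e.g. NoSuchObject for a mistyped Base DN
    exit 1
}
if ($resp.Entries.Count -eq 0) {
    Write-Host "[fail] no group with cn=$GroupCN found under $BaseDN"
    exit 1
}
$group = $resp.Entries[0]
Write-Host "[ok] group DN: $($group.DistinguishedName)"

# Step 3: members. A user can only be synced if it is also under the Base DN,
# so flag each member DN that is not a child of $BaseDN.
$member = $group.Attributes['member']
if ($null -eq $member) {
    Write-Host "[fail] group has no 'member' values (empty group, or the bind account cannot read the attribute)"
    exit 1
}
foreach ($dn in $member.GetValues([string])) {
    # Plain suffix comparison; DNs with different spacing or escaping would need RFC 4514 normalisation.
    $underBase = $dn.EndsWith($BaseDN, [System.StringComparison]::OrdinalIgnoreCase)
    Write-Host ("[member] {0}  underBaseDN={1}" -f $dn, $underBase)
}
```

Run it on the multiOTP host as the same Windows user that runs the sync, so that certificate trust and name resolution match. If the bind fails with a "strong(er) authentication is required" style error on port 389, the domain controller is enforcing LDAP signing and a simple bind must go over LDAPS instead; if the group is found but every member reports `underBaseDN=False`, the Base DN is too narrow for the users rather than for the group. For groups with more than 1500 members AD returns the attribute as `member;range=0-1499` and the loop above would only show the first page.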