Resilient MultiOTP devices?

I have a single MultiOTP VM that is synchronising users from AD LDAP via a CRON job. Its all working OK, however I am looking to have a 2nd MultiOTP VM with the same configuration in 2nd location. Is it possible to just backup and restore the configuration to a 2nd VM replicating all the users?


  • edited October 2019
    As the host is an ESXi VM I cloned it to another ESXi host and then changed the clone's IPv4 address. This works for the existing users that were already on the original MultiOTP VM. I have removed the CRON job on the cloned VM that synchronises users from AD. I think I now just need a CRON job to copy the /etc/multiotp/users folder from the 1st host to the 2nd, timed slightly after the 1st host synchronises the AD users. Does this sound right?
  • Hello, that's not too bad if you are in a HA master/slave structure, and you want that the second VM has to be the backup of the first one. This was one of the idea of why to keep a file based backend. If you want a "cluster", you will have to synchronize files in both directions, but this will be a little bit more tricky than the master/slave solution you have implemented. Regards,
  • edited October 2019
    The user base is fairly static so I think a master/slave setup is adequate. I have added the AD synchronisation CRON job on the 'master' to happen daily. I guess I could just amend the script to copy the files immediately after. Just need to brush up on my Unix skills to get the correct CLI for the copying of the files...
  • Sounds good, good scripting :-)
  • edited November 2019
    OK. So I looked into this and it has really just exposed my lack of Linux knowledge and best practises TBH... The MultiOTP virtual appliance image doesn't create any other users than root. SCP copying without interactive login requires you to setup SSH public/private keys, however its the root account and wherever I read stuff logging in over the network using the root account is just not the done thing. So I guess I should create at least one user and use this account, however at this point my lack of Linux skills makes me stop and scratch my head as to what is the best way of doing this? The MultiOTP servers are obviously exposed to the network which I can secure at a network level using ACLs or even firewalls, however it then means administration (if I continue using root) has to be done from specific source IPv4 prefixes which I am not keen on. I therefore then go back to thinking about using a different user? What's the best way of doing this? Currently I just have the two servers with the root account and I am manually copying the user files (/etc/multiotp/users/) from the 'master' to the 'slave' using SCP and then setting the permissions. Thoughts? Oh, and I just updated both of them to the :smile:
This discussion has been closed.