Using multiple MS AD domains with 1 OpenOTP server


Ruben Giaccotto

Feb 24, 2016, 6:42:17 AM
to RCDevs Security Solutions - Technical
Hi all,

This question has been asked before on this forum, but I can't find a real answer for my situation.

I have multiple MS AD domains, each in its own forest. During the setup I used Domain A as the default domain. This is working well. Users from this domain can log in using LDAP and OTP.
For the other domains I've created:
  1. Mountpoints
  2. Domains
Each domain is configured with the corresponding mountpoint. The schemas for all domains have been updated, and through the mountpoints I can configure users for OTP. Testing a user login from WebAdm works fine too, as long as I select the corresponding domain instead of the default domain.

So far so good.

The problem, however, is that when a user logs in (using his UPN) only the default domain is checked with an LDAP query. This results in the error "User invalid or not found" when the user is not part of the default domain. I assumed that the domain part of the UPN (user@domainB.local) was used to match any configured domains, but it doesn't. The technical documentation is not very clear on this setup.

Is there something I am doing wrong, or are there some product limitations here?

Thanks for your help!

Regards,

Ruben

Spyridon Gouliarmis (RCDevs)

Feb 24, 2016, 8:53:23 AM
to RCDevs Security Solutions - Technical
The domain that contains that "not found" user should have as base the right mount point (or a subtree thereof), and should have "domainB.local" (the DNS name) and "DOMAINB" (the NetBIOS name) as name or alias. Is it the case?

Ruben Giaccotto

Feb 25, 2016, 5:06:14 AM
to RCDevs Security Solutions - Technical
Yes, that is the case. I added an alias to the domain for the NetBIOS name, but that didn't change anything. I also tried to select a subtree of the mountpoint, where this specific test user is situated, but again the same error message.

[2016-02-25 10:57:03] [127.0.0.1] [OpenOTP:594A3384] New openotpSimpleLogin SOAP request
[2016-02-25 10:57:03] [127.0.0.1] [OpenOTP:594A3384] > Username: tes...@domainb.local
[2016-02-25 10:57:03] [127.0.0.1] [OpenOTP:594A3384] > Password: xxxxxx
[2016-02-25 10:57:03] [127.0.0.1] [OpenOTP:594A3384] > Client ID: 192.168.10.20
[2016-02-25 10:57:03] [127.0.0.1] [OpenOTP:594A3384] > Options: -U2F
[2016-02-25 10:57:03] [127.0.0.1] [OpenOTP:594A3384] Registered openotpSimpleLogin request
[2016-02-25 10:57:04] [127.0.0.1] [OpenOTP:594A3384] User invalid or not found
[2016-02-25 10:57:05] [127.0.0.1] [OpenOTP:594A3384] Sent failure response

Spyridon Gouliarmis (RCDevs)

Feb 25, 2016, 5:18:49 AM
to RCDevs Security Solutions - Technical
What is sending the requests to OpenOTP? Is it our credential provider?

Ruben Giaccotto

Mar 4, 2016, 3:20:55 AM
to RCDevs Security Solutions - Technical
There is a Citrix Netscaler in front of the OTP server. This Netscaler uses LDAP to the domain controller for primary authentication and has an LDAP connection to the OTP server as secondary authentication.

Spyridon Gouliarmis (RCDevs)

Mar 4, 2016, 5:43:13 AM
to RCDevs Security Solutions - Technical
OpenOTP is probably trying to find your user in its default WebADM domain, but WebADM, when looking through one of its domains, does not follow mount points. Try setting the user search base of your "domain.local" WebADM domain to something *below* the right mount point, and set ups_domain = yes in /opt/radiusd/conf/openotp.conf, so that radiusd tells WebADM to look at the right domain for each user.
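
The two replies above describe the routing rule in words: the domain label carried in the login (the UPN suffix "domainb.local" or the NetBIOS prefix "DOMAINB") has to match the name or an alias of a WebADM domain whose search base sits under the right mount point, and the RADIUS bridge has to be told to honour that label instead of always searching the default domain. The following is an added illustration written for this thread, not RCDevs code and not how OpenOTP or WebADM are implemented internally. The domain list, the base DNs, the `upn_domain` flag name and the `test.user` account are assumptions; the sample log lines are constructed after the excerpt posted above. It models the default-domain-only behaviour that produced "User invalid or not found", the name/alias matching that fixes it, and a small parser that pulls the failing usernames out of an OpenOTP log so you can see which domain label each one carried.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class WebadmDomain:
    """One WebADM domain: its LDAP search base plus the names a login may carry (assumed model)."""
    name: str                                            # DNS name, e.g. domainb.local
    base_dn: str                                         # must sit at or below that AD's mount point
    aliases: List[str] = field(default_factory=list)     # e.g. the NetBIOS name DOMAINB

    def matches(self, label: str) -> bool:
        """Case-insensitive match on the DNS name or any alias."""
        wanted = label.lower()
        return wanted == self.name.lower() or any(wanted == a.lower() for a in self.aliases)


# Hypothetical configuration mirroring the thread: Domain A is the default,
# Domain B is reached through its own mount point.
DEFAULT_DOMAIN = "domaina.local"
DOMAINS = [
    WebadmDomain("domaina.local", "dc=domaina,dc=local", ["DOMAINA"]),
    WebadmDomain("domainb.local", "ou=Users,dc=domainb,dc=local", ["DOMAINB"]),
]


def split_username(username: str) -> Tuple[str, Optional[str]]:
    """Split 'user@realm', 'DOMAIN\\user' or a bare 'user' into (user, domain_label)."""
    if "\\" in username:
        domain, user = username.split("\\", 1)
        return user, domain
    if "@" in username:
        user, domain = username.rsplit("@", 1)
        return user, domain
    return username, None


def select_domain(username: str, domains: List[WebadmDomain], default: str,
                  upn_domain: bool = True) -> Tuple[Optional[WebadmDomain], str]:
    """Pick the WebADM domain in which to search for this login.

    upn_domain=False: every lookup goes to the default domain, which is the
    behaviour reported in the thread (a Domain B user is searched only in Domain A).
    upn_domain=True: the domain label is matched against each domain's name and
    aliases; a label that matches nothing yields None, i.e. "user not found".
    """
    user, label = split_username(username)
    if label is None or not upn_domain:
        return next(d for d in domains if d.matches(default)), user
    for d in domains:
        if d.matches(label):
            return d, user
    return None, user


# Shape of the log lines quoted in the thread: [timestamp] [client] [OpenOTP:session] message
LOG_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<client>[^\]]+)\] \[OpenOTP:(?P<sid>[0-9A-Fa-f]+)\] (?P<msg>.*)$"
)


def not_found_sessions(lines: List[str]) -> Dict[str, str]:
    """Map session ID -> username for every session that logged 'User invalid or not found'."""
    usernames: Dict[str, str] = {}
    failed: Dict[str, str] = {}
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        sid, msg = m["sid"], m["msg"]
        if msg.startswith("> Username: "):
            usernames[sid] = msg[len("> Username: "):].strip()
        elif msg == "User invalid or not found":
            failed[sid] = usernames.get(sid, "?")
    return failed


# Constructed sample modelled on the excerpt in the thread (username is made up).
SAMPLE_LOG = [
    "[2016-02-25 10:57:03] [127.0.0.1] [OpenOTP:594A3384] New openotpSimpleLogin SOAP request",
    "[2016-02-25 10:57:03] [127.0.0.1] [OpenOTP:594A3384] > Username: test.user@domainb.local",
    "[2016-02-25 10:57:03] [127.0.0.1] [OpenOTP:594A3384] > Password: xxxxxx",
    "[2016-02-25 10:57:04] [127.0.0.1] [OpenOTP:594A3384] User invalid or not found",
    "[2016-02-25 10:58:10] [127.0.0.1] [OpenOTP:1A2B3C4D] > Username: alice@domaina.local",
    "[2016-02-25 10:58:10] [127.0.0.1] [OpenOTP:1A2B3C4D] Registered openotpSimpleLogin request",
]


def explain_failures(lines: List[str], domains=DOMAINS, default=DEFAULT_DOMAIN):
    """For each not-found session: (username, domain searched without routing, domain with routing)."""
    report = {}
    for sid, username in not_found_sessions(lines).items():
        only_default, _ = select_domain(username, domains, default, upn_domain=False)
        routed, _ = select_domain(username, domains, default, upn_domain=True)
        report[sid] = (username, only_default.name, routed.name if routed else None)
    return report


if __name__ == "__main__":
    for sid, (user, before, after) in explain_failures(SAMPLE_LOG).items():
        print(f"{sid}: {user} searched in {before}; with UPN routing -> {after}")
```

Running it against the constructed log reports that session 594A3384 carried `test.user@domainb.local`, was searched in `domaina.local` without routing, and would be routed to `domainb.local` once the label is honoured. A label that matches no configured name or alias (for example a forest you have not added yet) still ends in None, which is why the NetBIOS alias matters for clients that send `DOMAINB\user` rather than a UPN.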

Ruben Giaccotto

Mar 5, 2016, 4:02:44 AM
to RCDevs Security Solutions - Technical
That's it! upn_domain did the trick. Didn't have to change the search base of the default domain.
Thanks a lot!