Troubleshooting openotp


Abdsamad

Mar 2, 2012, 9:47:25 AM
to RCDevs Security Solutions - Technical
Hi,

I need to troubleshoot an authentication failure on the OpenOTP server;
I can't figure out where the problem is.

I test with "Test User Login"

Which tools / debug options / files can I look at to see exactly why my
auth fails, to see the whole authentication process in detail?

I tried to look at soapd.log:

[Fri Mar 02 15:39:00 2012] [127.0.0.1] [OpenOTP_EB2EE777] Registered
openotpLogin request
[Fri Mar 02 15:39:01 2012] [127.0.0.1] [OpenOTP_EB2EE777] User invalid
or not found in LDAP
[Fri Mar 02 15:39:03 2012] [127.0.0.1] [OpenOTP_EB2EE777] Sent failure
response
[Fri Mar 02 15:39:05 2012] [127.0.0.1] [OpenOTP_42FE84EC] New
openotpStatus SOAP request
[Fri Mar 02 15:39:05 2012] [127.0.0.1] [OpenOTP_42FE84EC] Sent status
response

radiusd.log and httpd.log don't give much more information.

I tried to launch webadm-sessiond with "-vvv" but I can't see the
authentication process.

About the error in soapd.log: I can confirm the user is in the LDAP
database, and I didn't set up a group filter.

Thanks a lot for your help
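To make soapd.log lines like the ones above easier to read, here is an added shell example that is not from the thread or from RCDevs: it groups entries by request ID and reports each request's outcome and the first message that explains a failure. It assumes the "[date] [client] [OpenOTP_id] message" layout visible in the post (the wording of a success response is an assumption, only the failure and status wording appear in the post) and embeds the same five lines as constructed sample input.

```shell
#!/bin/sh
# Added example (not from the thread): group soapd.log lines by request ID and
# report each request's outcome. Sample input is the log quoted in the post.

SAMPLE_LOG='[Fri Mar 02 15:39:00 2012] [127.0.0.1] [OpenOTP_EB2EE777] Registered openotpLogin request
[Fri Mar 02 15:39:01 2012] [127.0.0.1] [OpenOTP_EB2EE777] User invalid or not found in LDAP
[Fri Mar 02 15:39:03 2012] [127.0.0.1] [OpenOTP_EB2EE777] Sent failure response
[Fri Mar 02 15:39:05 2012] [127.0.0.1] [OpenOTP_42FE84EC] New openotpStatus SOAP request
[Fri Mar 02 15:39:05 2012] [127.0.0.1] [OpenOTP_42FE84EC] Sent status response'

# Reads log lines on stdin; prints one line per request ID:
#   <id> <client> <failure|success|status|unknown> [reason="..."]
soapd_triage() {
  awk '
    {
      # Layout assumed: [date] [client] [OpenOTP_xxxx] message
      match($0, /\[OpenOTP_[0-9A-F]+\]/)
      if (RSTART == 0) next
      id  = substr($0, RSTART + 1, RLENGTH - 2)
      msg = substr($0, RSTART + RLENGTH + 1)
      # the client is the bracketed field just before the request ID
      client = substr($0, 1, RSTART - 2)
      sub(/.*\[/, "", client)
      sub(/\]$/, "", client)
      if (!(id in seen)) { order[++k] = id; seen[id] = client; outcome[id] = "unknown" }
      if (msg ~ /Sent failure response/) outcome[id] = "failure"
      else if (msg ~ /Sent success/) outcome[id] = "success"   # assumed wording
      else if (msg ~ /Sent status response/) outcome[id] = "status"
      # keep the first diagnostic message seen for this request
      if (msg ~ /invalid|not found|denied|expired|error/ && !(id in reason)) reason[id] = msg
    }
    END {
      for (i = 1; i <= k; i++) {
        id = order[i]
        printf "%s %s %s%s\n", id, seen[id], outcome[id],
               (id in reason) ? " reason=\"" reason[id] "\"" : ""
      }
    }'
}

# Usage: run it over the constructed sample (or: soapd_triage < logs/soapd.log)
printf '%s\n' "$SAMPLE_LOG" | soapd_triage
```

For the sample above this prints the login request as a failure with the reason "User invalid or not found in LDAP" and the status request as a plain status exchange, which is the information the first post was looking for in the raw log.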

Administrators

Mar 5, 2012, 6:55:22 AM
to RCDevs Security Solutions - Technical
Generally, the 'user not found' is due to an invalid domain configuration.

Check that :
1) your user is logging in with the right uid/username. The uid is
generally the 'uid' attribute on Linux and 'samAccountname' on Windows.
2) your user is in an LDAP subtree that corresponds to a WebADM Domain.
Go to Menu->Infos->Registered Domains and check there is a domain
defined which has its 'User Search Base' pointing to a LDAP subtree
containing the user.
3) If the incoming OpenOTP auth request does not explicitly specify a
domain name, the 'OpenOTP Default Domain' is used. Look in
Menu->Applications->OTP Server and check the Default Domain.
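Point 2 above is a containment question: does the user's DN sit at or below the 'User Search Base' of some registered domain? The added shell example below, not from the thread or from RCDevs, answers that offline for constructed sample DNs. The domain table, DNs and the simplified DN normalisation (lower-case, no blanks around commas; not full RFC 4514 matching) are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a user DN lies inside a
# WebADM domain's 'User Search Base'. Sample domains and DNs are constructed.

# Normalise a DN for comparison: lower-case, strip blanks around commas.
norm_dn() {
  printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/[[:space:]]*,[[:space:]]*/,/g'
}

# Returns 0 if user DN ($1) is equal to or below search base ($2).
dn_under_base() {
  u=$(norm_dn "$1")
  b=$(norm_dn "$2")
  if [ "$u" = "$b" ]; then
    return 0
  fi
  case "$u" in
    *",$b") return 0 ;;   # base is a proper suffix starting at an RDN boundary
  esac
  return 1
}

# Constructed domain table, one "Name|User Search Base" per line.
DOMAINS='Default|ou=users,dc=example,dc=com
Admins|ou=admins,dc=example,dc=com'

# Print the name of every domain whose search base contains the user DN.
domains_for_user() {
  printf '%s\n' "$DOMAINS" | while IFS='|' read -r name base; do
    if dn_under_base "$1" "$base"; then
      printf '%s\n' "$name"
    fi
  done
}

# Usage: a user in OU=Users matches "Default"; one in ou=services matches nothing,
# which is the situation behind "User invalid or not found in LDAP".
domains_for_user 'CN=Jane Doe, OU=Users, DC=example, DC=com'
domains_for_user 'cn=svc-backup,ou=services,dc=example,dc=com'
```

An empty result for a user that does exist in the directory is exactly the case the admin describes: the user is there, but no registered domain's search base covers the subtree it lives in.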

av13

Mar 14, 2012, 8:36:28 AM
to RCDevs Security Solutions - Technical
Hi,

I am having the same problem. I checked that 1, 2 and 3 above are
configured well but had no success.

The radtest returns 'invalid username or password' and radiusd.log
says 'rlm_openotp: OpenOTP authentication failed'

Would appreciate your help.
Thanks.

Administrators

Mar 14, 2012, 8:52:37 AM
to rcdevs-t...@googlegroups.com
Test the user auth first from WebADM: edit the user, go to OTP Server Actions at the top right and do the Login Test.
Then test the authentication without RADIUS: go to /opt/webadm/websrvs/openotp/bin/ and use the authtest command to try to authenticate your user. It should work like in WebADM.
Check logs/soapd.log and paste what you get if it does not work.

Only then, try with RADIUS.

av13

Mar 14, 2012, 9:55:57 AM
to RCDevs Security Solutions - Technical
Thanks for the tip.

User auth from WebADM was successful.
authtest was successful as well.

soapd.log screenshot available at:

http://s1169.photobucket.com/albums/r519/av131/?action=view&current=screenshot.png
(thumbnail: http://i1169.photobucket.com/albums/r519/av131/th_screenshot.png)

Thanks in advance!

Administrators

Mar 14, 2012, 10:08:33 AM
to rcdevs-t...@googlegroups.com
The log shows a success. Try to show your failure instead.
Note: check the configuration of your /opt/radiusd/conf/openotp.conf too.

av13

Mar 14, 2012, 11:00:48 AM
to RCDevs Security Solutions - Technical
That's right, authtest works fine. My failure happens when I use
RADIUS; it says 'invalid username or password' as shown in the
screenshot below:

http://i1169.photobucket.com/albums/r519/av131/radtest.jpg

Could it be that somehow radiusBridge is not able to communicate well
with the directory via LDAP? I am using MS Active Directory 2008.

The only configurations in openotp.conf are the following:
server_url = "http://127.0.0.1:8080/openotp/"
password_mode = 1 (since I'd like to log in using LDAP only for now,
I will try with OTP once I get the RADIUS bit running)
soap_timeout = 15

Everything else is commented out.

The configuration in clients.conf is as follows:
client 0.0.0.0/0 {
secret = secret
shortname = any
nastype = other
}

I'm quite new to OpenOTP and would really appreciate your help.
Thank you.



av13

Mar 14, 2012, 11:04:11 AM
to RCDevs Security Solutions - Technical
Note: in the radtest results shown below, although the user's
password is pa$$w0rd, in the Access-Request this is somehow changed
to pa3920w0rd, which is wrong...

http://i1169.photobucket.com/albums/r519/av131/radtest.jpg

Administrators

Mar 14, 2012, 11:23:23 AM
to rcdevs-t...@googlegroups.com
Use radtest administrator 'pa$$w0rd' ... with the single quotes.
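The substitution av13 noticed (pa$$w0rd arriving as pa3920w0rd) is the shell expanding the special parameter $$ to its own process ID before radtest ever runs; 3920 was that shell's PID, so OpenOTP compared a password the user never typed. The added shell example below, not from the thread or from RCDevs, reproduces the three ways of typing the password and reports which one reaches the command unchanged. print_args is a hypothetical stand-in for radtest that only echoes the password argument it received; no RADIUS server is involved.

```shell
#!/bin/sh
# Added example (not from the thread): why "pa$$w0rd" became "pa3920w0rd".
# In an unquoted or double-quoted word the shell replaces "$$" with its own
# process ID before the command sees the argument; single quotes prevent that.

# Hypothetical stand-in for radtest: prints the password argument it received
# (radtest USER PASSWORD ... puts the password in $2).
print_args() {
  printf '%s\n' "$2"
}

# The three invocations, typed exactly as a user might.
unquoted_password()      { print_args administrator pa$$w0rd; }
double_quoted_password() { print_args administrator "pa$$w0rd"; }
single_quoted_password() { print_args administrator 'pa$$w0rd'; }

# Returns 0 when the argument reached the command with the literal "$$" intact.
password_intact() {
  [ "$1" = 'pa$$w0rd' ]
}

# Try all three forms and report which ones the shell mangled.
check_quoting() {
  for form in unquoted_password double_quoted_password single_quoted_password; do
    got=$("$form")
    if password_intact "$got"; then
      printf '%-24s OK       %s\n' "$form" "$got"
    else
      printf '%-24s MANGLED  %s (shell PID %s substituted)\n' "$form" "$got" "$$"
    fi
  done
}

check_quoting
```

Only the single-quoted form survives; the other two hand radtest "pa<PID>w0rd", which is what the Access-Request in the screenshot carried. The same applies to any password containing $, backticks or a backslash when it is passed on a command line.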

av13

Mar 14, 2012, 12:12:49 PM
to RCDevs Security Solutions - Technical
It works, thanks a lot!!