What's Wrong??

Here we describe how to fix some common errors easily. The first thing to do when a login fails for an unknown reason is to open the log file /opt/webadm/log/webadm.log and find the lines belonging to the failed request: every line of one request carries the same request ID (the [OpenOTP:XXXXXXXX] tag), so follow that tag down to the line that explains the failure.

1. Invalid Username or Password

[2017-07-21 09:13:16] [127.0.0.1] [OpenOTP:MKRVHYLX] New openotpSimpleLogin SOAP request
[2017-07-21 09:13:16] [127.0.0.1] [OpenOTP:MKRVHYLX] > Username: john@my.company
[2017-07-21 09:13:16] [127.0.0.1] [OpenOTP:MKRVHYLX] > Password: xxxxxx
[2017-07-21 09:13:16] [127.0.0.1] [OpenOTP:MKRVHYLX] > Client ID: RadTest
[2017-07-21 09:13:16] [127.0.0.1] [OpenOTP:MKRVHYLX] > Options: RADIUS,-U2F
[2017-07-21 09:13:16] [127.0.0.1] [OpenOTP:MKRVHYLX] Registered openotpSimpleLogin request
[2017-07-21 09:13:16] [127.0.0.1] [OpenOTP:MKRVHYLX] User invalid or not found
[2017-07-21 09:13:17] [127.0.0.1] [OpenOTP:MKRVHYLX] Sent failure response

In this case, you are probably trying to authenticate as the user john of the my.company domain, but OpenOTP receives the whole string john@my.company as the username instead of john alone.

If you use Active Directory, john@my.company should be the User Principal Name (UPN, the userprincipalname attribute). You can verify it directly by selecting the user in WebADM.

In other cases, the username and the domain must be sent separately. For a RADIUS authentication, you can define the separator character in /opt/radiusd/conf/openotp.conf.

[2017-07-21 09:58:15] [127.0.0.1] [OpenOTP:EFLUO5JH] New openotpSimpleLogin SOAP request
[2017-07-21 09:58:15] [127.0.0.1] [OpenOTP:EFLUO5JH] > Username: john
[2017-07-21 09:58:15] [127.0.0.1] [OpenOTP:EFLUO5JH] > Domain: my.company
[2017-07-21 09:58:15] [127.0.0.1] [OpenOTP:EFLUO5JH] > Password: xxxxxxx
[2017-07-21 09:58:15] [127.0.0.1] [OpenOTP:EFLUO5JH] > Client ID: RadTest
[2017-07-21 09:58:15] [127.0.0.1] [OpenOTP:EFLUO5JH] > Options: RADIUS,-U2F
[2017-07-21 09:58:15] [127.0.0.1] [OpenOTP:EFLUO5JH] Registered openotpSimpleLogin request
[2017-07-21 09:58:15] [127.0.0.1] [OpenOTP:EFLUO5JH] Domain 'my.company' not existing or disabled
[2017-07-21 09:58:15] [127.0.0.1] [OpenOTP:EFLUO5JH] User invalid or not found
[2017-07-21 09:58:16] [127.0.0.1] [OpenOTP:EFLUO5JH] Sent failure response

Now OpenOTP receives the domain but cannot find it. We need to check the Local Domains in WebADM. There are two possibilities: either we create a new local domain with my.company as its Common Name, or we add my.company as a Domain Name Alias of an existing local domain.

[2017-07-21 10:08:02] [127.0.0.1] [OpenOTP:TAFRV6O4] New openotpSimpleLogin SOAP request
[2017-07-21 10:08:02] [127.0.0.1] [OpenOTP:TAFRV6O4] > Username: john
[2017-07-21 10:08:02] [127.0.0.1] [OpenOTP:TAFRV6O4] > Domain: my.company
[2017-07-21 10:08:02] [127.0.0.1] [OpenOTP:TAFRV6O4] > Password: xxxxxx
[2017-07-21 10:08:02] [127.0.0.1] [OpenOTP:TAFRV6O4] > Client ID: RadTest
[2017-07-21 10:08:02] [127.0.0.1] [OpenOTP:TAFRV6O4] > Options: RADIUS,-U2F
[2017-07-21 10:08:02] [127.0.0.1] [OpenOTP:TAFRV6O4] Registered openotpSimpleLogin request
[2017-07-21 10:08:02] [127.0.0.1] [OpenOTP:TAFRV6O4] User invalid or not found
[2017-07-21 10:08:03] [127.0.0.1] [OpenOTP:TAFRV6O4] Sent failure response

It still doesn’t work even though the user john definitely exists in LDAP. We need to check that the user account is activated and that the distinguished name of the user lies under the User Search Base of the local domain in WebADM (a user whose DN is outside the search base is not found even when it exists in the directory).

2. Account Missing Required Data

[2017-07-21 17:08:02] [127.0.0.1] [OpenOTP:56EQIEF9] New openotpNormalLogin SOAP request
[2017-07-21 17:08:02] [127.0.0.1] [OpenOTP:56EQIEF9] > Username: john
[2017-07-21 17:08:02] [127.0.0.1] [OpenOTP:56EQIEF9] > Domain: Default
[2017-07-21 17:08:02] [127.0.0.1] [OpenOTP:56EQIEF9] > LDAP Password: xxxxxx
[2017-07-21 17:08:02] [127.0.0.1] [OpenOTP:56EQIEF9] > Client ID: OpenOTP
[2017-07-21 17:08:02] [127.0.0.1] [OpenOTP:56EQIEF9] > Source IP: 192.168.1.155
[2017-07-21 17:08:02] [127.0.0.1] [OpenOTP:56EQIEF9] > Context ID: f7e839eaeea6e2d91cd9163f6669064e
[2017-07-21 17:08:02] [127.0.0.1] [OpenOTP:56EQIEF9] Registered openotpNormalLogin request
[2017-07-21 17:08:02] [127.0.0.1] [OpenOTP:56EQIEF9] Resolved LDAP user: cn=john,ou=aze,o=Root
[2017-07-21 17:08:02] [127.0.0.1] [OpenOTP:56EQIEF9] Started transaction lock for user
[2017-07-21 17:08:02] [127.0.0.1] [OpenOTP:56EQIEF9] Found 37 user settings: LoginMode=LDAPOTP,OTPType=TOKEN,OTPLength=6,ChallengeMode=Yes,ChallengeTimeout=90,EnableLogin=Yes,AppKeyLength=20,HOTPLookAheadWindow=25,TOTPTimeStep=30,TOTPTimeOffsetWindow=120,MOTPTimeOffsetWindow=120,OCRASuite=OCRA-1:HOTP-SHA1-6:QN06-T1M,SMSType=Normal,SMSMode=Ondemand,MailMode=Ondemand,LastOTPTime=300,ListChallengeMode=ShowID
[2017-07-21 17:08:02] [127.0.0.1] [OpenOTP:56EQIEF9] User has no OTP token registered
[2017-07-21 17:08:02] [127.0.0.1] [OpenOTP:56EQIEF9] No usable login method found
[2017-07-21 17:08:03] [127.0.0.1] [OpenOTP:56EQIEF9] Sent failure response

In this case, LoginMode is set to LDAPOTP, so an OTP is required, but no OTP token is registered for that user. We just need to register a new OTP token for that user.

3. Wrong OTP Password

[2017-07-23 08:59:21] [127.0.0.1] [OpenOTP:FGXEI1EK] New openotpNormalLogin SOAP request
[2017-07-23 08:59:21] [127.0.0.1] [OpenOTP:FGXEI1EK] > Username: john
[2017-07-23 08:59:21] [127.0.0.1] [OpenOTP:FGXEI1EK] > Domain: Default
[2017-07-23 08:59:21] [127.0.0.1] [OpenOTP:FGXEI1EK] > LDAP Password: xxxxxx
[2017-07-23 08:59:21] [127.0.0.1] [OpenOTP:FGXEI1EK] > OTP Password: xxxxxx
[2017-07-23 08:59:21] [127.0.0.1] [OpenOTP:FGXEI1EK] > Client ID: OpenOTP
[2017-07-23 08:59:21] [127.0.0.1] [OpenOTP:FGXEI1EK] > Source IP: 192.168.1.155
[2017-07-23 08:59:21] [127.0.0.1] [OpenOTP:FGXEI1EK] > Context ID: 256a7da6650854cdb04de8cfe86b4e0e
[2017-07-23 08:59:21] [127.0.0.1] [OpenOTP:FGXEI1EK] Registered openotpNormalLogin request
[2017-07-23 08:59:21] [127.0.0.1] [OpenOTP:FGXEI1EK] Resolved LDAP user: cn=john,ou=aze,o=Root (cached)
[2017-07-23 08:59:21] [127.0.0.1] [OpenOTP:FGXEI1EK] Started transaction lock for user
[2017-07-23 08:59:21] [127.0.0.1] [OpenOTP:FGXEI1EK] Found 37 user settings: LoginMode=LDAPOTP,OTPType=TOKEN,OTPLength=6,ChallengeMode=Yes,ChallengeTimeout=90,EnableLogin=Yes,AppKeyLength=20,HOTPLookAheadWindow=25,TOTPTimeStep=30,TOTPTimeOffsetWindow=120,MOTPTimeOffsetWindow=120,OCRASuite=OCRA-1:HOTP-SHA1-6:QN06-T1M,SMSType=Normal,SMSMode=Ondemand,MailMode=Ondemand,LastOTPTime=300,ListChallengeMode=ShowID
[2017-07-23 08:59:21] [127.0.0.1] [OpenOTP:FGXEI1EK] Found 6 user data: LoginCount,RejectCount,TokenType,TokenKey,TokenState,TokenOffset
[2017-07-23 08:59:21] [127.0.0.1] [OpenOTP:FGXEI1EK] Found 1 registered OTP token (TOTP)
[2017-07-23 08:59:21] [127.0.0.1] [OpenOTP:FGXEI1EK] Requested login factors: LDAP & OTP
[2017-07-23 08:59:21] [127.0.0.1] [OpenOTP:FGXEI1EK] LDAP password Ok
[2017-07-23 08:59:21] [127.0.0.1] [OpenOTP:FGXEI1EK] Wrong TOTP password (token #1)
[2017-07-23 08:59:21] [127.0.0.1] [OpenOTP:FGXEI1EK] Updated user data
[2017-07-23 08:59:22] [127.0.0.1] [OpenOTP:FGXEI1EK] Sent failure response

The OTP entered is the one shown by the token, but it is still rejected (the LDAP password itself was accepted). The token is probably desynchronized, i.e. its clock or counter has drifted beyond the window the server tolerates. We can resynchronize it via the web application or in WebADM.
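To make the "desynchronized" case concrete, here is an added example (not RCDevs code) of an RFC 6238 TOTP check with a time-offset window like the one the logged settings TOTPTimeStep=30 and TOTPTimeOffsetWindow=120 describe, followed by a resynchronization routine. That TOTPTimeOffsetWindow is a number of seconds of tolerated drift, and that the learned offset is what the TokenOffset user data stores, are assumptions made for the example; the secret and timestamps are constructed test data.

```python
# Added example (not RCDevs code): RFC 6238 TOTP verification with a time-offset
# window, plus resynchronization from two consecutive codes. The meaning given to
# TOTPTimeOffsetWindow and TokenOffset here is an assumption, not OpenOTP's code.
import hashlib
import hmac
import struct

TIME_STEP = 30        # TOTPTimeStep=30 in the logged user settings
OFFSET_WINDOW = 120   # TOTPTimeOffsetWindow=120, assumed to be seconds of tolerated drift
OTP_LENGTH = 6        # OTPLength=6


def hotp(key: bytes, counter: int, digits: int = OTP_LENGTH) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP whose counter is derived from the clock."""
    return hotp(key, unix_time // step)


def verify_totp(key, otp, now, stored_offset=0, window=OFFSET_WINDOW, step=TIME_STEP):
    """Return the clock offset (seconds) at which `otp` validates, or None.

    The server first applies the offset learned at the last resync (assumed to be
    the TokenOffset user data) and then tries every time step within +/- window.
    A token whose clock has drifted further than the window produces exactly the
    "Wrong TOTP password" line seen above, although the code on its display is right.
    """
    base = now + stored_offset
    for drift in range(-window, window + 1, step):
        if hmac.compare_digest(totp(key, base + drift, step), otp):
            return stored_offset + drift
    return None


def resync(key, otp1, otp2, now, search_seconds=86400, step=TIME_STEP):
    """Resynchronize from two consecutive codes shown by the token.

    Searches +/- search_seconds for a counter whose code and successor match both
    OTPs (two codes make a chance match negligible). Returns the offset to store
    as the new TokenOffset, or None when nothing in the search range matches.
    """
    centre = now // step
    span = search_seconds // step
    for counter in range(centre - span, centre + span + 1):
        if hotp(key, counter) == otp1 and hotp(key, counter + 1) == otp2:
            return counter * step - now
    return None


if __name__ == "__main__":
    # Constructed scenario: the token's clock runs 200 s behind the server, i.e.
    # beyond the 120 s window, so the login fails until the token is resynced.
    key = b"12345678901234567890"   # RFC 6238 test secret, constructed data
    server_now = 1_700_000_000
    token_now = server_now - 200
    print("in window?", verify_totp(key, totp(key, token_now), server_now))       # None
    offset = resync(key, totp(key, token_now), totp(key, token_now + 30), server_now)
    print("learned offset:", offset)                                                # -200
    later = server_now + 600
    print("after resync:", verify_totp(key, totp(key, later - 200), later, offset))  # -200
```

The stored offset is what keeps a slightly slow or fast token usable: once learned, every later check is centred on the token's own clock rather than the server's, and only further drift beyond the window would trigger another "Wrong TOTP password".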

4. “Could not modify LDAP object”

If your webadm.log contains an error message similar to the one below, the proxy_user does not have sufficient permissions on the LDAP/Active Directory object of the user who is authenticating: OpenOTP needs to write its user data (login counters, token state) to that object and the write is refused.

[2018-10-16 11:20:04] [10.10.0.3] [OpenOTP:L9RLQWCV] Could not modify LDAP object 'CN=John Doe,OU=Information Technology,OU=Business,DC=com' (Insufficient access)
[2018-10-16 11:20:04] [10.10.0.3] [OpenOTP:L9RLQWCV] Could not set user data for 'CN=John Doe,OU=Information Technology,OU=Business,DC=com'

Please refer to the Proxy User Rights on MS Active Directory for instructions on how to set the access rights for the proxy user in AD.
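Since cases 1 to 4 are all recognised from one diagnostic line inside the request's block in webadm.log, here is an added example (not part of RCDevs' tooling) of a small Python triage script that groups log lines by request ID, collects the "> Field: value" lines, and maps the diagnostic line to the fix described on this page. The sample log is constructed from the excerpts above; the verdict names and the rule table are this example's own.

```python
# Added example (not RCDevs code): group webadm.log lines by request ID and map
# the diagnostic line of each failed request to the remedy described on this page.
import re
from collections import OrderedDict

# [timestamp] [client ip] [service:request id] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<ip>[^\]]+)\] \[(?P<svc>[^:\]]+):(?P<rid>[^\]]+)\] (?P<msg>.*)$"
)

# (substring of a log message, verdict, fix from this page); first matching rule wins,
# so the more specific domain line is checked before the generic "User invalid" line.
RULES = [
    ("not existing or disabled", "domain-not-found",
     "create a local domain with that Common Name or add it as a Domain Name Alias in WebADM"),
    ("User invalid or not found", "user-not-found",
     "check the username/domain split, that the account is activated and that its DN "
     "lies under the local domain's User Search Base"),
    ("User has no OTP token registered", "no-token", "register an OTP token for the user"),
    ("Wrong TOTP password", "wrong-otp", "resynchronize the token"),
    ("Could not modify LDAP object", "insufficient-access",
     "grant the proxy user the required rights on the user object (Proxy User Rights)"),
]


def parse(log_text):
    """Return an ordered map request-id -> {'ts', 'fields', 'messages'}."""
    requests = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines that are not in the webadm.log format are ignored
        req = requests.setdefault(m["rid"], {"ts": m["ts"], "fields": {}, "messages": []})
        msg = m["msg"]
        if msg.startswith("> ") and ": " in msg:
            key, value = msg[2:].split(": ", 1)   # "> Username: john" -> fields["Username"]
            req["fields"][key] = value
        else:
            req["messages"].append(msg)
    return requests


def diagnose(req):
    """Return (verdict, fix) for one request block."""
    fields, messages = req["fields"], req["messages"]
    for needle, verdict, fix in RULES:
        if any(needle in m for m in messages):
            # Case 1, first log: the whole UPN arrived as the username and nothing was
            # split off into a Domain field, so the separator is what needs fixing.
            if verdict == "user-not-found" and "@" in fields.get("Username", "") \
                    and "Domain" not in fields:
                return ("username-holds-domain",
                        "configure the username/domain separator, or use the UPN with Active Directory")
            return verdict, fix
    if any(m.startswith("Sent failure") for m in messages):
        return "unknown-failure", "read the complete request block in webadm.log"
    return "no-failure-recorded", "nothing to fix from this block"


def report(log_text):
    """Triage every request in the log: list of (request id, timestamp, verdict, fix)."""
    return [(rid, r["ts"], *diagnose(r)) for rid, r in parse(log_text).items()]


# Constructed sample, abridged from the excerpts on this page.
SAMPLE_LOG = """\
[2017-07-21 09:13:16] [127.0.0.1] [OpenOTP:MKRVHYLX] New openotpSimpleLogin SOAP request
[2017-07-21 09:13:16] [127.0.0.1] [OpenOTP:MKRVHYLX] > Username: john@my.company
[2017-07-21 09:13:16] [127.0.0.1] [OpenOTP:MKRVHYLX] > Client ID: RadTest
[2017-07-21 09:13:16] [127.0.0.1] [OpenOTP:MKRVHYLX] User invalid or not found
[2017-07-21 09:13:17] [127.0.0.1] [OpenOTP:MKRVHYLX] Sent failure response
[2017-07-21 09:58:15] [127.0.0.1] [OpenOTP:EFLUO5JH] > Username: john
[2017-07-21 09:58:15] [127.0.0.1] [OpenOTP:EFLUO5JH] > Domain: my.company
[2017-07-21 09:58:15] [127.0.0.1] [OpenOTP:EFLUO5JH] Domain 'my.company' not existing or disabled
[2017-07-21 09:58:15] [127.0.0.1] [OpenOTP:EFLUO5JH] User invalid or not found
[2017-07-21 09:58:16] [127.0.0.1] [OpenOTP:EFLUO5JH] Sent failure response
[2017-07-21 17:08:02] [127.0.0.1] [OpenOTP:56EQIEF9] > Username: john
[2017-07-21 17:08:02] [127.0.0.1] [OpenOTP:56EQIEF9] > Domain: Default
[2017-07-21 17:08:02] [127.0.0.1] [OpenOTP:56EQIEF9] User has no OTP token registered
[2017-07-21 17:08:03] [127.0.0.1] [OpenOTP:56EQIEF9] Sent failure response
[2017-07-23 08:59:21] [127.0.0.1] [OpenOTP:FGXEI1EK] > Username: john
[2017-07-23 08:59:21] [127.0.0.1] [OpenOTP:FGXEI1EK] > Client ID: OpenOTP
[2017-07-23 08:59:21] [127.0.0.1] [OpenOTP:FGXEI1EK] LDAP password Ok
[2017-07-23 08:59:21] [127.0.0.1] [OpenOTP:FGXEI1EK] Wrong TOTP password (token #1)
[2017-07-23 08:59:22] [127.0.0.1] [OpenOTP:FGXEI1EK] Sent failure response
[2018-10-16 11:20:04] [10.10.0.3] [OpenOTP:L9RLQWCV] Could not modify LDAP object 'CN=John Doe,OU=Information Technology,OU=Business,DC=com' (Insufficient access)
"""

if __name__ == "__main__":
    for rid, ts, verdict, fix in report(SAMPLE_LOG):
        print(f"{ts} {rid}: {verdict} -> {fix}")
```

Run it against a real file with `report(open("/opt/webadm/log/webadm.log").read())`; the rule order matters, because a missing domain also produces the generic "User invalid or not found" line and the domain line is the one that tells you what to fix.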

5. Nothing in the Log

The authentication does not appear in webadm.log at all.

This simply means that the request never reached OpenOTP.

We can verify this by capturing traffic on the WebADM ports with tcpdump -i any port 8080 or port 8443 during the authentication attempt.

For a RADIUS authentication through radiusd, we can verify with tcpdump -i any port 1812. For an LDAP authentication through ldproxy, we can verify with tcpdump -i any port 389 or port 636.

If the capture stays empty, we check that the port is reachable from the client, for example with telnet <webadm server> <port number> run on the client.

If it doesn’t respond, we have to check the firewall rules (don’t forget the local firewall on the server itself) and the routing between the client and the server.