Cannot log in with AD userstore even with policy otppin = userstore

Hello, I am currently testing privacyIDEA, in order to get 2FA working with Active Directory over OpenVPN.

My configuration is working as far as I know, except for the Active Directory password authentication method.

  • LDAP and Machines resolvers are connected properly.

  • I’ve followed this topic to set up privacyIDEA: privacyIdeaold_Thread (Privacyidea + radius + fortigate)

My problem is that, even with otppin = userstore selected, when I try authenticating (AD password + TOTP code concatenated), it says “wrong otp pin” in the audit log.

While if I try to authenticate with Token PIN code + TOTP concatenated, it succeeds.

Did I miss something?

Thanks!

Hello @s0p4L1n
welcome to the privacyIDEA community.

It could be that the otppin policy which you configured for the LDAP password does not match.

Take a look in the audit log


In the column “action” you can filter for “validate” and you should see the action validate/check of the login attempt.


In the far right column “policies” you will see, which policy matched this authentication attempt.
I guess your policy is not displayed there, so you need to look into your policy.
You might have configured conditions for the policies, that do not match.

Read this:

and then explicitly this:


Hello cornelinux,

After checking my policy and what I set again, I figured out what the issue was.

I set the client IP thinking that it was the IP of the VPN server, but no, because it is FreeRADIUS itself that is the client.

The policy matches now, and I can log in with Active Directory password + OTP pin :slight_smile: !!


Thanks for the help!
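To make the resolution above concrete, here is an added example (written for this page, not privacyIDEA's own code) that models the two points of the thread in a few dozen lines of Python: an `authentication` policy carrying `otppin=userstore` only takes effect when its client condition matches the IP that privacyIDEA actually sees, and with a FreeRADIUS frontend that IP is the RADIUS host, not the VPN server. Everything in it is constructed and hypothetical: the addresses 10.0.0.10 (VPN server) and 10.0.0.20 (FreeRADIUS), the user "alice" with an AD password and a token PIN, and a TOTP token using the RFC 6238 test secret so the expected OTP is known. The client-condition matching is a simplified approximation of privacyIDEA's semantics (comma-separated subnets, `!` excludes), and the `validate_check` function and its messages only model the behaviour described in the thread; they are not the real API.

```python
"""Model of privacyIDEA-style otppin policy matching against the request's
client IP.  Added example with constructed data; not privacyIDEA code."""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass

# Hypothetical topology: the user terminates on the VPN server, but the
# RADIUS request that reaches privacyIDEA comes from the FreeRADIUS host.
VPN_SERVER_IP = "10.0.0.10"
RADIUS_IP = "10.0.0.20"
OTP_LEN = 6

# Constructed sample "userstore" (stands in for AD) and token store.
USERSTORE = {"alice": "Winter2024!"}
TOKENS = {"alice": {"pin": "1234", "secret": b"12345678901234567890"}}


@dataclass
class Policy:
    name: str
    scope: str
    action: dict
    client: str = ""  # comma-separated IPs/subnets; a "!" prefix excludes


def client_matches(client_spec: str, request_ip: str) -> bool:
    """Approximate client condition: an empty spec matches every client;
    otherwise the IP must lie in a listed subnet and in no "!" subnet."""
    if not client_spec.strip():
        return True
    ip = ipaddress.ip_address(request_ip)
    found = excluded = False
    for entry in (e.strip() for e in client_spec.split(",") if e.strip()):
        if entry.startswith("!"):
            excluded |= ip in ipaddress.ip_network(entry[1:], strict=False)
        else:
            found |= ip in ipaddress.ip_network(entry, strict=False)
    return found and not excluded


def matching_policies(policies, scope, request_ip):
    """Policies of the given scope whose client condition matches."""
    return [p for p in policies
            if p.scope == scope and client_matches(p.client, request_ip)]


def hotp(secret: bytes, counter: int, digits: int = OTP_LEN) -> str:
    """RFC 4226 HOTP (HMAC-SHA1, dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second time step counter."""
    return hotp(secret, at_time // step)


def validate_check(policies, request_ip, user, password, now):
    """Models a /validate/check call: pass = PIN + OTP, where the PIN is the
    token PIN by default or the userstore password under otppin=userstore."""
    matched = matching_policies(policies, "authentication", request_ip)
    pin_mode = "userstore" if any(
        p.action.get("otppin") == "userstore" for p in matched) else "tokenpin"
    pin, otp = password[:-OTP_LEN], password[-OTP_LEN:]
    expected_pin = (USERSTORE[user] if pin_mode == "userstore"
                    else TOKENS[user]["pin"])
    names = [p.name for p in matched]  # what the audit "policies" column shows
    if pin != expected_pin:
        return {"result": False, "message": "wrong otp pin", "policies": names}
    if otp != totp(TOKENS[user]["secret"], now):
        return {"result": False, "message": "wrong otp value", "policies": names}
    return {"result": True, "message": "matching 1 tokens", "policies": names}


def attempt(policy_client: str, pin: str, now: int = 59):
    """One login from the FreeRADIUS host with pass = pin + current TOTP,
    against a single otppin=userstore policy restricted to policy_client."""
    policy = Policy("ad_pin", "authentication", {"otppin": "userstore"},
                    client=policy_client)
    code = totp(TOKENS["alice"]["secret"], now)
    return validate_check([policy], RADIUS_IP, "alice", pin + code, now)


if __name__ == "__main__":
    # Policy pinned to the VPN server IP: no policy matches, token PIN expected.
    print(attempt(VPN_SERVER_IP, USERSTORE["alice"]))  # wrong otp pin, policies []
    print(attempt(VPN_SERVER_IP, TOKENS["alice"]["pin"]))  # token PIN still works
    # Policy pinned to the FreeRADIUS IP: AD password + TOTP succeeds.
    print(attempt(RADIUS_IP, USERSTORE["alice"]))  # result True, policies ['ad_pin']
```

The first call reproduces the symptom from the opening post (the audit entry shows "wrong otp pin" and an empty policies column because the client condition filtered the policy out), the second shows why token PIN + TOTP still succeeded, and the third is the corrected policy. The same check applies to any other policy condition (realm, user, resolver): if the audit log's policies column is empty for the `validate/check` row, the request did not satisfy the conditions, whatever the action says.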