...
Tip: You can use this as a checklist for troubleshooting step by step.
User locking is not synchronized properly
Problem
You receive an error message on user synchronization similar to the following:
```
Synchronization started...
[CONNECTION] Starting sync for connection
[CONNECTION] Exception: The "Authentication Expiration" attribute (pwdlastset) could not be fetched from the LDAP server for user {'cn': ['Lastname, Givenname'], 'samaccountname': ['givenname.lastname'], 'dn': 'cn=lastname\\, givenname (lastname),ou=users,dc=domain,dc=tld'}.
2022-08-10 11:56:01,202 [40] [cmk.web 10815] Exception (CONNECTION, userdb_job): Traceback (most recent call last):
  File "/omd/sites/mysite/lib/python3/cmk/gui/userdb.py", line 1501, in _execute_sync_action
    connection.do_sync(
  File "/omd/sites/mysite/lib/python3/cmk/gui/plugins/userdb/ldap_connector.py", line 1282, in do_sync
    self._execute_active_sync_plugins(user_id, ldap_user, user)
  File "/omd/sites/mysite/lib/python3/cmk/gui/plugins/userdb/ldap_connector.py", line 1369, in _execute_active_sync_plugins
    user.update(plugin.sync_func(self, key, params or {}, user_id, ldap_user, user))
  File "/omd/sites/mysite/lib/python3/cmk/gui/plugins/userdb/ldap_connector.py", line 1941, in sync_func
    raise MKLDAPException(
cmk.gui.plugins.userdb.ldap_connector.MKLDAPException: The "Authentication Expiration" attribute (pwdlastset) could not be fetched from the LDAP server for user {'cn': ['Lastname, Givenname'], 'samaccountname': ['givenname.lastname'], 'dn': 'cn=lastname\\, givenname (lastname),ou=users,dc=domain,dc=tld'}.
Finalizing synchronization
The user synchronization completed successfully.
```
Reason
In Active Directory, a user may lack the permission to read the pwdLastSet attribute.
...
So the user Checkmk uses as the bind user needs to be able to read this attribute.
Solution
- Connect to your AD and choose the top entity
- Right-click and choose Delegate Control
- Select the user Checkmk uses as the bind user
- Give the user permission to:
  - Reset User Password
  - Force Password change at next logon
  - Additionally, Read all user information might be necessary (this is unconfirmed at the time of writing)
- Finish the wizard
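To confirm the delegation took effect, run a user search as the bind user and look for entries that come back without pwdLastSet. The Python below is an added example, not Checkmk code; it assumes the search result is available as LDIF (for instance from `ldapsearch`), and all names, DNs and values in the sample are constructed.

```python
import base64

# Constructed sample of LDIF output from a search run as the bind user, e.g.:
#   ldapsearch -LLL -H ldaps://<dc> -D "<bind DN>" -W -b "<base DN>" \
#     "(objectClass=user)" sAMAccountName pwdLastSet
# All names and values below are made up for illustration.
_B64_DN = base64.b64encode(
    "cn=Müller\\, Jörg,ou=users,dc=domain,dc=tld".encode("utf-8")).decode("ascii")
SAMPLE_LDIF = (
    "dn: cn=doe\\, jane,ou=users,dc=domain,dc=tld\n"
    "sAMAccountName: jane.doe\n"
    "pwdLastSet: 133046061610000000\n"
    "\n"
    "dn: cn=lastname\\, givenname (lastname),ou=users,\n"
    " dc=domain,dc=tld\n"
    "sAMAccountName: givenname.lastname\n"
    "\n"
    f"dn:: {_B64_DN}\n"
    "sAMAccountName: joerg.mueller\n"
)

def parse_ldif(text):
    """Return one {lowercased attribute: [values]} dict per LDIF entry."""
    # Unfold: a line that starts with a single space continues the previous one.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    entries = []
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue  # comment or non-attribute line
            name, _, rest = line.partition(":")
            if rest.startswith(":"):  # "attr:: value" is base64 (non-ASCII DNs)
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            entry.setdefault(name.lower(), []).append(value)
        if "dn" in entry:  # skips the version header and result trailer
            entries.append(entry)
    return entries

def users_without_pwdlastset(entries):
    """DNs of entries the bind user received without a pwdLastSet value."""
    return [e["dn"][0] for e in entries if not e.get("pwdlastset")]

if __name__ == "__main__":
    for dn in users_without_pwdlastset(parse_ldif(SAMPLE_LDIF)):
        print("pwdLastSet not returned:", dn)
```

An empty result after the delegation means the bind user now receives pwdLastSet for every user in the search base.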
LDAPs does not work: "Can't contact LDAP server," 'errno': 115
LDAPs stops working after upgrade from 1.6 to 2.0: "unable to get issuer certificate"
See: LDAPs stops working after upgrade from 1.6 to 2.0: "unable to get issuer certificate"
...