
Tip

You can use this as a checklist for troubleshooting step by step.

User locking is not synchronized properly

Problem

You receive an error message on user synchronization similar to the following:

Synchronization started...
[CONNECTION] Starting sync for connection
[CONNECTION] Exception: The "Authentication Expiration" attribute (pwdlastset) could not be fetched from the LDAP server for user {'cn': ['Lastname, Givenname'], 'samaccountname': ['givenname.lastname'], 'dn': 'cn=lastname\\, givenname (lastname),ou=users,dc=domain,dc=tld'}.
2022-08-10 11:56:01,202 [40] [cmk.web 10815] Exception (CONNECTION, userdb_job): Traceback (most recent call last):
  File "/omd/sites/mysite/lib/python3/cmk/gui/userdb.py", line 1501, in _execute_sync_action
    connection.do_sync(
  File "/omd/sites/mysite/lib/python3/cmk/gui/plugins/userdb/ldap_connector.py", line 1282, in do_sync
    self._execute_active_sync_plugins(user_id, ldap_user, user)
  File "/omd/sites/mysite/lib/python3/cmk/gui/plugins/userdb/ldap_connector.py", line 1369, in _execute_active_sync_plugins
    user.update(plugin.sync_func(self, key, params or {}, user_id, ldap_user, user))
  File "/omd/sites/mysite/lib/python3/cmk/gui/plugins/userdb/ldap_connector.py", line 1941, in sync_func
    raise MKLDAPException(
cmk.gui.plugins.userdb.ldap_connector.MKLDAPException: The "Authentication Expiration" attribute (pwdlastset) could not be fetched from the LDAP server for user {'cn': ['Lastname, Givenname'], 'samaccountname': ['givenname.lastname'], 'dn': 'cn=lastname\\, givenname (lastname),ou=users,dc=domain,dc=tld'}.

Finalizing synchronization

The user synchronization completed successfully.

Reason

In Active Directory, a user account may not have permission to read the pwdLastSet attribute.

...

So the user Checkmk uses as the bind user needs to be able to read this attribute.

Solution

  1. Connect to your AD and choose the top entity

  2. Right-click and choose Delegate Control

  3. Select the user that Checkmk uses as the bind user

  4. Give the user permission to
    • Reset User Password
    • Force Password change at next logon

  5. Additionally, Read all user information might be necessary (this is unconfirmed at the time of writing)

  6. Finish the wizard
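To see which accounts trigger the error, and to confirm after the delegation that none remain, the saved synchronization output can be scanned for the message shown above. This is an added example, not Checkmk code; the function name `unreadable_attributes` and the `jane.doe` sample line are assumptions made for illustration.

```python
import ast
import re

# Message format taken from the log excerpt on this page.
_MSG = re.compile(
    r'The "[^"]+" attribute \((?P<attr>\w+)\) could not be fetched '
    r"from the LDAP server for user (?P<user>\{.*\})\.\s*$"
)


def unreadable_attributes(log_text):
    """Return sorted, de-duplicated (dn, samaccountname, attribute) tuples."""
    found = set()
    for line in log_text.splitlines():
        match = _MSG.search(line)
        if match is None:
            continue
        try:
            # The user is logged as a Python dict repr; literal_eval parses it
            # without executing anything and undoes the doubled backslash.
            user = ast.literal_eval(match.group("user"))
        except (ValueError, SyntaxError):
            continue  # truncated or mangled line
        if not isinstance(user, dict):
            continue
        sam = (user.get("samaccountname") or [""])[0]
        found.add((user.get("dn", ""), sam, match.group("attr")))
    return sorted(found)


# Constructed sample: the first three lines follow the excerpt above, the last
# one (jane.doe) is invented for this example.
SAMPLE_LOG = r"""
[CONNECTION] Starting sync for connection
[CONNECTION] Exception: The "Authentication Expiration" attribute (pwdlastset) could not be fetched from the LDAP server for user {'cn': ['Lastname, Givenname'], 'samaccountname': ['givenname.lastname'], 'dn': 'cn=lastname\\, givenname (lastname),ou=users,dc=domain,dc=tld'}.
cmk.gui.plugins.userdb.ldap_connector.MKLDAPException: The "Authentication Expiration" attribute (pwdlastset) could not be fetched from the LDAP server for user {'cn': ['Lastname, Givenname'], 'samaccountname': ['givenname.lastname'], 'dn': 'cn=lastname\\, givenname (lastname),ou=users,dc=domain,dc=tld'}.
[CONNECTION] Exception: The "Authentication Expiration" attribute (pwdlastset) could not be fetched from the LDAP server for user {'cn': ['Doe, Jane'], 'samaccountname': ['jane.doe'], 'dn': 'cn=doe\\, jane,ou=users,dc=domain,dc=tld'}.
"""

if __name__ == "__main__":
    for dn, sam, attr in unreadable_attributes(SAMPLE_LOG):
        print(f"{sam}: {attr} could not be fetched for {dn}")
```

An empty result on the output of a fresh synchronization means the message no longer occurs for any user.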

LDAPs does not work: "Can't contact LDAP server", 'errno': 115

See: LDAPs does not work: "Can't contact LDAP server", 'errno': 115

LDAPs stops working after upgrade from 1.6 to 2.0: "unable to get issuer certificate"

See: LDAPs stops working after upgrade from 1.6 to 2.0: "unable to get issuer certificate"
