This manual should give you an overview of some common LDAP issues we saw over time.

LAST TESTED ON CHECKMK 2.3.0P1

Table of Contents

You can use this as a checklist for troubleshooting step by step.

User locking is not synchronized properly

Problem

You receive an error message on user synchronization similar to the following:

Synchronization started...
[CONNECTION] Starting sync for connection
[CONNECTION] Exception: The "Authentication Expiration" attribute (pwdlastset) could not be fetched from the LDAP server for user {'cn': ['Lastname, Givenname'], 'samaccountname': ['givenname.lastname'], 'dn': 'cn=lastname\\, givenname (lastname),ou=users,dc=domain,dc=tld'}.
2022-08-10 11:56:01,202 [40] [cmk.web 10815] Exception (CONNECTION, userdb_job): Traceback (most recent call last):
  File "/omd/sites/mysite/lib/python3/cmk/gui/userdb.py", line 1501, in _execute_sync_action
    connection.do_sync(
  File "/omd/sites/mysite/lib/python3/cmk/gui/plugins/userdb/ldap_connector.py", line 1282, in do_sync
    self._execute_active_sync_plugins(user_id, ldap_user, user)
  File "/omd/sites/mysite/lib/python3/cmk/gui/plugins/userdb/ldap_connector.py", line 1369, in _execute_active_sync_plugins
    user.update(plugin.sync_func(self, key, params or {}, user_id, ldap_user, user))
  File "/omd/sites/mysite/lib/python3/cmk/gui/plugins/userdb/ldap_connector.py", line 1941, in sync_func
    raise MKLDAPException(
cmk.gui.plugins.userdb.ldap_connector.MKLDAPException: The "Authentication Expiration" attribute (pwdlastset) could not be fetched from the LDAP server for user {'cn': ['Lastname, Givenname'], 'samaccountname': ['givenname.lastname'], 'dn': 'cn=lastname\\, givenname (lastname),ou=users,dc=domain,dc=tld'}.

Finalizing synchronization

The user synchronization completed successfully.

Reason

In Active Directory, it is possible that a user may not read the attribute pwdLastSet.

Checkmk needs this attribute to synchronize authorization expiration.

So the user Checkmk uses as the bind user needs to be able to read this attribute.

Solution

Connect to your AD and choose the top entity
Right-click and choose Delegate Control
Select the user that Checkmk uses as the bind user
Give the user permission to
- Reset User Password
- Force Password change at next logon
Additionally, Read all user information might be necessary (this is unconfirmed at the time of writing)
Finish the wizard

LDAPs does not work: "Can't contact LDAP server," 'errno': 115

See: LDAPs does not work: "Can't contact LDAP server", 'errno': 115

LDAPs stops working after upgrade from 1.6 to 2.0: "unable to get issuer certificate"

See: LDAPs stops working after upgrade from 1.6 to 2.0: "unable to get issuer certificate"

Related articles

Page:

How-to adjust Checkmk performance
Page:

Error handling with RRD files after conversion to the new format
Page:

Troubleshooting Apache service not starting
Page:

Troubleshooting when fetcher for host HOST times out after X seconds
Page:

Debug Livestatus performance