Troubleshooting LDAP issues

Owned by Robin Gierse
Last updated: Dec 11, 2023 by Matthew Hierholzer
2 min read

This manual should give you an overview of some common LDAP issues we saw over time.

LAST TESTED ON CHECKMK 2.0.0P1

Table of Contents


You can use this as a checklist for troubleshooting step by step.

User locking is not synchronized properly

Problem

You receive an error message on user synchronization similar to the following:

Synchronization started...
[CONNECTION] Starting sync for connection
[CONNECTION] Exception: The "Authentication Expiration" attribute (pwdlastset) could not be fetched from the LDAP server for user {'cn': ['Lastname, Givenname'], 'samaccountname': ['givenname.lastname'], 'dn': 'cn=lastname\\, givenname (lastname),ou=users,dc=domain,dc=tld'}.
2022-08-10 11:56:01,202 [40] [cmk.web 10815] Exception (CONNECTION, userdb_job): Traceback (most recent call last):
  File "/omd/sites/mysite/lib/python3/cmk/gui/userdb.py", line 1501, in _execute_sync_action
    connection.do_sync(
  File "/omd/sites/mysite/lib/python3/cmk/gui/plugins/userdb/ldap_connector.py", line 1282, in do_sync
    self._execute_active_sync_plugins(user_id, ldap_user, user)
  File "/omd/sites/mysite/lib/python3/cmk/gui/plugins/userdb/ldap_connector.py", line 1369, in _execute_active_sync_plugins
    user.update(plugin.sync_func(self, key, params or {}, user_id, ldap_user, user))
  File "/omd/sites/mysite/lib/python3/cmk/gui/plugins/userdb/ldap_connector.py", line 1941, in sync_func
    raise MKLDAPException(
cmk.gui.plugins.userdb.ldap_connector.MKLDAPException: The "Authentication Expiration" attribute (pwdlastset) could not be fetched from the LDAP server for user {'cn': ['Lastname, Givenname'], 'samaccountname': ['givenname.lastname'], 'dn': 'cn=lastname\\, givenname (lastname),ou=users,dc=domain,dc=tld'}.

Finalizing synchronization

The user synchronization completed successfully.

Reason

In Active Directory, it is possible that a user may not read the attribute pwdLastSet.

Checkmk needs this attribute to synchronize authorization expiration.

So the user Checkmk uses as the bind user needs to be able to read this attribute.

Solution

  1. Connect to your AD and choose the top entity

  2. Right-click and choose Delegate Control

  3. Select the user, Checkmk uses as the bind user

  4. Give the user permission to
    • Reset User Password
    • Force Password change at next logon

  5. Additionally, Read all user information might be necessary (this is unconfirmed at the time of writing)

  6. Finish the wizard

LDAPs does not work: "Can't contact LDAP server," 'errno': 115

See: LDAPs does not work: "Can't contact LDAP server", 'errno': 115

LDAPs stops working after upgrade from 1.6 to 2.0: "unable to get issuer certificate"

See: LDAPs stops working after upgrade from 1.6 to 2.0: "unable to get issuer certificate"