Troubleshooting LDAP issues
This article gives an overview of common LDAP issues we have seen over time.
Last tested on Checkmk 2.3.0p1
You can use it as a checklist and work through the steps one by one.
User locking is not synchronized properly
Problem
You receive an error message on user synchronization similar to the following:
Synchronization started...
[CONNECTION] Starting sync for connection
[CONNECTION] Exception: The "Authentication Expiration" attribute (pwdlastset) could not be fetched from the LDAP server for user {'cn': ['Lastname, Givenname'], 'samaccountname': ['givenname.lastname'], 'dn': 'cn=lastname\\, givenname (lastname),ou=users,dc=domain,dc=tld'}.
2022-08-10 11:56:01,202 [40] [cmk.web 10815] Exception (CONNECTION, userdb_job): Traceback (most recent call last):
  File "/omd/sites/mysite/lib/python3/cmk/gui/userdb.py", line 1501, in _execute_sync_action
    connection.do_sync(
  File "/omd/sites/mysite/lib/python3/cmk/gui/plugins/userdb/ldap_connector.py", line 1282, in do_sync
    self._execute_active_sync_plugins(user_id, ldap_user, user)
  File "/omd/sites/mysite/lib/python3/cmk/gui/plugins/userdb/ldap_connector.py", line 1369, in _execute_active_sync_plugins
    user.update(plugin.sync_func(self, key, params or {}, user_id, ldap_user, user))
  File "/omd/sites/mysite/lib/python3/cmk/gui/plugins/userdb/ldap_connector.py", line 1941, in sync_func
    raise MKLDAPException(
cmk.gui.plugins.userdb.ldap_connector.MKLDAPException: The "Authentication Expiration" attribute (pwdlastset) could not be fetched from the LDAP server for user {'cn': ['Lastname, Givenname'], 'samaccountname': ['givenname.lastname'], 'dn': 'cn=lastname\\, givenname (lastname),ou=users,dc=domain,dc=tld'}.
Finalizing synchronization
The user synchronization completed successfully.
Reason
In Active Directory, an account is not necessarily permitted to read the pwdLastSet attribute of other users. Checkmk needs this attribute to synchronize the authentication expiration (the "Authentication Expiration" attribute named in the error above).
Therefore the account that Checkmk uses as the bind user must be able to read this attribute for every synchronized user.
Solution
Connect to your AD and choose the top entity
Right-click and choose Delegate Control
Select the user that Checkmk uses as the bind user
Give the user permission to
Reset User Password
Force Password change at next logon
Additionally, Read all user information might be necessary (this is unconfirmed at the time of writing)
Finish the wizard
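To verify the result from the Checkmk server, the following added check (not part of this article or of Checkmk) queries one user's pwdLastSet as the bind user with ldapsearch and tells a missing attribute (the permission problem above) apart from a returned value. The host, bind DN and search base are placeholders for your environment.

```shell
#!/usr/bin/env bash
# Added check, not from the Checkmk documentation. Hostname, bind DN and
# search base are placeholders; replace them with your own values.

# Convert a Windows FILETIME (100-ns intervals since 1601-01-01) to Unix epoch.
filetime_to_epoch() {
    echo $(( $1 / 10000000 - 11644473600 ))
}

# Read ldapsearch LDIF from stdin and print a verdict for pwdLastSet.
# Exit status: 0 = attribute readable, 1 = entry found but attribute missing,
# 2 = no entry returned at all.
classify_pwdlastset() {
    local dn="" value=""
    while IFS= read -r line; do
        case "$line" in
            dn:\ *)         dn="${line#dn: }" ;;
            pwdLastSet:\ *) value="${line#pwdLastSet: }" ;;
        esac
    done
    if [ -z "$dn" ]; then
        echo "no entry returned: check search base, filter and bind credentials"
        return 2
    fi
    if [ -z "$value" ]; then
        echo "$dn: pwdLastSet NOT returned, bind user lacks read permission on it"
        return 1
    fi
    if [ "$value" = "0" ]; then
        echo "$dn: pwdLastSet=0 (password change required at next logon)"
        return 0
    fi
    local epoch; epoch=$(filetime_to_epoch "$value")
    local when; when=$(date -u -d "@$epoch" +%Y-%m-%dT%H:%MZ 2>/dev/null || echo "epoch $epoch")
    echo "$dn: pwdLastSet=$value (last set $when)"
    return 0
}

# Query one user (by sAMAccountName) as the Checkmk bind user; -W prompts
# for the bind password, -o ldif-wrap=no keeps long DNs on one line.
check_user() {
    ldapsearch -LLL -o ldif-wrap=no -H "ldaps://dc.domain.tld" \
        -D "cn=checkmk-bind,ou=service,dc=domain,dc=tld" -W \
        -b "ou=users,dc=domain,dc=tld" "(sAMAccountName=$1)" pwdLastSet \
        | classify_pwdlastset
}
```

Run `check_user givenname.lastname` after the delegation; exit status 1 means the permission change has not taken effect for that user.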
Other issues
LDAPs does not work: "Can't contact LDAP server", 'errno': 115
LDAPs stops working after upgrade from 1.6 to 2.0: "unable to get issuer certificate"