Automatic ldap sync not working anymore

CMK version: 2.1.0p16
OS version: Ubuntu 20.04 LTS

Hi there

We have been using CheckMK since version 1.6. In the meantime we are at 2.1.0p16. We have four different LDAP connections. For users, groups and different OUs.

For quite some time (even before the migration to 2.1) the automatic LDAP sync does not work anymore. The time period is set to “every hour”. The synchronization can be triggered manually (via Users - Synchronize Users), which also works without problems. Afterwards the result can be retrieved under “Users - Last synchronization result”. Strangely enough, the hourly synchronization does not work.

I searched the different log files under /opt/omd/sites/sitename/var/log/ for all possible terms (like ldap, user, etc.) and found no clue. Likewise, the keyword ldap does not appear anywhere in the crontab of the site user.

Does anyone know this behavior? And does anyone have a solution/suggestion for it?

Best regards
Christian

Did you upgrade to 2.1 from 1.6? I don’t think automatic LDAP sync has always been in Checkmk (perhaps it was there in 1.6).

Curious why you have four connections, though. You can accomplish this with one and just use LDAP filters.

Hi Anders

Thank you for your reply.

LDAP sync was also in 1.6 with sync interval available. https://docs.checkmk.com/1.6.0/en/ldap.html#_the_synchronisation_interval

We have more connections because we have several base DNs. So a consolidation to one connection is not possible. :man_shrugging:

Today I did some troubleshooting again. I created a new test site and copied the content from the user_connections.mk to the new test site. And the sync is running fine. Great. Thus, it is not due to the configuration.
There seems to be some other reason why Checkmk does not execute the sync task.

Any other ideas what it could be?

We are on 1.6 and the automatic sync does not work, but we have been upgraded from 1.5 (where I think this did not exist) and have a separate cron job that syncs LDAP users.

But a new site also works fine for us. Perhaps you need to create a new connection and delete the old.

We use just DC in our base DN, but use search filters where we use memberof=CN=[Security groups that should be in scope]

So you only need to be a member of a Security Group to be added to Checkmk. If you’re not part of any of these then you can’t have any roles (they are also part of groups, obviously).

I deleted all connections and created only one new. A minimal one. But without success.

Finally I found the setting. :man_facepalming:
We use distributed monitoring. And the users are synchronized from the master site to the slaves. The slave sites have the configuration “Disable automatic user synchronization (use master site users)”. Someone had also made this setting on the master site. And that’s why it didn’t work anymore.
After I reset the setting to the default “Sync users with all connections”, everything works again.

Thanks for helping with troubleshooting. :pray:

Glad you found the problem.
I got the impression that it HAS worked, but that can’t be true, no one can have been able to log in.
