[Check_mk (english)] WATO and LDAP - marriage problem

Jim Welch [03.12.2013 20:08]:

> Is the check case sensitive?
> If so, ufzPersonpwlastchanged <> ufzpersonpwlastchanged.

I do not know. But I do not think so, since LDAP in general is not case
sensitive. Besides, why does check_mk show the value and tell me it
can't be read?

Maybe check_mk expects another time format, but how can I check this?

Werner

BTW, I prefer answers to the list, not as PM.

----- Original Message -----
From: "Werner Flamme" <werner.flamme@ufz.de>
To: "checkmk-en@lists.mathias-kettner.de" <checkmk-en@lists.mathias-kettner.de>
Sent: Tuesday, December 3, 2013 9:13:29 AM
Subject: [Check_mk (english)] WATO and LDAP - marriage problem

Hi list,

I try to introduce LDAP authentication to my check_mk/WATO system. After
a while, I found a suitable LDAP filter
"(&(objectclass=posixAccount)(gidNumber=1234))" to enable one LDAP group
to login only.

We use the former SUN LDAP servers to authenticate against, and we have
custom schema extensions, so I had to modify the file
/omd/versions/1.01.20131129/share/check_mk/web/plugins/userdb/ldap.py,
because for some obscure reason it asks for the time the password was
changed last, and we store this in one of our custom parameters.

Before the change, a click on "Users & Contacts" brought an error that
the attribute could not be read. After the change, I get notes

---snip---
Error executing sync hook

The "Authentication Expiration" attribute (ufzPersonpwlastchanged) could
not be fetched from the LDAP server for user {u'mail':
[u'some.one@ufz.de'], u'cn': [u'Some One'], u'uid': [u'someone'],
u'ufzpersonpwlastchanged': [u'20120905124331Z']}.
---pins---

The system is kidding, isn't it? It tells me it can't read the
attribute, but it shows me the value?

What can I do to get the LDAP adapter to work?

Regards,
Werner

--
Werner Flamme, Dept. WKDV
Helmholtz-Zentrum für Umweltforschung GmbH - UFZ
Helmholtz Centre for Environmental Research - UFZ
Permoserstr. 15 - 04318 Leipzig / Germany
Tel./phone: +49 341 235-1921 - Fax +49 341 235-451921
Information pursuant to §§ 37a HGB, 35a GmbHG:
Registered office: Leipzig
Registration court: Amtsgericht Leipzig, commercial register no. B 4703
Chairman of the Supervisory Board: MinDirig Wilfried Kraus
Scientific Managing Director: Prof. Dr. Georg Teutsch
Administrative Managing Director: Dr. Heike Graßmann

Werner Flamme [04.12.2013 08:02]:

> Jim Welch [03.12.2013 20:08]:
>
>> Is the check case sensitive?
>> If so, ufzPersonpwlastchanged <> ufzpersonpwlastchanged.
>
> I do not know. But I do not think so, since LDAP in general is not case
> sensitive. Besides, why does check_mk show the value and tell me it
> can't be read?
>
> Maybe check_mk expects another time format, but how can I check this?

As I found in line 458 in
</omd/versions/1.01.20131129/share/check_mk/web/plugins/userdb/ldap.py>,
the content of the file is not parsed, so the format of the timestamp is
not the problem.

As far as I understand the code (but I do not know Python), the
attribute is only checked for content at all.

Since there are some accounts who still have their initial passwords, I
decided to use the LDAP filter
(&(objectclass=posixAccount)(gidNumber=1234)(ufzpersonpwlastchanged=*))
and the error is gone.

Problem solved :-)

Werner
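
Both questions raised in the thread (attribute-name case and timestamp format) can be tested outside check_mk. The following is an added example, not code from ldap.py or from either poster. It shows that an exact-key Python dictionary lookup is case sensitive even though LDAP attribute names are not; whether the plugin does such a lookup is an assumption. The first entry is copied from the quoted error message, and the second is constructed.

```python
from datetime import datetime, timezone

# User entry exactly as printed in the error message quoted in the thread.
ENTRY_FROM_ERROR = {
    "mail": ["some.one@ufz.de"],
    "cn": ["Some One"],
    "uid": ["someone"],
    "ufzpersonpwlastchanged": ["20120905124331Z"],
}
# Constructed sample: an account that still has its initial password.
ENTRY_WITHOUT_ATTR = {"mail": ["new.user@example.org"], "cn": ["New User"], "uid": ["newuser"]}

CONFIGURED_ATTR = "ufzPersonpwlastchanged"  # spelling used in the error text


def classify_lookup(entry, attr):
    """Say how (or whether) attr can be found among the entry's keys."""
    if attr in entry:
        return "exact"
    if any(key.lower() == attr.lower() for key in entry):
        return "case-mismatch"
    return "missing"


def get_attr_ci(entry, attr):
    """Fetch an attribute's values, matching the name case-insensitively."""
    for key, values in entry.items():
        if key.lower() == attr.lower():
            return values
    return None


def parse_generalized_time(value):
    """Parse the YYYYMMDDHHMMSSZ form of LDAP GeneralizedTime into UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


if __name__ == "__main__":
    for label, entry in (("from error", ENTRY_FROM_ERROR), ("constructed", ENTRY_WITHOUT_ATTR)):
        print(label, "->", classify_lookup(entry, CONFIGURED_ATTR))
    values = get_attr_ci(ENTRY_FROM_ERROR, CONFIGURED_ATTR)
    print(parse_generalized_time(values[0]).isoformat())
```
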
