Hi
Thanks for the discussion pointer at R1.
But my goal is to pre-create user from ldap connection(MS AD) and assign those account with admin role.
WHY: To save some time on back-and-forth login confirmation and GUI opts.
R1: [Check_mk (english)] How do I create a new user from the command line?
User from LDAP connections are synced in full prior to login if you do not disable that setting.
That means they also get their role assigned.
It might be necessary though to restart the core after a successful synchronization, so the contacts get applied.
I found auto sync all the users(around 20K) from ldap connection will slow down the cmk cre 1.6 GUI operation overall.
So I disabled it and only create cmk user upon first login. but I have dozens of admin accounts hoping to pre-create for them.
Hi T.J.,
if your admin accounts are in a separat group or you have another way to filter for them:
you can create two almost identical ldap connections with the same ldap source, but with different user search filters. And then for your ldap connection with the few admin users, you create all users immediately, while for the other ldap connection, you create users only on first login.
Gerd
Or just use proper filters in the first place, because I assume your 20k users are not all using your monitoring, right?
Thanks to @robin.gierse and @gstolz. Filling out all that fields for ldap connection config is a challenge so I picked the most relaxed filter to pull in so many unwanted users. This is a good idea, I will invest time on finding the correct, narrowed-down filter for ldap connection targeting admin AD group or a smaller sub tree.
Believe me, I know the pain and frustration in building LDAP Queries, but in the end the results are worth it. Best of luck to you! 
By far, checkmk ldap connection GUI module is the best implementation I have seen. Love the “save&test” button and clone existing ones. 
This topic was automatically closed 365 days after the last reply. New replies are no longer allowed. Contact an admin if you think this should be re-opened.