How to unlock LDAP user in CheckMK

CheckMK 2.1.0p34 MSP
Alma Linux 8

We are running a distributed setup and using LDAP as our authentication mechanism.
I have a user that tries to log in and after 10 failed attempts gets locked in CheckMK - not in LDAP, as the user is still able to use the credentials in other services using the same LDAP.
If this was to happen on a local user in CheckMK I can unlock the user. But when it’s an LDAP user I do not have the option.

The only way I have been able to “unlock” the user is to delete the user in CheckMK and have them log in again, but then all settings are gone.
What to do?

This is the output from the logs.

2023-10-26 10:26:41,237 [30] [cmk.web.auth 2446433] Login failed for username: test.user (existing: Yes, locked: Yes, failed logins until locked: -25), client: IP
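
A triage sketch for this kind of log line, added here as an example (it is not from the thread or from Checkmk): it parses `cmk.web.auth` failed-login lines in the format quoted above and lists accounts that are locked in Checkmk while logins keep arriving. The sample lines, client addresses and function names are constructed, and a negative "failed logins until locked" value is read as the number of attempts past the limit, which is an assumption.

```python
import re
from collections import defaultdict

# Format taken from the log line quoted in the post; anything else is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[\d+\] \[cmk\.web\.auth \d+\] "
    r"Login failed for username: (?P<user>\S+) "
    r"\(existing: (?P<existing>\w+), locked: (?P<locked>\w+), "
    r"failed logins until locked: (?P<remaining>[^)]+)\), client: (?P<client>\S+)$"
)

# Constructed sample lines: users, PIDs and documentation-range clients are made up.
SAMPLE_LOG = """\
2023-10-26 10:20:03,114 [30] [cmk.web.auth 2446433] Login failed for username: local.admin (existing: Yes, locked: No, failed logins until locked: 9), client: 198.51.100.7
2023-10-26 10:26:39,870 [30] [cmk.web.auth 2446433] Login failed for username: test.user (existing: Yes, locked: Yes, failed logins until locked: -24), client: 192.0.2.10
2023-10-26 10:26:41,237 [30] [cmk.web.auth 2446433] Login failed for username: test.user (existing: Yes, locked: Yes, failed logins until locked: -25), client: 192.0.2.10
2023-10-26 10:27:00,001 [20] [cmk.web 2446433] some unrelated message
"""

def summarize(lines):
    """Return {user: state} built from failed-login lines; the latest line wins."""
    users = defaultdict(lambda: {"failures": 0, "clients": set()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        state = users[m["user"]]
        state["failures"] += 1
        state["clients"].add(m["client"])
        state["last_seen"] = m["ts"]
        state["locked"] = m["locked"] == "Yes"
        try:
            state["remaining"] = int(m["remaining"])
        except ValueError:  # assumed: a non-numeric value may appear here
            state["remaining"] = None
    return dict(users)

def locked_but_still_trying(summary):
    """Locked users with a negative counter, i.e. attempts continued after the lock."""
    return [
        (user, -s["remaining"], sorted(s["clients"]))
        for user, s in sorted(summary.items())
        if s["locked"] and s["remaining"] is not None and s["remaining"] < 0
    ]

if __name__ == "__main__":
    for user, over, clients in locked_but_still_trying(summarize(SAMPLE_LOG.splitlines())):
        print(f"{user}: locked, {over} attempts past the limit, from {', '.join(clients)}")
```

The client list per account shows whether the repeated attempts come from one source, such as a stored or scripted login, before anyone unlocks the account.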

In the LDAP connection there’s a setting “Authentication Expiration” which is enabled by default. This means that the locked/unlocked information is fetched from the LDAP server and cannot be changed manually from within checkmk.

That’s why your Disable password field is read-only.

I would try two things:

  • re-sync with the LDAP server and see if the login is still locked. Sometimes it’s necessary to activate changes.
  • disable the “Authentication Expiration” setting (at least temporarily), re-sync with the LDAP server and then unlock the account manually. I’m not sure if that works, though.

Besides, if the resync doesn’t help, I’d consider this a bug in checkmk. Or some hidden setting which we aren’t aware of.

I disabled the Authentication Expiration in the LDAP config. Then I was able to enable the account again, and after that I enabled the Authentication Expiration again.

I think I will talk to the support team and have them look at a way of doing this differently.

I could disable the “Account Locking” feature in the global settings and let LDAP be the controller of locking the user. But if I do that then local users would be left “unprotected”.

Thanks!

Glad to hear my suggestion helped you. Still, the solution is not completely satisfying. Maybe it’s a design flaw or an unlock button is missing now. I don’t know which would be the best solution.
