Error message: [SAL_ldap] Exception: The “Authentication Expiration” attribute (krbpasswordexpiration) could not be fetched from the LDAP server for user {‘uid’: [‘xxxx’], ‘cn’: [‘xxxx yyyy’], ‘mail’: [‘xxx@silicon-austria.com’], ‘dn’: ‘uid=xxxx,cn=users,cn=accounts,dc=research,dc=silicon-austria,dc=com’}.
More information can be found in ~/var/log/web.log
This message appears every minute in the web.log.
As this specific logged user is a disabled, old LDAP user (he left the company already), I want to know if there is a way to see where these attempts are coming from (e.g. IP address)?
Of course I know I have Linux tools available, but can I get more out of Checkmk for those login attempts?
I think this message is not related to the user actually trying to log in, but rather Checkmk not being able to synchronize the user properly. I have seen this in the past but cannot remember how to solve this.
It was some permission issue - I think - in AD, where Checkmk was not allowed to read the “Authentication Expiration” attribute.
Is Active Directory really the LDAP provider?
At least in our AD we don’t have the attribute ‘krbpasswordexpiration’ available in user objects.
The default attribute in checkmk 2.0 LDAP connection is ‘pwdlastset’:
I took a closer look at the LDAP connection settings now.
In general we have FreeIPA configured:
and also I had this setting before (this was configured out-of-the-box):
First I tried mike1098’s suggestion:
but this resulted in: “The “Authentication Expiration” attribute (pwdlastset) could not be fetched from the LDAP server …”
so I disabled this completely now:
and now it’s silent. The log message doesn’t appear anymore.
But in the end I’m asking myself: why does it log this attribute especially with a specific user? What is going on automatically with Checkmk in a ~1 minute rhythm regarding the LDAP query?
You may consult your schema of your LDAP environment to see what attributes are available in general.
You can use an LDAP browser to see the attributes of an LDAP object.
I prefer LDAP Browser from Softerra.
Maybe someone removed this attribute from this specific object or it’s removed by default for disabled users.
As suggested already, you need to understand why the attribute does not work.
The error message just arises on some user, but the last time I saw it, it was a general problem.
Be careful though: Disabling the “Authentication Expiration” will leave users able to log into Checkmk, even after being deactivated in LDAP.
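One way to test the theory raised in the thread, that the message comes from a scheduled LDAP synchronization rather than from login attempts, is to measure how regular the entries in web.log are. This is an added example, not part of the original thread and not Checkmk code; the timestamp prefix, the `summarize` helper and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Assumption: each web.log line starts with "YYYY-MM-DD HH:MM:SS"; adjust to your log.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
# Message text as quoted in the thread; accepts straight or typographic quotes.
ERR_RE = re.compile(
    r"attribute \((?P<attr>[^)]+)\) could not be fetched from the LDAP server"
    r".*?dn['’]: ['‘](?P<dn>[^'’]+)"
)

def summarize(lines, tolerance_s=5, min_gaps=3):
    """Group fetch errors by (attribute, DN) and test whether they recur on a fixed interval."""
    seen = defaultdict(list)
    for line in lines:
        ts, err = TS_RE.match(line), ERR_RE.search(line)
        if ts and err:
            stamp = datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S")
            seen[(err["attr"], err["dn"])].append(stamp)
    report = {}
    for key, stamps in seen.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps) if gaps else None
        # Periodic = enough samples and every gap close to the median (scheduler-like cadence).
        periodic = len(gaps) >= min_gaps and all(abs(g - med) <= tolerance_s for g in gaps)
        report[key] = {"count": len(stamps), "median_gap_s": med, "periodic": periodic}
    return report

def constructed_sample():
    """Constructed log lines (not real data): one regular series, one irregular series."""
    base = datetime(2021, 3, 1, 10, 0, 2)
    msg = ('[SAL_ldap] Exception: The "Authentication Expiration" attribute '
           "(krbpasswordexpiration) could not be fetched from the LDAP server for user "
           "{{'uid': ['{0}'], 'dn': 'uid={0},cn=users,cn=accounts,dc=example,dc=com'}}.")
    offsets = {"xxxx": [0, 61, 120, 181, 240, 301], "zzzz": [0, 3, 400, 410]}
    lines = ["2021-03-01 10:00:00 unrelated line that must be ignored"]
    for uid, secs in offsets.items():
        for s in secs:
            stamp = (base + timedelta(seconds=s)).strftime("%Y-%m-%d %H:%M:%S")
            lines.append(f"{stamp} {msg.format(uid)}")
    return lines

if __name__ == "__main__":
    for (attr, dn), info in summarize(constructed_sample()).items():
        print(attr, dn, info)
```

A series flagged as periodic with a gap near 60 seconds matches the "~1 minute" pattern described above; irregular gaps would be worth correlating with other logs.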