Investigate login attempt: how do I find LDAP Login User?

CMK version: 2.1.0p12
OS version: CentOS 7

Error message: [SAL_ldap] Exception: The “Authentication Expiration” attribute (krbpasswordexpiration) could not be fetched from the LDAP server for user {‘uid’: [‘xxxx’], ‘cn’: [‘xxxx
yyyy’], ‘mail’: [‘xxx@silicon-austria.com’], ‘dn’: ‘uid=xxxx,cn=users,cn=accounts,dc=research,dc=silicon-austria,dc=com’}.
More information can be found in ~/var/log/web.log

This message appears every minute in the web.log

As this specific logged user is a disabled, old LDAP user (he already left the company), I want to know if there is a way to see where these attempts are coming from (e.g. IP address)?

Of course I know I have Linux tools available, but can I get more out of Checkmk for those login attempts?

Thanks!

I think this message is not related to the user actually trying to log in, but rather Checkmk not being able to synchronize the user properly. I have seen this in the past but cannot remember how to solve this.
It was some permission issue - I think - in AD, where Checkmk was not allowed to read the “Authentication Expiration” attribute.

Is Active Directory really the LDAP provider?
At least in our AD we don't have the attribute 'krbpasswordexpiration' available in user objects.
The default attribute in the Checkmk 2.0 LDAP connection is 'pwdlastset':

Thanks for your reply and help.

I took a closer look at the LDAP connection settings now.
In general we have FreeIPA configured:
image

and also I had this setting before (this was configured out-of-the-box):
image

First I tried mike1098's suggestion:
image

but this resulted in:
“The “Authentication Expiration” attribute (pwdlastset) could not be fetched from the LDAP server …”

so I disabled this completely now:
image

and now it’s silent. The log message doesn’t appear anymore.

But in the end I'm asking myself: why does it log this attribute especially for a specific user? What is going on automatically in Checkmk in a ~1 minute rhythm regarding the LDAP query?

You may consult the schema of your LDAP environment to see what attributes are available in general.
You can use an LDAP browser to see the attributes of an LDAP object.
I prefer LDAP Browser from Softerra.
Maybe someone removed this attribute from this specific object, or it's removed by default for disabled users.
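The check the previous posts describe (look at the actual attributes of each user object and see whether the expiry attribute is there at all, and whether it is the disabled users that lack it) can be done from an LDIF export instead of a GUI browser. The following is an added example, not code from the thread or from Checkmk: it parses constructed `ldapsearch -LLL`-style LDIF, reports per entry whether the configured expiry attribute is present and whether the FreeIPA lock flag `nsAccountLock` is set, and lists the DNs a sync reading that attribute would fail on. The DNs, user names and values are made up; the attribute name to check is a parameter so the same audit works for `pwdlastset` on an AD export.

```python
"""Audit an LDIF export for the attribute an LDAP sync reads as
"Authentication Expiration". Added example with constructed input;
not part of the forum thread or of Checkmk.

Assumed source of the export (placeholders for base DN and filter):
    ldapsearch -LLL -b cn=users,cn=accounts,dc=example,dc=com '(uid=*)' \
        uid krbPasswordExpiration nsAccountLock
"""
import base64
from typing import Dict, List

# Constructed sample: one active user carrying krbPasswordExpiration and
# one disabled user (nsAccountLock: TRUE) whose entry lacks the attribute.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
uid: alice
krbPasswordExpiration: 20250101000000Z
nsAccountLock: FALSE

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
uid: bob
nsAccountLock: TRUE
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF into a list of {attribute(lowercased): [values]} dicts.

    Handles folded continuation lines (leading space), comments, and
    base64 values written as "attr:: <b64>". Attribute names are
    lowercased because LDAP attribute names are case-insensitive.
    """
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]      # continuation of previous line
        else:
            unfolded.append(raw)

    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded:
        if not line.strip():             # blank line separates entries
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):        # "attr:: base64value"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def audit_entry(entry: Dict[str, List[str]],
                expiry_attr: str = "krbpasswordexpiration") -> Dict[str, object]:
    """Report for one entry: its DN, whether it is locked, whether it
    carries the expiry attribute the sync is configured to read."""
    dn = entry.get("dn", ["<no dn>"])[0]
    locked = entry.get("nsaccountlock", ["FALSE"])[0].upper() == "TRUE"
    return {"dn": dn, "locked": locked,
            "has_expiry": expiry_attr.lower() in entry}


def audit_ldif(text: str,
               expiry_attr: str = "krbpasswordexpiration") -> List[Dict[str, object]]:
    return [audit_entry(e, expiry_attr) for e in parse_ldif(text)]


def missing_expiry(text: str,
                   expiry_attr: str = "krbpasswordexpiration") -> List[str]:
    """DNs whose entry lacks the expiry attribute: a sync that reads it
    would log a 'could not be fetched' error for exactly these users."""
    return [str(r["dn"]) for r in audit_ldif(text, expiry_attr)
            if not r["has_expiry"]]


if __name__ == "__main__":
    for r in audit_ldif(SAMPLE_LDIF):
        state = "LOCKED" if r["locked"] else "active"
        attr = "present" if r["has_expiry"] else "MISSING"
        print(f"{r['dn']}: {state}, krbPasswordExpiration {attr}")
    print("would fail sync:", missing_expiry(SAMPLE_LDIF))
```

Run it against a real export by replacing `SAMPLE_LDIF` with the file contents; if the DNs it lists are exactly the locked ones, the attribute is being stripped for disabled accounts rather than missing from the schema, which narrows down which of the two explanations above applies.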

As suggested already, you need to understand why the attribute does not work.
The error message just arises for some user, but the last time I saw it, it was a general problem.

Be careful though: Disabling the “Authentication Expiration” will leave users able to log into Checkmk, even after being deactivated in LDAP.

The user clearly shows they are using 389 directory server so I guess that’s a no :slight_smile:

RU sure?

https://directory.fedoraproject.org/docs/389ds/design/password-controls.html

Yes, because when Checkmk does not look at that attribute for synchronization, how would it know that the user account is locked/disabled?

When a user logs on, Checkmk does a bind with the user's credentials. If the bind is not successful, he cannot log on.
See the link I sent above:
