LDAP Search can't find all users

Hey folks, I've started to work with CheckMK and need to configure LDAP.
So first I tested my LDAP queries, and they work as expected to list users and groups.
But when I tried to test the configuration, the test said that there is only one user to be synced; currently, the group has 13 users.
So I'm trying to figure out what is happening here, but nothing in the logs helps me (I tried to check the logs in var/logs/web.log).
Does anyone have any clue that can help me troubleshoot/figure this out?

One possible cause is nested groups. Are all the users directly members of this group, or members of other groups that are inside this group?
Another possible problem is the setting of the “User base DN”: if some of the users in your group are not under this part of your AD tree, then they will not be found/added.

After checking, I confirmed that the users are direct members of this group and that the users are part of the AD tree.
Another thing I discovered here: it's not possible to filter users using memberof, and after trying to use a filter to search for one user to be synced, this error is shown in var/log/web.log:

cmk.gui.plugins.userdb.ldap_connector.MKLDAPException: The "Authentication Expiration" attribute (pwdlastset) could not be fetched from the LDAP server for user

Any other clues that we can test here @andreas-doehler ?

Hi there,

This might help:
https://kb.checkmk.com/display/KB/LDAP

It suggests the error might be the result of a permissions issue. Specifically, that the user that Checkmk uses to bind to AD does not have permission to read the pwdlastset attribute.

A couple of years ago, someone in these forums solved the same error message by disabling Check for expiration:

Hope this helps,
Jason Smyth

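The three causes raised in the two replies above (nested groups, members outside the User base DN, and a pwdLastSet attribute the bind account cannot read) can be reproduced offline with a small simulation of what a group sync sees. This is an added example, not code from this thread or from Checkmk; the directory, DNs and account names are constructed sample data.

```python
# Constructed sample directory (not a real AD): DN -> attributes as the bind
# account can read them. Bob has no pwdLastSet to model a bind account that
# lacks permission to read that attribute.
DIRECTORY = {
    "CN=Monitoring,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"],
        "member": [
            "CN=Alice,OU=Users,DC=example,DC=com",
            "CN=Bob,OU=Users,DC=example,DC=com",
            "CN=Carol,OU=Contractors,DC=example,DC=com",  # outside OU=Users
            "CN=Ops,OU=Groups,DC=example,DC=com",         # nested group
        ],
    },
    "CN=Ops,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"], "member": ["CN=Dave,OU=Users,DC=example,DC=com"]},
    "CN=Alice,OU=Users,DC=example,DC=com": {
        "objectClass": ["user"], "sAMAccountName": "alice", "pwdLastSet": "133083"},
    "CN=Bob,OU=Users,DC=example,DC=com": {
        "objectClass": ["user"], "sAMAccountName": "bob"},
    "CN=Carol,OU=Contractors,DC=example,DC=com": {
        "objectClass": ["user"], "sAMAccountName": "carol", "pwdLastSet": "133083"},
    "CN=Dave,OU=Users,DC=example,DC=com": {
        "objectClass": ["user"], "sAMAccountName": "dave", "pwdLastSet": "133083"},
}

def norm_dn(dn):
    """Normalise a DN for comparison: lower-case, no whitespace around commas."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def is_under(dn, base_dn):
    """True if dn is base_dn itself or lies in the subtree below it."""
    dn, base_dn = norm_dn(dn), norm_dn(base_dn)
    return dn == base_dn or dn.endswith("," + base_dn)

def sync_preview(directory, group_dn, user_base_dn, check_expiration=True):
    """Return (synced sAMAccountNames, {member DN: reason it was skipped})."""
    synced, skipped = [], {}
    for member in directory[group_dn].get("member", []):
        entry = directory[member]
        if "group" in entry["objectClass"]:
            skipped[member] = "nested group: its members are not followed"
        elif not is_under(member, user_base_dn):
            skipped[member] = "outside user base DN"
        elif check_expiration and "pwdLastSet" not in entry:
            skipped[member] = "pwdLastSet not readable by bind account"
        else:
            synced.append(entry["sAMAccountName"])
    return synced, skipped
```

With the group above and a user base DN of OU=Users,DC=example,DC=com only alice is synced; disabling the expiration check adds bob, while Carol and the nested Ops group stay skipped for the reasons the replies describe.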

After trying the tips that @jsmyth sent me, CheckMK was able to synchronize just one user (because I created a filter with just my uid, for testing purposes), but when I try to log in with my user using LDAP credentials, the login fails.
Checking the logs in var/log/web.log, I found this:

2022-09-22 19:10:23,280 [30] [cmk.web.auth 1401718] Login failed for username: myusername

To me it looks like CheckMK is not using LDAP to log users in. Is there any way to check why this is happening?

Could you share your LDAP settings here? What kind of LDAP server is used?
Also, what do you type into the user field of the login form?
For AD, sAMAccountName is used, so you have to use the exact value of this attribute.
If you use the option ‘Create users only on login’, the user must log on once before they will be synced.
We use checkmk LDAP Sync and auth for almost 2000 Users without any issues.

After some tries and some help from another team that has more experience with LDAP configuration, the config works as expected with CheckMK.
For that I needed to add the Group base DN query and the Search filter query too; I also checked the option ‘Create users only on login’, and now the user can log in using their LDAP credentials.
Thanks all for the help.
