LDAP Search can't find all users

Hey folks, I’m started to work with CheckMK and need to configure the LDAP.
So first I tested my LDAP queries and works as expected to list users and groups.
But when I tried to test the configurations the test said that have only one user to be synced, currently, the group has 13 users.
So I trying to figure out what is happening here but nothing related to logs help me(Tried to check logs in var/logs/web.log).
Anyone had any clue that can help me to troubleshoot/figure out this?

One point can be nested groups. Are all the users directly members of this group or members of other groups that are inside this group?
Other possible problem is the setting of the “User base DN” if some of the users in your group are not under this part of your AD tree then they will not be found/added.

After checking, I confirmed that users are direct members of this group and the users are part of the AD tree.
Also another things that I discovered here: it’s not possible to filter users using memberof and after trying to use a filter to search one user to be synced the error is showed in var/log/web.log:

cmk.gui.plugins.userdb.ldap_connector.MKLDAPException: The "Authentication Expiration" attribute (pwdlastset) could not be fetched from the LDAP server for user

Any other clues that we can test here @andreas-doehler ?

Hi there,

This might help:

It suggests the error might be the result of a permissions issue. Specifically, that the user that Checkmk uses to bind to AD does not have permission to read the pwdlastset attribute.

A couple of years ago, someone in these forums solved the same error message by disabling Check for expiration:

Hope this helps,
Jason Smyth

1 Like

After trying the tips that @jsmyth sent me, CheckMK was able to synchronize just one user (because I create a filter just with my uid, for testing purposes), but when I try to login with my user using LDAP credentials the login fails.
Checking the logs in var/log/web.log I found this:

2022-09-22 19:10:23,280 [30] [cmk.web.auth 1401718] Login failed for username: myusername

For me looks like the CheckMK is not using LDAP to log in to users, exists any way to check why this is happening?

May you share your LDAP settings here. What kind of LDAP server is used?
Also what do you type in to the user field of the login form?
For AD sAMAccounName is used, so you have to use exact the value of this attribute.
If you use the option ‘Create users only on login’ the user must logon once before it will be synced.
We use checkmk LDAP Sync and auth for almost 2000 Users without any issues.