quanta | 28 Jan 12:08 2013
[Check_mk (english)] Multisite LDAP integration: cannot disable Authentication Expiration plugin?

Due to this error when clicking on the Users & Contacts link in WATO:
Error executing sync hook
The "Authentication Expiration" attribute (pwdchangedtime) could not be fetchedfrom the LDAP server for user {u'cn': [u'noreply']}.

and since the pwdChangedTime attribute is NOT created after changing the password (by the user via phpLdapPasswd and ldapmodify, not by admin)

dn: cn=noreply,ou=it,dc=domain,dc=com
cn: noreply
mail: noreply-9IKiO1iGCm/QT0dZR+AlfA@public.gmane.org
maildrop: noreply-9IKiO1iGCm/QT0dZR+AlfA@public.gmane.org
sn: No
uid: noreply
objectClass: inetOrgPerson
objectClass: mailUser
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
pwdAttribute: userPassword
pwdMaxAge: 31536000
pwdMinAge: 60
pwdAllowUserChange: TRUE
userPassword: {MD5}xx
I'm going to disable the Authentication Expiration plugin. But I can't do this.

On the web interface, in the LDAP Attribute Sync Plugins: by default, Authentication Expiration is unchecked. Moreover, there is no Save button. If I add `ldap_active_plugins  = {'email'}` into the `/etc/check_mk/multisite.d/wato/global.mk`, I'll get the following error when restarting:

Cannot read configuration file /etc/check_mk/multisite.d/wato/global.mk: invalid syntax (global.mk, line 12):

PS:
# cmk -V
This is check_mk version 1.2.1i5
_______________________________________________
checkmk-en mailing list
checkmk-en@...
http://lists.mathias-kettner.de/mailman/listinfo/checkmk-en
quanta | 29 Jan 04:29 2013
Re: [Check_mk (english)] Multisite LDAP integration: cannot disable Authentication Expiration plugin?


On 01/28/2013 06:08 PM, quanta wrote:
> Due to this error when clicking on the Users & Contacts link in WATO:
> Error executing sync hook
> The "Authentication Expiration" attribute (pwdchangedtime) could not be fetchedfrom the LDAP server for user {u'cn': [u'noreply']}.
>
> and since the pwdChangedTime attribute is NOT created after changing the password (by the user via phpLdapPasswd and ldapmodify, not by admin)
>
> dn: cn=noreply,ou=it,dc=domain,dc=com
> cn: noreply
> mail: noreply-9IKiO1iGCm/QT0dZR+AlfA@public.gmane.org
> maildrop: noreply-9IKiO1iGCm/QT0dZR+AlfA@public.gmane.org
> sn: No
> uid: noreply
> objectClass: inetOrgPerson
> objectClass: mailUser
> objectClass: organizationalPerson
> objectClass: person
> objectClass: top
> objectClass: pwdPolicy
> objectClass: pwdPolicyChecker
> pwdAttribute: userPassword
> pwdMaxAge: 31536000
> pwdMinAge: 60
> pwdAllowUserChange: TRUE
> userPassword: {MD5}xx
Actually, the pwdChangedTime attribute is already created but since it is an operational attribute, it is not returned by default.
You have to do an `ldapsearch` with this name:

$ ldapsearch -x -D "cn=Manager,dc=domain,dc=com" -W "cn=noreply" pwdChangedTime
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: cn=noreply
# requesting: pwdChangedTime
#

# noreply, it, domain.com
dn: cn=noreply,ou=it,dc=domain,dc=com
pwdChangedTime: 20130128154849Z

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

To add this attribute to all the users which were created before implementing the Password Policy Overlay, try this:

# -y reads the bind password from a file, so the interactive -W prompt is dropped;
# each matching entry gets its userPassword re-written with its current value, which makes
# the ppolicy overlay set pwdChangedTime.
ldapsearch -x -D cn=Manager,dc=domain,dc=com -y .passwd.txt -L \
    "(&(objectclass=person)(!(pwdChangedTime=*)))" userPassword \
  | sed '/^dn: /a\changetype: modify\nreplace: userPassword' \
  | ldapmodify -x -D cn=Manager,dc=domain,dc=com -y .passwd.txt
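As an added example (not from the thread or from Check_mk), here is a Python replacement for the sed step above: it parses the ldapsearch LDIF properly (comments, folded lines, base64 `::` values) and skips entries that have no userPassword, because a `replace: userPassword` with no values would delete the attribute instead of re-stamping pwdChangedTime. The sample LDIF and its hash value are constructed; feed real ldapsearch output to parse_ldif and pipe the result into ldapmodify.

```python
import base64
# Constructed sample of what the thread's ldapsearch prints (ldapsearch -LLL style; values are made up):
# a folded continuation line (leading space) in the first entry, and a second entry with no userPassword.
SAMPLE_LDIF = """\
dn: cn=noreply,ou=it,dc=domain,dc=com
userPassword:: e01ENX
 14eA==

dn: cn=svc-nopass,ou=it,dc=domain,dc=com
"""

def parse_ldif(text):
    """Return [(dn, {lowercased attr: [bytes]})], handling comments, folded lines and base64 ('::') values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # unfold a continuation line onto the previous one
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, {}
    for line in lines + [""]:              # the appended blank line flushes the last entry
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        if not line:
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, _, value = line.partition(":")
        raw = base64.b64decode(value[1:].strip()) if value.startswith(":") else value.strip().encode()
        if name.lower() == "dn":
            dn = raw.decode()
        else:
            attrs.setdefault(name.lower(), []).append(raw)
    return entries

def to_modify_ldif(entries):
    """Build ldapmodify input that re-asserts each userPassword so ppolicy stamps pwdChangedTime.
    Entries with no userPassword are skipped: a 'replace' with no values would delete the attribute."""
    out, skipped = [], []
    for dn, attrs in entries:
        pwds = attrs.get("userpassword")
        if not pwds:
            skipped.append(dn)
            continue
        out += ["dn: " + dn, "changetype: modify", "replace: userPassword"]
        out += ["userPassword:: " + base64.b64encode(p).decode() for p in pwds]
        out += ["-", ""]                   # '-' closes the modification, blank line ends the record
    return "\n".join(out), skipped
```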