I'm going to integrate the check_mk's Multisite with OpenLDAP. After configuring the LDAP connector, I get the following error when opening the "Users & Contacts" page:
Error executing sync hook
The "Authentication Expiration" attribute (pwdchangedtime) could not be fetched from the LDAP server for user {u'cn': [u'noreply']}.
Here're all the steps that I've done to implement the Password Policy Overlay:
Install overlay modules for OpenLDAP server:
yum install openldap-servers-overlays
Add the following lines to /etc/openldap/slapd.conf:
include /etc/openldap/schema/ppolicy.schema
modulepath /usr/lib64/openldap
moduleload ppolicy.la
Then I restart OpenLDAP and try to change the password. I'm sure it's changed successfully but I don't see the pwdChangedTime attribute when running a ldapsearch:
$ ldapsearch -x -D "cn=Manager,dc=domain,dc=com" -y .passwd.cnf "cn=noreply"
dn: cn=noreply,ou=it,dc=domain,dc=com
cn: noreply
mail: noreply at domain.com
maildrop: noreply at domain.com
sn: No
uid: noreply
objectClass: inetOrgPerson
objectClass: mailUser
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
pwdAttribute: userPassword
pwdMaxAge: 31536000
pwdMinAge: 60
pwdAllowUserChange: TRUE
userPassword: {MD5}xx
Did I miss something?
Best Answer
Actually, the pwdChangedTime attribute is already created, but since it is an operational attribute, it is not returned by default. You have to do a ldapsearch with this name:
or append the plus (+) to the ldapsearch:
To add this attribute to all the users which were created before implementing the Password Policy Overlay, you can simply update the userPassword with the same value:
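Added example, not part of the answer above: a shell function that reads ldapsearch LDIF output and lists the entries that still carry no pwdChangedTime, which are the accounts the sync hook will fail on until their password is set again. The function names, the base DN and filter in the comment, and the sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Live input (standard ldapsearch flags; base DN and filter are assumptions):
#   ldapsearch -x -LLL -D "cn=Manager,dc=domain,dc=com" -y .passwd.cnf \
#     -b "dc=domain,dc=com" "(userPassword=*)" pwdChangedTime \
#     | missing_pwd_changed_time
# Operational attributes are only returned when named (or requested with +),
# so pwdChangedTime has to appear in the attribute list as above.

# Reads LDIF on stdin, prints the DN of every entry without pwdChangedTime.
missing_pwd_changed_time() {
  awk '
    # LDIF folds long lines: a leading space continues the previous line.
    /^ /  { buf = buf substr($0, 2); next }
          { handle(buf); buf = $0 }
    END   { handle(buf); flush() }

    function handle(line) {
      if (line == "") { flush(); return }        # blank line ends an entry
      if (line ~ /^dn::? /) {
        dn = line
        sub(/^dn: /, "", dn)                     # base64 DNs keep "dn:: " prefix
      } else if (tolower(line) ~ /^pwdchangedtime: /) {
        seen = 1
      }
    }
    function flush() {
      if (dn != "" && !seen) print dn
      dn = ""; seen = 0
    }
  '
}

# Constructed sample: one entry with the attribute, two without (one folded DN).
sample_ldif() {
  cat <<'EOF'
dn: cn=noreply,ou=it,dc=domain,dc=com

dn: cn=alice,ou=it,dc=domain,dc=com
pwdChangedTime: 20240101120000Z

dn: cn=a-very-long-constructed-service-account-name,ou=it,dc=doma
 in,dc=com
EOF
}

sample_ldif | missing_pwd_changed_time
```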