[Pkg-nagios-devel] Bug#730470: Bug#730470: check_ldaps fails to verify CA
waja at cyconet.org
Sun Dec 1 14:48:36 UTC 2013
severity 730470 normal
thanks for reporting this issue.
On 25.11.13 12:14, Daniel Pocock wrote:
> Severity: important
Sorry, I disagree with this level. This is not a "bug which has a
major effect on the usability of a package" as this is not
> Consider the following:
> /usr/lib/nagios/plugins/check_ldaps -H ldap -b dc=example,dc=org -p
> 636 -3
As I actually have no LDAP server running, could you please verify if
the following is working for you:
/usr/lib/nagios/plugins/check_ldap -H ldap -b dc=example,dc=org -S -3
This should make an ldaps connection to port 636.
A "/usr/lib/nagios/plugins/check_ldaps -H ldap -b dc=example,dc=org -p
636 -3 -vvv" could also be interesting
> It fails with "Could not bind to the LDAP server"
> Adding this hack to /etc/ldap/ldap.conf:
> TLS_REQCERT never
> makes it work though. Somebody has actually described this on
> stack overflow as a solution, in fact, it is quite a nasty thing
> for security as all LDAP client code on the system running
> check_ldaps will no longer do cert verification.
> Please note I have checked the server cert is not expired and I am
> using a custom CA specified with TLS_CACERT in /etc/ldap/ldap.conf
> - other LDAP clients are happy with that setup and the problem is
> unique to check_ldaps for Nagios
> check_ldaps should work without requiring TLS_REQCERT to be
After reading a lot about adding "TLS_REQCERT never" and about
OpenLDAP in Debian wheezy I think this is caused somehow by
With kind regards, Jan.
Never write mail to <waja at spamfalle.info>, you have been warned!
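An added example, not part of the original message or of the nagios-plugins package: a small Python check that reads ldap.conf-style text and reports when certificate verification has been weakened, as with the "TLS_REQCERT never" workaround quoted in the report. The sample configs and CA path are constructed; "last line wins" and the LDAP<OPTION> environment override are assumptions based on ldap.conf(5).

```python
"""Audit OpenLDAP client config text for weakened TLS certificate checking."""

# Levels from ldap.conf(5): never, allow, try, demand (alias: hard).
# "never" and "allow" let a session proceed with a bad server certificate.
ACCEPTS_BAD_CERT = {"never", "allow"}
DEFAULT_LEVEL = "demand"

# Constructed sample inputs (not taken from any real host).
WORKAROUND_CONF = """\
# workaround quoted in the bug report
TLS_CACERT /etc/ssl/certs/example-ca.pem
TLS_REQCERT never
"""
VERIFYING_CONF = """\
TLS_CACERT /etc/ssl/certs/example-ca.pem
tls_reqcert demand
"""


def parse_ldap_conf(text):
    """Return {OPTION: value}. Option names are case-insensitive.
    Assumption: when an option is repeated, the last line wins."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            options[parts[0].upper()] = parts[1].strip()
    return options


def audit(text, env=None):
    """Return findings for one config text plus LDAP<OPTION> env overrides."""
    options = parse_ldap_conf(text)
    # Assumption: e.g. LDAPTLS_REQCERT in the environment overrides the file.
    for name, value in (env or {}).items():
        if name.upper().startswith("LDAP"):
            options[name.upper()[4:]] = value
    findings = []
    level = options.get("TLS_REQCERT", DEFAULT_LEVEL).lower()
    if level in ACCEPTS_BAD_CERT:
        findings.append(f"TLS_REQCERT {level}: server certificate is not verified")
    if "TLS_CACERT" not in options and "TLS_CACERTDIR" not in options:
        findings.append("no TLS_CACERT or TLS_CACERTDIR set")
    return findings
```

Running `audit()` over the contents of /etc/ldap/ldap.conf with `os.environ` as `env` gives the view for the monitoring user's process; an empty list means neither check fired.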