[Pkg-nagios-devel] Bug#730470: Bug#730470: check_ldaps fails to verify CA
Jan Wagner
waja at cyconet.org
Sun Dec 1 14:48:36 UTC 2013
severity 730470 normal
thanks
Hi Daniel,
thanks for reporting this issue.
On 25.11.13 12:14, Daniel Pocock wrote:
> Severity: important
Sorry, I disagree with this level. This is not a "bug which has a
major effect on the usability of a package" as this is not
nagios-plugins-ldaps.
> Consider the following:
>
> /usr/lib/nagios/plugins/check_ldaps -H ldap -b dc=example,dc=org -p
> 636 -3
As I actually have no LDAP server running, could you please verify if
the following is working for you:
/usr/lib/nagios/plugins/check_ldap -H ldap -b dc=example,dc=org -S -3
This should make an ldaps connection to port 636.
A "/usr/lib/nagios/plugins/check_ldaps -H ldap -b dc=example,dc=org -p
636 -3 -vvv" could also be interesting.
> It fails with "Could not bind to the LDAP server"
>
> Adding this hack to /etc/ldap/ldap.conf:
>
> TLS_REQCERT never
>
>
> makes it work though. Somebody has actually described this on
> stack overflow as a solution, in fact, it is quite a nasty thing
> for security as all LDAP client code on the system running
> check_ldaps will no longer do cert verification.
>
> Please note I have checked the server cert is not expired and I am
> using a custom CA specified with TLS_CACERT in /etc/ldap/ldap.conf
> - other LDAP clients are happy with that setup and the problem is
> unique to check_ldaps for Nagios
>
> check_ldaps should work without requiring TLS_REQCERT to be
> weakened
After reading a lot about adding "TLS_REQCERT never" and about
openldap in debian wheezy I think this is caused somehow by
libldap-dev/libldap2-dev.
With kind regards, Jan.
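An added example, not part of the original message: a small audit of the ldap.conf workaround the report discusses, showing the weakened file (TLS_REQCERT never, which disables server certificate verification for every libldap client on the host) beside the corrected one. The two configuration snippets and the audit functions are constructed for illustration; TLS_REQCERT semantics follow the ldap.conf(5) man page.

```python
# Constructed sample of /etc/ldap/ldap.conf in the weakened state the report
# describes: a custom CA plus the "TLS_REQCERT never" workaround.
WEAK_LDAP_CONF = """\
# OpenLDAP client settings (constructed example)
BASE   dc=example,dc=org
URI    ldaps://ldap.example.org:636
TLS_CACERT /etc/ssl/certs/example-ca.pem
TLS_REQCERT never
"""

# The same file with the workaround removed: the server certificate must
# chain to TLS_CACERT again or the connection is refused.
FIXED_LDAP_CONF = """\
BASE   dc=example,dc=org
URI    ldaps://ldap.example.org:636
TLS_CACERT /etc/ssl/certs/example-ca.pem
TLS_REQCERT demand
"""


def parse_ldap_conf(text):
    """Return {KEYWORD: value} for an ldap.conf body.

    Keywords are case-insensitive and separated from their value by
    whitespace; '#' starts a comment; later lines override earlier ones.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        settings[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def audit_tls(settings):
    """Return a list of findings about server certificate verification.

    TLS_REQCERT defaults to 'demand' when absent. 'never' and 'allow' both
    let a session proceed with a certificate that fails to verify, so any
    client reading this file (not only check_ldaps) stops checking the CA.
    """
    findings = []
    reqcert = settings.get("TLS_REQCERT", "demand").lower()
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: server certificate not verified")
    if "TLS_CACERT" not in settings and "TLS_CACERTDIR" not in settings:
        findings.append("TLS_CACERT/TLS_CACERTDIR not set: a custom CA cannot be trusted")
    return findings
```

Run `audit_tls(parse_ldap_conf(open("/etc/ldap/ldap.conf").read()))` on a host to see whether the workaround is still in place after the plugin issue is resolved.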