[Pkg-nagios-devel] Bug#730470: check_ldaps fails to verify CA

Daniel Pocock daniel at pocock.com.au
Mon Nov 25 11:14:22 UTC 2013


Package: nagios-plugins-standard
Version: 1.4.16-1
Severity: important

Consider the following:


/usr/lib/nagios/plugins/check_ldaps -H ldap -b dc=example,dc=org -p 636 -3


It fails with "Could not bind to the LDAP server"

Adding this hack to /etc/ldap/ldap.conf:

TLS_REQCERT never


makes it work though.  Somebody has actually described this on Stack
Overflow as a solution; in fact, it is quite a nasty thing for security,
as all LDAP client code on the system running check_ldaps will no longer
do cert verification.

Please note I have checked the server cert is not expired and I am using
a custom CA specified with TLS_CACERT in /etc/ldap/ldap.conf - other
LDAP clients are happy with that setup and the problem is unique to
check_ldaps for Nagios.

check_ldaps should work without requiring TLS_REQCERT to be weakened.


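As an added example, not part of the bug report or of the nagios-plugins package, here is a POSIX shell audit of an OpenLDAP client ldap.conf that reports the effective TLS_REQCERT value and flags the "never" workaround described above. The two configurations it checks are constructed inline; the hostnames and CA path in them are placeholders.

```shell
#!/bin/sh
# Added example: audit an ldap.conf for a weakened TLS_REQCERT directive.
# Semantics follow ldap.conf(5): the directive name is case-insensitive,
# the last occurrence wins, and an absent directive means "demand".

# Print the effective TLS_REQCERT value (lower-case) for the file in $1.
# Commented-out lines start with "#" in field 1, so they never match.
ldap_reqcert_effective() {
    awk 'toupper($1) == "TLS_REQCERT" { v = tolower($2) }
         END { print (v == "" ? "demand" : v) }' "$1"
}

# Classify the effective setting:
#   strict   - demand/hard: server cert must verify against TLS_CACERT
#   weak     - try: a bad cert is rejected, but no cert at all is tolerated
#   disabled - allow/never: cert problems are ignored (the workaround above)
ldap_reqcert_class() {
    case "$(ldap_reqcert_effective "$1")" in
        demand|hard) echo strict ;;
        try)         echo weak ;;
        allow|never) echo disabled ;;
        *)           echo unknown ;;
    esac
}

# Constructed sample configurations (placeholders, not real files).
weak_conf=$(mktemp)   # the workaround: verification off for every LDAP client
cat > "$weak_conf" <<'EOF'
BASE       dc=example,dc=org
URI        ldaps://ldap.example.org
TLS_CACERT /etc/ssl/certs/example-ca.pem
# TLS_REQCERT demand
TLS_REQCERT never
EOF

good_conf=$(mktemp)   # custom CA trusted, verification still required
cat > "$good_conf" <<'EOF'
BASE       dc=example,dc=org
URI        ldaps://ldap.example.org
TLS_CACERT /etc/ssl/certs/example-ca.pem
tls_reqcert demand
EOF

for f in "$weak_conf" "$good_conf"; do
    printf '%s: TLS_REQCERT=%s (%s)\n' "$f" \
        "$(ldap_reqcert_effective "$f")" "$(ldap_reqcert_class "$f")"
done
rm -f "$weak_conf" "$good_conf"
```

Pointing the script at the real /etc/ldap/ldap.conf shows whether the host has been left with system-wide verification disabled after such a workaround.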
