[Pkg-nagios-devel] Bug#730470: check_ldaps fails to verify CA
Daniel Pocock
daniel at pocock.com.au
Mon Nov 25 11:14:22 UTC 2013
Package: nagios-plugins-standard
Version: 1.4.16-1
Severity: important
Consider the following:
/usr/lib/nagios/plugins/check_ldaps -H ldap -b dc=example,dc=org -p 636 -3
It fails with "Could not bind to the LDAP server"
Adding this hack to /etc/ldap/ldap.conf:
TLS_REQCERT never
makes it work, though. Somebody has actually described this on Stack
Overflow as a solution; in fact, it is quite a nasty thing for security,
as all LDAP client code on the system running check_ldaps will no longer
do cert verification.
Please note I have checked the server cert is not expired and I am using
a custom CA specified with TLS_CACERT in /etc/ldap/ldap.conf - other
LDAP clients are happy with that setup and the problem is unique to
check_ldaps for Nagios.
check_ldaps should work without requiring TLS_REQCERT to be weakened.
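The report's point about the workaround is that `TLS_REQCERT never` in /etc/ldap/ldap.conf is read by every libldap client on the host, not just check_ldaps, so the setting is worth auditing on any machine where someone may have applied the Stack Overflow advice. The script below is an added example, not part of the bug report or of nagios-plugins: it reads an ldap.conf-style file, reports the effective TLS_REQCERT level (OpenLDAP treats an absent option as `demand`), and flags anything other than `demand` or `hard` as weakened. The three config files and the CA path in them are constructed for the demonstration; on a real host you would point it at /etc/ldap/ldap.conf and any per-user ~/.ldaprc.

```shell
#!/bin/sh
# Added example (not from the bug report): audit ldap.conf-style files for a
# weakened TLS_REQCERT. OpenLDAP's default when the option is absent is
# "demand" (verify the server certificate); "never" and "allow" turn
# verification off for every libldap client on the host, not only check_ldaps.

# Print the effective TLS_REQCERT value of one config file: keyword match is
# case-insensitive, comment lines are ignored, the last occurrence wins, and a
# missing option yields "demand".
ldap_tls_reqcert_level() {
    awk 'tolower($1) == "tls_reqcert" { v = tolower($2) }
         END { print (v == "" ? "demand" : v) }' "$1"
}

# Return 0 when the file leaves certificate verification in force
# (demand/hard), 1 for never/allow/try or any unexpected value.
ldap_conf_verifies_certs() {
    case "$(ldap_tls_reqcert_level "$1")" in
        demand|hard) return 0 ;;
        *)           return 1 ;;
    esac
}

# Constructed sample configs so the script runs stand-alone; the CA path is
# a placeholder, not a real file.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

cat > "$workdir/hack.conf" <<'EOF'
# the workaround from the report: disables verification system-wide
TLS_CACERT /etc/ssl/certs/example-ca.pem
TLS_REQCERT never
EOF

cat > "$workdir/good.conf" <<'EOF'
TLS_CACERT /etc/ssl/certs/example-ca.pem
TLS_REQCERT demand
EOF

cat > "$workdir/default.conf" <<'EOF'
# no TLS_REQCERT line at all: OpenLDAP defaults to demand
TLS_CACERT /etc/ssl/certs/example-ca.pem
EOF

# Report each file; the WEAKENED line is what a config audit should alert on.
for f in "$workdir"/*.conf; do
    level=$(ldap_tls_reqcert_level "$f")
    if ldap_conf_verifies_certs "$f"; then
        printf '%s: TLS_REQCERT=%s (verification on)\n' "$f" "$level"
    else
        printf '%s: TLS_REQCERT=%s (WEAKENED: no certificate verification)\n' "$f" "$level"
    fi
done
```

The right fix for the situation in the report is to keep `TLS_REQCERT demand` (or leave it unset) and make sure the custom CA is reachable through `TLS_CACERT`, which is exactly the setup the reporter already has; the audit above only tells you whether someone has since traded verification away to make a single check go green.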