Nagios_Nrpe
Re: Nagios_Nrpe
We are running everything using the scd user ... not root
Note:
On the same nrpe.cfg file we have several ldap checks running with the same user and settings; the only difference is that some ldap checks use the --ssl parameter.
Ex:
1st command[check_ldap6]=/home/scd/Basis_Nagios/plugins/check_ldap -H 'xxxxxxxxxxxxxxx' -b '' --port=9007 -D 'cn=moni,cn=Acc' -P 'xxxxxxxxxxxxx' -3 --ssl
2nd command[check_ldap7]=/home/scd/Basis_Nagios/plugins/check_ldap -H 'xxxxxxxxxxxxxxx' -b '' --port=636 -D 'cn=moni,cn=Acc' -P 'xxxxxxxxxxxxx' -3
On Remote:
Running both scripts returned the expected result "DAP OK - 0.041 seconds response time|time=0.041216s;;;0.000000"
On Nagios Monitoring:
1st command shows error "Could not bind to the LDAP server"
2nd command shows the correct status on the monitoring list "OK"
I hope this helps
Re: Nagios_Nrpe
This is bizarre. You may want to add the -v flag to the check_ldap6 config, to see if you can get some debug output to display on the Service Status detail page for why it may be failing.
Re: Nagios_Nrpe
Hi Scott,
the -v parameter shows me the same result "Could not bind to the LDAP server"...
It seems that when calling the command by nrpe_check it is ignoring the -S on the remote check_ldap command, maybe?
Re: Nagios_Nrpe
Are you sure it used --ssl and not --starttls?
Code: Select all
-T [--starttls]
use starttls mechanism introduced in protocol version 3
-S [--ssl]
use ldaps (ldap v2 ssl method). this also sets the default port to 636
Re: Nagios_Nrpe
scottwilkerson wrote:
Are you sure it used --ssl and not --starttls?
Code: Select all
-T [--starttls]
use starttls mechanism introduced in protocol version 3
-S [--ssl]
use ldaps (ldap v2 ssl method). this also sets the default port to 636
Yes, we tried 3 different settings:
check_ldaps with -S
check_ldap --ssl
check_ldap -S
Re: Nagios_Nrpe
I was suggesting
Code: Select all
check_ldap --starttls
Re: Nagios_Nrpe
scottwilkerson wrote:
I was suggesting
Code: Select all
check_ldap --starttls
--starttls or -T does not work for our connection to the ldap servers; we already tried it.
Re: Nagios_Nrpe
Please run these commands and post the entire output:
Code: Select all
su - scd
/home/scd/Basis_Nagios/plugins/check_ldap -H 'xxxxxxxxxxxxxxx' -b '' --port=9007 -D 'cn=xxxx,cn=xxx' -P 'xxxxxxxxxxxxx' -3 --ssl
What do you have set in your nrpe.cfg for these?
Code: Select all
nrpe_user=nagios
nrpe_group=nagios
Re: Nagios_Nrpe
Hi,
Long story here, but in order to discard problems on the nrpe remote side, we opened the connections to the ldap server on our Nagios Server.
Now we are running the check_ldap from our Nagios Server; in return we received the following:
Code: Select all
./check_ldap -H 'xxxxxxxxxxxxx' -p 9007 -b 'cn=xxxStempelxxx,cn=xxxxxxxx,cn=xxxxxxxxxxxxxxxx' -D 'cn=xxxxxxxx,cn=xxxxxxxxxx' -P 'xxxxxxxxxxxxxx' -3 -w 10 -c 20 -t 30 --ssl -v
ldap_bind: Can't contact LDAP server (-1)
additional info: TLS: hostname does not match CN in peer certificate
Could not bind to the LDAP server
We added to the file ~./ldaprc
Code: Select all
TLS_REQCERT never
and can successfully run the command in the terminal:
Code: Select all
./check_ldap -H 'xxxxxxxxxxxxx' -p 9007 -b 'cn=xxxStempelxxx,cn=xxxxxxxx,cn=xxxxxxxxxxxxxxxx' -D 'cn=xxxxxxxx,cn=xxxxxxxxxx' -P 'xxxxxxxxxxxxxx' -3 -w 10 -c 20 -t 30 --ssl -v
LDAP OK - 0.023 seconds response time|time=0.023327s;10.000000;20.000000;0.000000
But still on the Portal, after configuring the same command and restarting everything, we get:
Code: Select all
HR Basistools Linuxserver
SCD LDAPS 9007
Notifications for this service have been disabled
CRITICAL 12:27:51 0d 1h 12m 25s 15/15 Could not bind to the LDAP server
Do you have any explanation for this behavior?
How can we tell the portal to include "TLS_REQCERT never" in the ~./ldaprc file?
Why is the portal showing a different result than the command run in the terminal?
Re: Nagios_Nrpe
Quick question. It just says that the hostname and CN in the cert don't match. Are you using the machine name for the -H flag, and domain name in the CN?
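Added illustration, not part of the thread and not libldap's own code: a simplified Python model of the name comparison behind "hostname does not match CN in peer certificate", showing which values for -H a certificate would accept so that verification can stay enabled. The certificate names, host names and function names are constructed for the example.

```python
# Added example (not from the thread): simplified model of the TLS host-name
# check. It compares the -H value against the certificate's subject CN and
# SAN dNSName entries. All names below are constructed placeholders.

def name_matches(cert_name: str, host: str) -> bool:
    """True if one certificate name (CN or SAN dNSName) covers `host`."""
    pattern = cert_name.lower().rstrip(".").split(".")
    labels = host.lower().rstrip(".").split(".")
    if len(pattern) != len(labels):
        return False  # a short name like "ldap01" never matches an FQDN
    if pattern[0] == "*" and len(pattern) > 2:
        # A wildcard is honoured only as the whole left-most label.
        return pattern[1:] == labels[1:]
    return pattern == labels


def check_host_arg(host: str, subject_cn: str, san_dns=()):
    """Return (ok, names): whether `host` matches any name in the certificate."""
    names = list(dict.fromkeys([*san_dns, subject_cn]))  # de-duplicate, keep order
    return any(name_matches(n, host) for n in names), names


def suggest(host: str, subject_cn: str, san_dns=()):
    """Certificate names sharing the short host name: candidates for -H."""
    ok, names = check_host_arg(host, subject_cn, san_dns)
    if ok:
        return [host]
    short = host.lower().split(".")[0]
    return [n for n in names if n.lower().split(".")[0] == short]


# Constructed certificate: CN is the FQDN, SAN adds a service alias.
CN = "ldap01.corp.example"
SAN = ("ldap01.corp.example", "ldaps.corp.example")

if __name__ == "__main__":
    # An IP address is treated as a plain string here, so it mismatches
    # unless the certificate literally carries it as a name.
    for h in ("ldap01", "10.0.0.15", "ldap01.corp.example", "ldaps.corp.example"):
        ok, _ = check_host_arg(h, CN, SAN)
        status = "match" if ok else "MISMATCH"
        print(f"-H {h:22} -> {status}; usable names: {suggest(h, CN, SAN)}")
```
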