Nagios_Nrpe

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
jpingo

Re: Nagios_Nrpe

Post by jpingo »

We are running everything using the scd user ... not root
Note:
On the same nrpe.cfg file we have several LDAP checks running with the same user and settings; the only difference is that some LDAP checks use the --ssl parameter.
Ex:
1st command[check_ldap6]=/home/scd/Basis_Nagios/plugins/check_ldap -H 'xxxxxxxxxxxxxxx' -b '' --port=9007 -D 'cn=moni,cn=Acc' -P 'xxxxxxxxxxxxx' -3 --ssl
2nd command[check_ldap7]=/home/scd/Basis_Nagios/plugins/check_ldap -H 'xxxxxxxxxxxxxxx' -b '' --port=636 -D 'cn=moni,cn=Acc' -P 'xxxxxxxxxxxxx' -3

On Remote:
Running both scripts returned the expected result "LDAP OK - 0.041 seconds response time|time=0.041216s;;;0.000000"

On Nagios Monitoring:
1st command shows error "Could not bind to the LDAP server"
2nd command shows the correct status on the monitoring list "OK"

I hope this helps
scottwilkerson

Re: Nagios_Nrpe

Post by scottwilkerson »

This is bizarre. You may want to add the -v flag to the check_ldap6 config to see if you can get some debug output to display on the Service Status detail page for why it may be failing.
Former Nagios employee
Creator:
ahumandesign.com
enneagrams.com
jpingo

Re: Nagios_Nrpe

Post by jpingo »

Hi Scott,
The -v parameter shows me the same result: "Could not bind to the LDAP server"...
It seems that when the command is called by nrpe_check it is ignoring the -S on the remote check_ldap command, maybe?
scottwilkerson

Re: Nagios_Nrpe

Post by scottwilkerson »

Are you sure it used --ssl and not --starttls?

 -T [--starttls]
    use starttls mechanism introduced in protocol version 3
 -S [--ssl]
    use ldaps (ldap v2 ssl method). this also sets the default port to 636
jpingo

Re: Nagios_Nrpe

Post by jpingo »

scottwilkerson wrote:Are you sure it used --ssl and not --starttls?

 -T [--starttls]
    use starttls mechanism introduced in protocol version 3
 -S [--ssl]
    use ldaps (ldap v2 ssl method). this also sets the default port to 636
Yes, we tried 3 different settings:
check_ldaps with -S
check_ldap --ssl
check_ldap -S
scottwilkerson

Re: Nagios_Nrpe

Post by scottwilkerson »

I was suggesting

check_ldap --starttls
jpingo

Re: Nagios_Nrpe

Post by jpingo »

scottwilkerson wrote:I was suggesting

check_ldap --starttls
--starttls or -T does not work for our connection to the LDAP servers; we already tried it.
ssax

Re: Nagios_Nrpe

Post by ssax »

Please run these commands and post the entire output:

su - scd
/home/scd/Basis_Nagios/plugins/check_ldap -H 'xxxxxxxxxxxxxxx' -b '' --port=9007 -D 'cn=xxxx,cn=xxx' -P 'xxxxxxxxxxxxx' -3 --ssl
What do you have set in your nrpe.cfg for these?

nrpe_user=nagios
nrpe_group=nagios
techtuga

Re: Nagios_Nrpe

Post by techtuga »

Hi,

Long story here, but in order to exclude problems on the NRPE remote side,
we opened the connections to the LDAP server on our Nagios server.

Now we are running check_ldap from our Nagios server, and in return we received the following:

./check_ldap -H 'xxxxxxxxxxxxx' -p 9007 -b 'cn=xxxStempelxxx,cn=xxxxxxxx,cn=xxxxxxxxxxxxxxxx' -D 'cn=xxxxxxxx,cn=xxxxxxxxxx' -P 'xxxxxxxxxxxxxx' -3 -w 10 -c 20 -t 30 --ssl -v
ldap_bind: Can't contact LDAP server (-1)
        additional info: TLS: hostname does not match CN in peer certificate
Could not bind to the LDAP server
We added to the file ~/.ldaprc

TLS_REQCERT     never
and can successfully run the command in the terminal:

./check_ldap -H 'xxxxxxxxxxxxx' -p 9007 -b 'cn=xxxStempelxxx,cn=xxxxxxxx,cn=xxxxxxxxxxxxxxxx' -D 'cn=xxxxxxxx,cn=xxxxxxxxxx' -P 'xxxxxxxxxxxxxx'  -3 -w 10 -c 20 -t 30 --ssl -v
LDAP OK - 0.023 seconds response time|time=0.023327s;10.000000;20.000000;0.000000
But still on the Portal after configuring the same command and restarting everything we get:

HR Basistools Linuxserver	
SCD LDAPS 9007	
Notifications for this service have been disabled
CRITICAL	12:27:51	0d 1h 12m 25s	15/15	Could not bind to the LDAP server
Do you have any explanation for this behavior?
How can we tell the portal to include "TLS_REQCERT never" in the ~/.ldaprc file?
Why is the portal showing a different result than the command run in the terminal?
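An added illustration, written for this thread and not posted by any of the participants, of the two things the failure above turns on: whether the name given to check_ldap -H matches the CN/SAN names in the server certificate, and whether an ldaprc weakens verification with TLS_REQCERT never or allow. OpenLDAP reads a user's ldaprc from that user's $HOME, so a setting in one account's ~/.ldaprc does not apply when NRPE runs the plugin as a different user; the certificate names and the ldaprc contents below are constructed sample values.

```python
import re

# Constructed sample values (not the poster's real server or files).
CERT_NAMES = ["ldap01.example.com", "*.dir.example.com"]   # SAN dNSName / CN entries
SAMPLE_LDAPRC = """\
# constructed ~/.ldaprc mirroring the workaround in the thread
BASE        dc=example,dc=com
TLS_REQCERT     never
"""

def name_matches(hostname: str, cert_name: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, label by label,
    with a wildcard allowed only as the whole leftmost label."""
    host = hostname.rstrip(".").lower().split(".")
    pat = cert_name.rstrip(".").lower().split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return host[0] != "" and host[1:] == pat[1:]
    return host == pat

def hostname_matches_cert(hostname: str, cert_names) -> bool:
    """True if the name passed to -H matches any name in the certificate."""
    return any(name_matches(hostname, n) for n in cert_names)

def weak_tls_reqcert(ldaprc_text: str):
    """Return the TLS_REQCERT value when it weakens peer verification
    ('never' skips the check entirely, 'allow' ignores a bad certificate),
    otherwise None. Comments and surrounding whitespace are ignored."""
    for raw in ldaprc_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"TLS_REQCERT\s+(\S+)", line, re.IGNORECASE)
        if m and m.group(1).lower() in ("never", "allow"):
            return m.group(1).lower()
    return None

def diagnose(hostname: str, cert_names, ldaprc_text: str) -> str:
    """Summarise why a check that passes in one user's shell may still
    fail when NRPE runs it as another user with a different $HOME."""
    if weak_tls_reqcert(ldaprc_text):
        return ("verification disabled by TLS_REQCERT in this ldaprc; "
                "a check running as another user (other $HOME) still verifies")
    if not hostname_matches_cert(hostname, cert_names):
        return "hostname does not match CN/SAN in peer certificate"
    return "certificate name matches; TLS_REQCERT left at a verifying value"
```

Passing the short machine name to -H while the certificate carries the fully qualified name is exactly the case the matcher rejects; fixing -H to the certificate's name avoids turning verification off.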
mbellerue

Re: Nagios_Nrpe

Post by mbellerue »

Quick question. It just says that the hostname and CN in the cert don't match. Are you using the machine name for the -H flag, and domain name in the CN?