check_ldap fails from inside Nagios

[highness]

Here is an interesting one...

I can run check_ldap or check_ldaps from the command line and the check works without a hitch:

Code: Select all

[email protected] (Linux) $ /usr/local/nagios/libexec/check_ldaps -H ldap0001.example.com -p 636 -b "dc=example,dc=com" -D "uid=nagios_monitor,ou=privls,dc=example,dc=com" -P "supersecretpasswordgoeshere" -3
LDAP OK - 0.027 seconds response time|time=0.026954s;;;0.000000

I can run that same check from CCM under that particular service (Test Check Command) and it runs fine as well.

When I have Nagios run it (as a normally scheduled check), it fails with "Cannot bind to server"

Any ideas where to start to fix this?

[Box293]

What happens when you execute the command as the nagios user:

Code: Select all

su nagios
/usr/local/nagios/libexec/check_ldaps -H ldap0001.example.com -p 636 -b "dc=example,dc=com" -D "uid=nagios_monitor,ou=privls,dc=example,dc=com" -P "supersecretpasswordgoeshere" -3

You may need to define some environment variables:
https://support.nagios.com/kb/article.php?id=489

[highness]

When I su over to nags and run that command, it returns fine:

Code: Select all

/usr/local/nagios/libexec/check_ldaps -H ldap0001.example.com -p 636 -b "dc=example,dc=com" -D "uid=nagios_monitor,ou=privls,dc=example,dc=com" -P "supersecretpasswordgoeshere" -3
LDAP OK - 0.039 seconds response time|time=0.039407s;;;0.000000

[ssax]

99.9% of the time it's because of special characters in the password, do you have special characters in your password?

If so, try setting up a user variable and see if that resolves the issue:
- Note: You can't use the test check button in the CCM, apply config and force a check to test.

Code: Select all

https://assets.nagios.com/downloads/nagiosxi/docs/Understanding-User-Macros.pdf

I don't see anything else that would cause issues unless Box293 is right about some envar/path missing when running as the nagios user with no TTY.

[bwallace]

By any chance is the remote system a Solaris box?
https://docs.oracle.com/cd/E18752_01/ht ... ems-3.html

[highness]

99.9% of the time it's because of special characters in the password, do you have special characters in your password?

If so, try setting up a user variable and see if that resolves the issue:
- Note: You can't use the test check button in the CCM, apply config and force a check to test.

Code: Select all

https://assets.nagios.com/downloads/nagiosxi/docs/Understanding-User-Macros.pdf

I don't see anything else that would cause issues unless Box293 is right about some envar/path missing when running as the nagios user with no TTY.

The password has no special characters at all. Strictly upper-case and numbers.

[highness]

By any chance is the remote system a Solaris box?
https://docs.oracle.com/cd/E18752_01/ht ... ems-3.html

Nope - it's RHEL 7

[ssax]

Hmm, this is a head scratcher, add the -v option on the end of it for verbose and see if it gives any additional information after applying config.

[highness]

Hmm, this is a head scratcher, add the -v option on the end of it for verbose and see if it gives any additional information after applying config.

Added the -v to the check, but no discernible information was returned. It still returns "Could not bind to the LDAP server".

[rkennedy]

Can you show us the service definition and check_command you're using in conjunction with it as well? There might be something in the configs we've over looked at this point.