[SOLVED] check_ldap: Could not init startTLS at port 389

pomtomm
Posts: 5
Joined: Thu Nov 12, 2020 2:02 pm

[SOLVED] check_ldap: Could not init startTLS at port 389

Post by pomtomm »

Nagios server is running on Debian 10 with software from the standard repos (nagios4-4.3.4-3, monitoring-plugins-standard-2.2-6).

I'm getting a "Could not init startTLS at port 389" error from check_ldap when executed as a Nagios service check.

If I run the plugin from the shell, it's working fine:

root@ext1:/etc# /usr/lib/nagios/plugins/check_ldap -H ext1.broda.in -b o=broda -D uid=abwrite,ou=users,ou=accounts,o=broda -P ***** -T
LDAP OK - 0.039 seconds response time|time=0.038542s;;;0.000000

SSL / TLS setup is fine, the LDAP client is supposed to check the server certificate:

root@ext1:~# grep ^[^#] /etc/ldap/ldap.conf
TLS_CACERT              /etc/letsencrypt/live/broda.in/chain.pem
TLS_REQCERT             hard

The certificate is valid and matches the hostname:

root@ext1:~# openssl x509 -in /etc/letsencrypt/live/broda.in/cert.pem -noout -subject -enddate
subject=CN = *.broda.in
notAfter=Jan 14 02:56:38 2021 GMT

...and I can perform an LDAP search using StartTLS:

root@ext1:~# ldapsearch -xvZZ -h ext1.broda.in -b o=broda | tail -2
ldap_initialize( ldap://ext1.broda.in )
filter: (objectclass=*)
requesting: All userApplication attributes
# numResponses: 67
# numEntries: 66

The debug log doesn't seem to provide more information:

[1605214611.239488] [2048.1] [pid=8622]   Done.  Final output: '/usr/lib/nagios/plugins/check_ldap -H ext1.broda.in -b o=broda -D uid=abwrite,ou=users,ou=accounts,o=broda -P ***** -T'
[1605214611.239493] [2048.1] [pid=8622] **** END MACRO PROCESSING *************
[1605214611.257571] [016.2] [pid=8622] Processing check result for service 'LDAP' on host 'ext1.broda.org'
[1605214611.257613] [016.0] [pid=8622] ** Handling check result for service 'LDAP' on host 'ext1.broda.org' from 'Core Worker 8628'...
[1605214611.257621] [016.1] [pid=8622] HOST: ext1.broda.org, SERVICE: LDAP, CHECK TYPE: Active, OPTIONS: 1, SCHEDULED: Yes, RESCHEDULE: Yes, EXITED OK: Yes, RETURN CODE: 2, OUTPUT: Could not init startTLS at port 389!
[1605214611.257632] [016.2] [pid=8622] Parsing check output...
[1605214611.257638] [016.2] [pid=8622] Short Output: Could not init startTLS at port 389!

This might be related to this problem from 2011, but I can't figure out how this guy got it fixed. On a Debian system, the "nagios" user does have the HOME variable set, at least when checked interactively:

root@ext1:~# su -s /bin/bash nagios
nagios@ext1:/root$ cd
nagios@ext1:~$ echo $HOME
/var/lib/nagios

By the way, the same Nagios setup executed on an Ubuntu 18.04 system, checking the same LDAP server, is working fine. I've even tried to copy the check_ldap binary from the Ubuntu host to the Debian box, but it won't make any difference. Still the same error.

What's wrong here?
Last edited by pomtomm on Fri Nov 13, 2020 7:44 am, edited 1 time in total.
gormank
Posts: 1114
Joined: Tue Dec 02, 2014 12:00 pm

Re: check_ldap: Could not init startTLS at port 389 [Debian

Post by gormank »

You can add it to sudoers in a file in /etc/sudoers.d...
pomtomm
Posts: 5
Joined: Thu Nov 12, 2020 2:02 pm

Re: check_ldap: Could not init startTLS at port 389 [Debian

Post by pomtomm »

I changed the command definition to

command_line    sudo /usr/lib/nagios/plugins/check_ldap -H $ARG1$ -b $ARG2$ -D $ARG3$ -P $USER7$ -T

and in fact, it worked.

That pointed me in the right direction: I really forgot to check whether the nagios user can access the Let's Encrypt CA certificate file.

After making "nagios" a member of "ssl-cert" everything worked fine.

Thanks for helping.
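An added check, my own script and not part of this thread, that does the step pomtomm found was missing: it reads TLS_CACERT from ldap.conf and tests whether a given user (here nagios) can actually open that file, which is what a plugin run by Nagios Core needs before StartTLS can succeed with TLS_REQCERT hard. Function names are mine; it assumes a Debian-style ldap.conf, GNU coreutils, and root when testing a user other than the caller.

```shell
#!/bin/sh
# Added example, not from the thread: find the CA file an LDAP client loads
# from ldap.conf and report whether a given user (e.g. nagios) can read it.
# Assumes a Debian-style ldap.conf, GNU stat, and root privileges when the
# user under test is not the current one (su switches identity).

# ldap_cacert CONF -> prints the TLS_CACERT value from CONF (last one wins)
ldap_cacert() {
    awk 'toupper($1) == "TLS_CACERT" { p = $2 } END { if (p != "") print p }' "$1"
}

# file_readable_by USER PATH -> exit 0 if USER can open PATH for reading.
# Testing as that user also catches unsearchable parent directories
# (e.g. /etc/letsencrypt/live may be root-only on a certbot host).
file_readable_by() {
    user=$1; path=$2
    if [ "$(id -un)" = "$user" ]; then
        [ -r "$path" ]
    else
        su -s /bin/sh "$user" -c "test -r '$path'"
    fi
}

# check_ldap_cacert_access USER [CONF] -> diagnosis on stdout, exit 0 if OK
check_ldap_cacert_access() {
    user=$1; conf=${2:-/etc/ldap/ldap.conf}
    cacert=$(ldap_cacert "$conf")
    if [ -z "$cacert" ]; then
        echo "no TLS_CACERT in $conf; the client uses its built-in defaults"
        return 0
    fi
    if [ ! -e "$cacert" ]; then
        echo "TLS_CACERT $cacert not found (missing or parent dir not searchable)"
        return 2
    fi
    if file_readable_by "$user" "$cacert"; then
        echo "OK: $user can read $cacert"
        return 0
    fi
    echo "$user cannot read $cacert ($(stat -L -c '%a %U:%G' "$cacert"));" \
         "with TLS_REQCERT hard, StartTLS will fail for this user"
    return 2
}

# Usage: sh ldap_cacert_check.sh nagios [/etc/ldap/ldap.conf]
if [ $# -gt 0 ]; then
    check_ldap_cacert_access "$@"
fi
```

On the thread's host, running it as root with the argument nagios before the group change would report the unreadable chain.pem; after adding nagios to ssl-cert (or otherwise granting read access along the whole path) it reports OK.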
benjaminsmith
Posts: 5324
Joined: Wed Aug 22, 2018 4:39 pm
Location: saint paul

Re: [SOLVED] check_ldap: Could not init startTLS at port 389

Post by benjaminsmith »

Hi @pomtomm,

Glad to hear you got it solved. Thanks for sharing your solution.