check_ldap fails with "Could not bind to the ldap-server"

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
jwelch
Posts: 225
Joined: Wed Sep 05, 2012 12:49 pm

Re: check_ldap fails with "Could not bind to the ldap-server

Post by jwelch »

DOH! I now know what is happening. I'll experiment some after lunch and post the results.
abrist
Red Shirt
Posts: 8334
Joined: Thu Nov 15, 2012 1:20 pm

Re: check_ldap fails with "Could not bind to the ldap-server

Post by abrist »

Great! Let us know your results.
Former Nagios employee
"It is turtles. All. The. Way. Down. . . .and maybe an elephant or two."
VI VI VI - The editor of the Beast!
Come to the Dark Side.
jwelch

Re: check_ldap fails with "Could not bind to the ldap-server

Post by jwelch »

I was looking at the config and realized that the command was being fed $HOSTADDRESS$ instead of $HOSTNAME$ , and when I used the 'Test command' button in the WebGUI, it asked for the host address, but since the config name in my case is the FQDN, I was just cutting and pasting that into the prompt and the check passed. (I add the IP addresses to all my servers whenever possible.)
Today I tried putting the IP address into the command. I also tacked on a -v 5 in hopes of getting some more detailed error info, and when I ran the check from the command line as root I got:


ldap_bind: Can't contact LDAP server (-1)
	additional info: TLS: hostname does not match CN in peer certificate
Could not bind to the ldap-server
Which is weird, since 'check_ldap -h' says you can supply a hostname, IP address, or Unix socket to the command.

So I copied the check_xi_service_ldaps service check to check_service_ldaps and changed the command from:
$USER1$/check_ldaps -H $HOSTADDRESS$ $ARG1$
to:
$USER1$/check_ldaps -H $HOSTNAME$ $ARG1$ $ARG2$ $ARG3$ $ARG4$ $ARG5$

(I also added ARG2-5 to the check_ldaps command since some of my parameters are pretty long
and it's easier to see/edit if they are in separate textboxes in the WebGUI.)

I changed the command in the service check for my servers to use check_service_ldaps and it works fine now. (I assume if I hadn't added the IP addresses to the host configs, the service check would have used the hostnames and the checks would have passed.)

So now I'm wondering if there's a problem with the check_ldap code where it *should* be resolving the IP address to a hostname to compare to the certificate, or if the check_xi_service_ldaps should be changed to use $HOSTNAME$ rather than $HOSTADDRESS$.

(Yes, our DNS does resolve the hostnames to the correct IP and the IP to the correct hostnames.)
sreinhardt
-fno-stack-protector
Posts: 4366
Joined: Mon Nov 19, 2012 12:10 pm

Re: check_ldap fails with "Could not bind to the ldap-server

Post by sreinhardt »

(Yes, our DNS does resolve the hostnames to the correct IP and the IP to the correct hostnames.)
Darn, beat me to it. Honestly, I think this is a question best posed to the Nagios Plugins mailing list. It should resolve the names and be able to check; a possible exception would include IPv6 addresses being returned. I can dig through the code later and see if there is something not happening that should be.
Nagios-Plugins maintainer exclusively, unless you have other C language bugs with open-source nagios projects, then I am happy to help! Please pm or use other communication to alert me to issues as I no longer track the forum.
jwelch

Re: check_ldap fails with "Could not bind to the ldap-server

Post by jwelch »

The IP I put in the config is IPv4, and that's what I tested via the command line to reproduce the failure.

Just for giggles I tried the IPv6 address on the command line and got:
ldap_bind: Can't contact LDAP server (-1)
Could not bind to the ldap-server
NOTE: no 'additional info' msg...possibly indicating IPv6 connectivity issues rather than name/IP comparison problems.
sreinhardt

Re: check_ldap fails with "Could not bind to the ldap-server

Post by sreinhardt »

Good to know. So it likely doesn't work for IPv6 or needs some tweaks, and the particular issue you ran into does seem to be resolving names vs. direct IP connections. OK, noted, and I will look into it; unfortunately there is no quick answer here that I know of.
jwelch

Re: check_ldap fails with "Could not bind to the ldap-server

Post by jwelch »

If I'm looking in the right place ( http://sourceforge.net/projects/nagiosp ... urce=files ), then the plugin itself doesn't do anything fancier than just making sure you supplied something for the -H option. It looks like it calls ldap_init using whatever you supplied for the -H option. (I also assume that ldap_init is part of an ldap library since there's an include for ldap.h.)

Hmmm...since supplying the IP would force the plugin to resolve it to get the hostname to compare to the certificate...which requires working DNS (or a cached lookup)....why not just have the check_ldaps command use $HOSTNAME$ and bypass the whole issue?
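The behaviour described in the two jwelch posts above (the -H IP failure with "hostname does not match CN in peer certificate", the fix of feeding $HOSTNAME$ instead of $HOSTADDRESS$, and the question of whether the plugin should reverse-resolve the IP) can be reproduced offline with the added example below. It is not code from the original thread, the check_ldap plugin, or OpenLDAP: the certificate identities, the host object, the command lines and the macro expander are all constructed here, and hostname_matches_cert is a simplified reimplementation of RFC 6125 matching rules, not the library's own verifier. It shows three things: an IP literal is only ever compared against iPAddress SANs, so a cert issued to the FQDN alone fails for -H 192.0.2.10; passing the FQDN (or omitting the host's address directive, so Nagios uses host_name as the address) passes; and adding an iPAddress SAN to the server cert makes the IP form pass too. The verifier deliberately does not reverse-resolve the IP: whoever controls the PTR record would otherwise choose which name the certificate is checked against, which is why no TLS library does what the post speculates about.

```python
"""Why `check_ldaps -H <IP>` fails TLS hostname verification while
`-H <FQDN>` passes, and what $HOSTADDRESS$ vs $HOSTNAME$ feeds the plugin.

Constructed, offline example: the certificate identities, host objects and
command lines below are made up; nothing here is the check_ldap plugin's or
OpenLDAP's own code.
"""
import ipaddress
import shlex

# Constructed certificate identities (not from the original thread).
CERT_FQDN_ONLY = {"cn": "ldap.example.com",
                  "dns_sans": ["ldap.example.com"],
                  "ip_sans": []}
CERT_WITH_IP_SAN = {"cn": "ldap.example.com",
                    "dns_sans": ["ldap.example.com", "*.dir.example.com"],
                    "ip_sans": ["192.0.2.10"]}

# Constructed Nagios host objects: FQDN as host_name, IPv4 in address.
HOST_WITH_ADDRESS = {"name": "ldap.example.com", "address": "192.0.2.10"}
HOST_NO_ADDRESS = {"name": "ldap.example.com", "address": None}

# The stock-style command and the $HOSTNAME$ variant (ARG macros trimmed).
CMD_HOSTADDRESS = "$USER1$/check_ldaps -H $HOSTADDRESS$ -b dc=example,dc=com"
CMD_HOSTNAME = "$USER1$/check_ldaps -H $HOSTNAME$ -b dc=example,dc=com"


def _dns_name_matches(pattern, hostname):
    """RFC 6125-style dNSName comparison: case-insensitive, trailing dot
    ignored, and a wildcard is honoured only as the entire left-most label
    (*.example.com matches a.example.com, not a.b.example.com or example.com)."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if p[0] != "*":
        return p == h
    return len(p) >= 3 and len(p) == len(h) and p[1:] == h[1:]


def hostname_matches_cert(target, cert):
    """Decide whether TLS hostname verification of `target` against `cert`
    succeeds.  Returns (ok, reason).

    An IP literal is compared only against iPAddress SANs.  The verifier
    never reverse-resolves the IP to a name: whoever controls the PTR
    record could otherwise pick the name the certificate is checked against.
    """
    literal = target.strip("[]")          # accept the bracketed IPv6 form
    try:
        ip = ipaddress.ip_address(literal)
    except ValueError:
        ip = None
    if ip is not None:
        for san in cert["ip_sans"]:
            if ipaddress.ip_address(san) == ip:
                return True, f"iPAddress SAN {san} matches {ip}"
        return False, f"no iPAddress SAN matches {ip} (dNSName/CN never match an IP)"
    # dNSName SANs take precedence; the CN is only a fallback when none exist.
    names = cert["dns_sans"] or [cert["cn"]]
    for name in names:
        if _dns_name_matches(name, target):
            return True, f"dNSName {name} matches {target}"
    return False, f"no dNSName/CN matches {target}"


def expand_host_macros(command_line, host):
    """Minimal stand-in for Nagios macro expansion, covering only the two
    macros the thread is about.  Nagios uses host_name as the address when
    the host definition has no address directive; that is reproduced here."""
    address = host["address"] or host["name"]
    return (command_line.replace("$HOSTADDRESS$", address)
                        .replace("$HOSTNAME$", host["name"]))


def ldaps_check_outcome(command_line, host, cert):
    """Expand macros, pull the -H target out of the resulting argv and run
    the verifier on it.  Returns (ok, target, reason)."""
    argv = shlex.split(expand_host_macros(command_line, host))
    target = argv[argv.index("-H") + 1]
    ok, reason = hostname_matches_cert(target, cert)
    return ok, target, reason


if __name__ == "__main__":
    cases = [
        ("$HOSTADDRESS$, cert for FQDN only", CMD_HOSTADDRESS, HOST_WITH_ADDRESS, CERT_FQDN_ONLY),
        ("$HOSTNAME$, cert for FQDN only", CMD_HOSTNAME, HOST_WITH_ADDRESS, CERT_FQDN_ONLY),
        ("$HOSTADDRESS$, host without address directive", CMD_HOSTADDRESS, HOST_NO_ADDRESS, CERT_FQDN_ONLY),
        ("$HOSTADDRESS$, cert with iPAddress SAN", CMD_HOSTADDRESS, HOST_WITH_ADDRESS, CERT_WITH_IP_SAN),
    ]
    for label, cmd, host, cert in cases:
        ok, target, reason = ldaps_check_outcome(cmd, host, cert)
        print(f"{'OK  ' if ok else 'FAIL'} -H {target:<18} {label}: {reason}")
```

Running the block prints one line per case; the first case is the failing one from the thread, the second and third are the $HOSTNAME$ fix and the "no address directive" assumption from the earlier post, and the fourth shows the alternative of issuing the server cert with an iPAddress SAN so the stock $HOSTADDRESS$ command works without any change.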
jwelch

Re: check_ldap fails with "Could not bind to the ldap-server

Post by jwelch »

The IPv6 issue is probably my server not having IPv6 connectivity to the target host. We have some VLANs with IPv6 and some without, so I can't say for sure, but it's most likely not a plugin issue (except for the whole "it doesn't reverse lookup the hostname" part).

Wait a minute...I forgot about ping6. Yep, that network is unreachable via IPv6, so ignore any reference to IPv6 in the problem.
jwelch

Re: check_ldap fails with "Could not bind to the ldap-server

Post by jwelch »

P.S. Although the help output says you can supply hostname,ip, or socket, the code variable is ld_host and error messages refer to 'hostname':


	if (ld_host==NULL || strlen(ld_host)==0)
		usage4 (_("Please specify the host name\n"));
abrist

Re: check_ldap fails with "Could not bind to the ldap-server

Post by abrist »

Even though it refers to 'hostname', there is a good chance an FQDN, IP, or /etc/hosts hostname would work.