Page 2 of 3
Re: Nagios_Nrpe
Posted: Tue Nov 12, 2019 8:25 am
by jpingo
We are running everything using the scd user ... not root
Note:
On the same nrpe.cfg file we have several ldap checks running with the same user and settings; the only difference is that some ldap checks use the --ssl parameter.
Ex:
1st: command[check_ldap6]=/home/scd/Basis_Nagios/plugins/check_ldap -H 'xxxxxxxxxxxxxxx' -b '' --port=9007 -D 'cn=moni,cn=Acc' -P 'xxxxxxxxxxxxx' -3 --ssl
2nd: command[check_ldap7]=/home/scd/Basis_Nagios/plugins/check_ldap -H 'xxxxxxxxxxxxxxx' -b '' --port=636 -D 'cn=moni,cn=Acc' -P 'xxxxxxxxxxxxx' -3
On Remote:
Running both scripts returned the expected result "LDAP OK - 0.041 seconds response time|time=0.041216s;;;0.000000"
On Nagios Monitoring:
1st command shows error "Could not bind to the LDAP server"
2nd command shows the correct status on the monitoring list "OK"
I hope this helps
Re: Nagios_Nrpe
Posted: Tue Nov 12, 2019 8:35 am
by scottwilkerson
This is bizarre. You may want to add the -v flag to the check_ldap6 config to see if you can get some debug output to display on the Service Status detail page for why it may be failing.
Re: Nagios_Nrpe
Posted: Wed Nov 13, 2019 4:42 am
by jpingo
Hi Scott,
The -v parameter shows me the same result, "Could not bind to the LDAP server"...
It seems that when the command is called by nrpe_check it is ignoring the -S on the remote check_ldap command, maybe?
Re: Nagios_Nrpe
Posted: Wed Nov 13, 2019 7:49 am
by scottwilkerson
Are you sure it used
--ssl and not
--starttls?
Code:
-T [--starttls]
use starttls mechanism introduced in protocol version 3
-S [--ssl]
use ldaps (ldap v2 ssl method). this also sets the default port to 636
Re: Nagios_Nrpe
Posted: Wed Nov 13, 2019 10:24 am
by jpingo
scottwilkerson wrote: Are you sure it used
--ssl and not
--starttls?
Code:
-T [--starttls]
use starttls mechanism introduced in protocol version 3
-S [--ssl]
use ldaps (ldap v2 ssl method). this also sets the default port to 636
Yes, we tried 3 different settings:
check_ldaps with -S
check_ldap --ssl
check_ldap -S
Re: Nagios_Nrpe
Posted: Wed Nov 13, 2019 10:33 am
by scottwilkerson
Re: Nagios_Nrpe
Posted: Wed Nov 13, 2019 11:13 am
by jpingo
scottwilkerson wrote: I was suggesting
--starttls or -T does not work for our connection to the LDAP servers; we already tried it.
Re: Nagios_Nrpe
Posted: Wed Nov 13, 2019 5:53 pm
by ssax
Please run these commands and post the entire output:
Code:
su - scd
/home/scd/Basis_Nagios/plugins/check_ldap -H 'xxxxxxxxxxxxxxx' -b '' --port=9007 -D 'cn=xxxx,cn=xxx' -P 'xxxxxxxxxxxxx' -3 --ssl
What do you have set in your nrpe.cfg for these?
Code:
nrpe_user=nagios
nrpe_group=nagios
Re: Nagios_Nrpe
Posted: Wed Nov 20, 2019 6:39 am
by techtuga
Hi,
Long story here, but in order to rule out problems on the nrpe remote side, we opened the connections to the LDAP server from our Nagios Server.
Now we are running check_ldap from our Nagios Server, and in return we received the following:
Code:
./check_ldap -H 'xxxxxxxxxxxxx' -p 9007 -b 'cn=xxxStempelxxx,cn=xxxxxxxx,cn=xxxxxxxxxxxxxxxx' -D 'cn=xxxxxxxx,cn=xxxxxxxxxx' -P 'xxxxxxxxxxxxxx' -3 -w 10 -c 20 -t 30 --ssl -v
ldap_bind: Can't contact LDAP server (-1)
additional info: TLS: hostname does not match CN in peer certificate
Could not bind to the LDAP server
We added to the file ~/.ldaprc
and can successfully run the command in the terminal:
Code:
./check_ldap -H 'xxxxxxxxxxxxx' -p 9007 -b 'cn=xxxStempelxxx,cn=xxxxxxxx,cn=xxxxxxxxxxxxxxxx' -D 'cn=xxxxxxxx,cn=xxxxxxxxxx' -P 'xxxxxxxxxxxxxx' -3 -w 10 -c 20 -t 30 --ssl -v
LDAP OK - 0.023 seconds response time|time=0.023327s;10.000000;20.000000;0.000000
But still on the Portal after configuring the same command and restarting everything we get:
Code:
Host: HR Basistools Linuxserver
Service: SCD LDAPS 9007 (notifications for this service have been disabled)
Status: CRITICAL   Last Check: 12:27:51   Duration: 0d 1h 12m 25s   Attempt: 15/15
Status Information: Could not bind to the LDAP server
Do you have any explanation for this behavior?
How can we tell the portal to include "TLS_REQCERT never" in the ~/.ldaprc file?
Why is the portal showing a different result than the command run in the terminal?
Re: Nagios_Nrpe
Posted: Wed Nov 20, 2019 2:11 pm
by mbellerue
Quick question. It just says that the hostname and CN in the cert don't match. Are you using the machine name for the -H flag, and domain name in the CN?
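An added example, not code from this thread, from Nagios or from the monitoring-plugins project, covering techtuga's two open questions (why a fix in ~/.ldaprc works in the terminal but not for the check the daemon runs, and where the TLS setting belongs instead) together with mbellerue's point about the -H value versus the certificate name. It assumes check_ldap is the monitoring-plugins binary (built on libldap, so it honours ldap.conf(5) settings and the LDAP-prefixed environment variables) and OpenSSL 1.1.1 or newer; the plugin path, host, port, CA bundle path and bind DN are placeholders. It also replaces "TLS_REQCERT never" with a verified configuration: "never" makes the check go green by switching off server authentication, and since -P is a simple bind, the password would then be sent to whatever answers on that port.

```shell
#!/bin/sh
# Added example (not from the thread, Nagios or monitoring-plugins). Placeholders to adjust:
# the plugin path, ldap.example.com:9007, the CA bundle path and the bind DN.
# check_ldap links against libldap, which reads /etc/openldap/ldap.conf (Debian:
# /etc/ldap/ldap.conf), then $HOME/.ldaprc and ./ldaprc, then LDAP<option> env vars.
set -eu

PLUGIN="${PLUGIN:-/home/scd/Basis_Nagios/plugins/check_ldap}"
LDAP_HOST="${LDAP_HOST:-ldap.example.com}"            # must equal a name in the cert's SAN/CN
LDAP_PORT="${LDAP_PORT:-9007}"
CA_FILE="${CA_FILE:-/etc/pki/tls/certs/corp-ca.pem}"  # assumption: CA that issued the server cert
BIND_DN="${BIND_DN:-cn=moni,cn=Acc}"

# 1. Which names does the server certificate actually carry? The value passed to -H has
#    to match one of them, or libldap reports "hostname does not match CN". A third
#    argument "starttls" models -T/--starttls (plain port upgraded to TLS); without it
#    the session is TLS from the first byte, i.e. -S/--ssl (LDAPS).
server_cert_names() {
    _mode=""
    [ "${3:-}" = starttls ] && _mode="-starttls ldap"
    # shellcheck disable=SC2086  # $_mode is intentionally word-split
    openssl s_client -connect "$1:$2" -servername "$1" $_mode </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -ext subjectAltName
}

# 2. Reproduce how the daemon runs the plugin: a bare environment, no login profile, no
#    HOME. libldap locates ~/.ldaprc through $HOME, so a file edited in an interactive
#    "su - scd" session is never consulted here. To test as the nrpe user:
#        su -s /bin/sh scd -c "env -i PATH=/usr/bin:/bin $PLUGIN ..."
run_like_nrpe() {
    env -i PATH=/usr/bin:/bin "$@"
}

# 3. Same bare environment, but with the trust anchor passed explicitly through the
#    LDAP-prefixed environment variables documented in ldap.conf(5); these do not depend
#    on HOME. TLS_REQCERT stays at "demand" (the default), so the server is verified.
run_with_verified_tls() {
    env -i PATH=/usr/bin:/bin LDAPTLS_CACERT="$CA_FILE" LDAPTLS_REQCERT=demand "$@"
}

# 4. For nrpe.cfg, prefix the command with env(1) instead of relying on a shell being
#    involved (assumption: nrpe execs the command line directly):
#    command[check_ldap6]=/usr/bin/env LDAPTLS_CACERT=/etc/pki/tls/certs/corp-ca.pem /home/scd/Basis_Nagios/plugins/check_ldap -H ldap.example.com -p 9007 -b '' -D 'cn=moni,cn=Acc' -P 'xxx' -3 --ssl
#    The permanent fix is the same setting in the system-wide ldap.conf, which every user
#    and process reads regardless of HOME:
#        TLS_CACERT /etc/pki/tls/certs/corp-ca.pem
#        TLS_REQCERT demand

# Network steps run only on request, so the file can be sourced without side effects.
if [ "${RUN_LDAP_CHECKS:-0}" = 1 ]; then
    server_cert_names "$LDAP_HOST" "$LDAP_PORT"
    # Expected to fail with "Could not bind" while only ~/.ldaprc carries the fix.
    run_like_nrpe "$PLUGIN" -H "$LDAP_HOST" -p "$LDAP_PORT" -b '' -D "$BIND_DN" \
        -P "${BIND_PW:?set BIND_PW}" -3 --ssl -v || true
    # Expected to return LDAP OK once CA_FILE trusts the server cert and -H matches it.
    run_with_verified_tls "$PLUGIN" -H "$LDAP_HOST" -p "$LDAP_PORT" -b '' -D "$BIND_DN" \
        -P "${BIND_PW:?set BIND_PW}" -3 --ssl -v
fi
```

If server_cert_names shows a CN or SAN that is the fully qualified DNS name while -H carries the short machine name (or an IP), either pass the name from the certificate to -H or have the certificate reissued with the name you monitor in its SAN; both keep verification on, which "TLS_REQCERT never" does not.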