check_ldap Ignores -a (ldap attribute to search)
Posted: Tue Dec 16, 2014 1:18 pm
by SteveBeauchemin
Has anyone tried to use the 'Match this' parameter of check_ldap?
It seems that the parameter is happy as long as there is an equal sign in it after some text.
For example:
./check_ldap -H [IP] -b "[my stuff]" -p 3890 -D "[more of my stuff]" -P [my password] -w 8 -c 12 -t 30 -a "(zzzzzzzzzzzzzzzzzzzzzzzzz=)"
LDAP OK - 0.660 seconds response time|time=0.660287s;8.000000;12.000000;0.000000
No matter what I enter, it passes and LDAP is OK.
Tried these:
-a "(c=)"
-a "(z=)"
-a '(gg=)'
As long as anything precedes the = the test passes.
My problem is that I want to match a specific piece of test, where -a "(dc=[my specific thing])" will either pass or fail if that item is there or not there.
./check_ldap -V
check_ldap v2.0.3 (nagios-plugins 2.0.3)
Anyone have any ideas other than writing my own test?
Thanks
Steve B
Re: check_ldap Ignores -a (ldap attribute to search)
Posted: Tue Dec 16, 2014 4:34 pm
by scottwilkerson
When you pass the -w and -c params, it changes to use response time for the query
-w, --warning=DOUBLE
Response time to result in warning status (seconds)
-c, --critical=DOUBLE
Response time to result in critical status (seconds)
I believe you need to remove them to use the search.
Re: check_ldap Ignores -a (ldap attribute to search)
Posted: Tue Dec 16, 2014 4:46 pm
by SteveBeauchemin
Scott,
Removing the -w, -c and the -t makes no difference. The result is always OK as long as the -a has some text and an equal sign.
Such as this:
./check_ldap -H 198.151.224.183 -b "[stuff]" -p 3890 -D "[my stuff]" -P [password] -a "(dc=xx)"
LDAP OK - 0.030 seconds response time|time=0.030016s;;;0.000000
Please try this on your own. Show me your results.
Thanks
Steve B
Re: check_ldap Ignores -a (ldap attribute to search)
Posted: Tue Dec 16, 2014 4:54 pm
by SteveBeauchemin
Actually, I hope what you said earlier is also not true. There should be time tests available for LDAP whether or not it is testing for a reply match. The tests should fail if it takes too long, and should also fail if there is no match. Both are legitimate responses for HTTP testing. Why would LDAP be different?
Steve B
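The behaviour asked for in this thread (fail when the filter matches nothing, and also fail when the reply is too slow), as an added example that is not code from the thread or from nagios-plugins. An LDAP search that matches nothing still completes with result 0 (Success), so the check has to count the returned entries; the function names, thresholds and sample LDIF below are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not nagios-plugins code. Reads ldapsearch LDIF on stdin and
# derives a Nagios state from BOTH the entry count and the response time.
# Hypothetical usage (HOST, BASE, BINDDN, PWFILE and the filter are placeholders;
# the caller measures ELAPSED):
#   ldapsearch -x -H ldap://HOST:3890 -b "BASE" -D "BINDDN" -y PWFILE \
#       "(dc=example)" dn | evaluate_ldap_search 8 12 "$ELAPSED"

count_ldif_entries() {
    # Every LDIF entry starts with one "dn:" line ("dn::" when base64-encoded).
    # Comment lines (#) and the trailing "result: 0 Success" are not entries.
    grep -c '^dn:' || true   # grep exits 1 on zero matches but still prints 0
}

evaluate_ldap_search() {     # args: WARN_SECONDS CRIT_SECONDS ELAPSED_SECONDS
    warn=$1; crit=$2; elapsed=$3
    entries=$(count_ldif_entries)
    perf="time=${elapsed}s;${warn};${crit};0 entries=${entries}"
    # No match is a failure even though the server answered "Success".
    if [ "$entries" -eq 0 ]; then
        echo "LDAP CRITICAL - matched=0 (server still returned Success)|$perf"
        return 2
    fi
    # Shell arithmetic is integer-only, so compare the float timings in awk.
    state=$(awk -v t="$elapsed" -v w="$warn" -v c="$crit" \
        'BEGIN { s = (t + 0 > c + 0) ? 2 : ((t + 0 > w + 0) ? 1 : 0); print s }')
    case $state in
        2) label=CRITICAL ;;
        1) label=WARNING ;;
        *) label=OK ;;
    esac
    echo "LDAP $label - matched=$entries, $elapsed seconds response time|$perf"
    return "$state"
}

# Constructed sample ldapsearch outputs (not taken from the thread).
LDIF_MATCH='dn: dc=example,dc=local
dc: example'
LDIF_NONE='# search result
search: 2
result: 0 Success
# numResponses: 1'

printf '%s\n' "$LDIF_MATCH" | evaluate_ldap_search 8 12 0.660 || true
printf '%s\n' "$LDIF_NONE"  | evaluate_ldap_search 8 12 0.030 || true
```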
Re: check_ldap Ignores -a (ldap attribute to search)
Posted: Wed Dec 17, 2014 1:34 am
by Box293
I've been playing with this and I think that this is a bug.
For example:
./check_ldap -H 10.25.14.51 -b "DC=BOX293,DC=local" -D "CN=001 Admin User,CN=Users,DC=BOX293,DC=local" -P "password" -3 -a "(objectclassTHISDOESNOTEXIST=*)"
LDAP OK - 0.007 seconds response time|time=0.007005s;;;0.000000
I've tried using the -v argument to produce verbosity; however, it does not do anything.
Re: check_ldap Ignores -a (ldap attribute to search)
Posted: Wed Dec 17, 2014 1:25 pm
by SteveBeauchemin
Thank you for trying before replying. I appreciate the effort.
Steve B
Re: check_ldap Ignores -a (ldap attribute to search)
Posted: Wed Dec 17, 2014 4:01 pm
by sreinhardt
I'll take a look at this in the next few days, and see if fixes can be applied to the 2.1 branch. Also just to 100% confirm, could you run
Just want to be sure everything is current. Considering box has the same issues, I would imagine it's still a bug.
Re: check_ldap Ignores -a (ldap attribute to search)
Posted: Fri Dec 19, 2014 10:45 am
by SteveBeauchemin
./check_ldap --version
check_ldap v2.0.3 (nagios-plugins 2.0.3)
Re: check_ldap Ignores -a (ldap attribute to search)
Posted: Fri Dec 19, 2014 11:52 am
by sreinhardt
OK thanks, I'll post back with an update.