Nagios Support Forum

Hello Nagios team,

Our domain administrators would like to make the move to Secure LDAP with Channel Binding. Unfortunately, our early testing with the 'LDAP Bind' service checks we already have configured has been unsuccessful and I require your expertise.

After reading numerous support articles, I've come to the conclusion that in order for these checks to keep working we need to somehow incorporate a certificate for each one of our domain controllers into the XI system. I'm not exactly sure how to accomplish that.

Here's what I've been reading:

https://www.altaro.com/vmware/understan ... g-signing/
https://support.microsoft.com/en-us/top ... 99a66fc00a
https://zend.to/troubleshoot-ad.pdf

Here's what our existing LDAP Bind checks look like: $USER1$/check_ldap -H $HOSTADDRESS$ -b "$ARG1$" -D "$ARG2$" -P "$ARG3$" -2 -p 3268

I'm told LDAPS uses port 636. I tried just switching to that and it does not bind. I also tried combinations of using the -S (--ssl) switch and changing the version from -2 to -3.

I just tried enabling it and this seems to work:
Does that work for you?

Well, I think we're making progress. I'm seeing a different error now:
I'm unsure how to proceed from here though.

That's because the server is unable to get the local issuer (the CA) certificate to validate the DCs cert.

What OS/version is your XI server running?
If you're running RHEL/ORACLE/CENTOS put your CA certs in individual files in:
Then run this command and test again:

Here's the OS info you asked for.
I'll try exporting the cert from each domain controller and get back to you. Thank you!

You do not need the DCs certs, you need the Certificate Authority certs. The CA cert is what signed the DCs cert and you're essentially saying that you trust the issuer of the certs. If you have multiple CAs in the certificate chain you will need all of their certs.