Run Check Command versus Service Status Detail

[onegative]

G 'Day Nagios Support,

So I am having a problem where a particular check_ldap Service.

I can run the command via the command line and it works as expected.

Code: Select all

[nagios@dcom-nagiosxi-p2 ~]$ /usr/local/nagios/libexec/check_ldap -H nwh-dc-03.nwhsea.org -b "dc=nwhsea,dc=org" -D "myUserName" -P "somePassword" -3 -S  -w 10 -c 20
LDAP OK - 0.072 seconds response time|time=0.071884s;10.000000;20.000000;0.000000

I can 'Run Check Command' from Service Management successfully as the screen shot indicates.

Run Check Command.png

But from the actual Service Check within Nagios XI it is failing as the screen shot shows.

Service Status Detail.png

I am just unsure what the disconnect is, can you make any suggestions why this might be happening?

And as always thanks in advance,
Danny
@onegative

[dchurch]

$USER5$ and $USER6 are not expanding in the Run Check Command dialog, instead where the variable's value is supposed to be subbed in, it's a literal string, i.e.

Code: Select all

/usr/local/nagios/libexec/check_ldap -H example.com -b "dc=nwhsea,dc=org" -D '$USER5$' -P '$USER6' -3 -S  -w 10 -c 20

When the check is run "for real" by the monitoring engine (not the Run Check Command dialog) the values are subbed in differently, instead of inserting the literal string it's inserting (for me) nothing at all.

Where do the $USER5$ and $USER6 come from? Where are they set?

[onegative]

They are standard User Macros defined in /usr/local/nagios/etc/resource.cfg

They work & translate otherwise the Run Check Command wouldn't work

# NWH LDAP Credentials
$USER5$=myUserName
$USER6$=somePassword

But for whatever reason when Nagios actually runs the command it is not working...
I guess I am going to have to enable service logging...which I did not want to do...

Danny

[onegative]

You know...these are the things that just simply waste my time.

So it seems that if I use the ipAddr in the Address field $HOSTADRESS$, I end up with the following error:
ldap_bind: Can't contact LDAP server (-1)
additional info: TLS: unable to get CN from peer certificate
Could not bind to the LDAP server

When I specify the FQDN in the Address field the Bind works and I get the proper results.
I didn't catch this before because the non-ssl port 389 Service Check accepted the $HOSTADRESS$ but when performing the ssl port 636 it returns the above error.

I am not an LDAP specialist and would appreciate any feedback from someone who might know the reason for this? Even from the Command-line it fails when using the actual ipAddr.

Thanks,
Danny

[gsmith]

Hi Danny,

The LDAP client must match the Common Name (CN) in the LDAP server certificate, so if the certificate is using
the FQDN then the command must use the FQDN.

Thanks

[onegative]

This can be locked and thanks everyone.
Danny

[benjaminsmith]

Hi Danny,

Great! We'll close this out.

Thank you for using Nagios.