severity 730470 normal
thanks
Hi Daniel,

thanks for reporting this issue.

On 25.11.13 12:14, Daniel Pocock wrote:
> Severity: important

Sorry, I disagree with this level. This is not a "bug which has a major effect on the usability of a package" as this is not nagios-plugins-ldaps.

> Consider the following:
>
> /usr/lib/nagios/plugins/check_ldaps -H ldap -b dc=example,dc=org -p 636 -3

As I actually have no LDAP server running, could you please verify if the following is working for you:

/usr/lib/nagios/plugins/check_ldap -H ldap -b dc=example,dc=org -S -3

This should make a ldaps connection to port 636.

A "/usr/lib/nagios/plugins/check_ldaps -H ldap -b dc=example,dc=org -p 636 -3 -vvv" could also be interesting.

> It fails with "Could not bind to the LDAP server"
>
> Adding this hack to /etc/ldap/ldap.conf:
>
> TLS_REQCERT never
>
> makes it work though. Somebody has actually described this on
> stack overflow as a solution, in fact, it is quite a nasty thing
> for security as all LDAP client code on the system running
> check_ldaps will no longer do cert verification.
>
> Please note I have checked the server cert is not expired and I am
> using a custom CA specified with TLS_CACERT in /etc/ldap/ldap.conf
> - other LDAP clients are happy with that setup and the problem is
> unique to check_ldaps for Nagios
>
> check_ldaps should work without requiring TLS_REQCERT to be
> weakened

After reading a lot about adding "TLS_REQCERT never" and about openldap in Debian wheezy I think this is caused somehow by libldap-dev/libldap2-dev.

With kind regards, Jan.
-- 
Never write mail to <[email protected]>, you have been warned!
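Added example, not part of the original message and not code from nagios-plugins or OpenLDAP: a small shell audit that flags the "TLS_REQCERT never" workaround discussed above in a client ldap.conf. The function names, the sample files and the example-ca.pem path are constructed; it assumes that keywords are case-insensitive, that a later line overrides an earlier one, and that the TLS_CACERT path contains no spaces.

```shell
#!/bin/sh
# Added example: flag an OpenLDAP client config that weakens TLS verification.
# Function names and sample files are constructed for illustration.

# ldap_conf_value FILE OPTION -> prints the effective value (empty if unset).
# Assumption: keywords are case-insensitive and the last occurrence wins.
ldap_conf_value() {
    awk -v want="$2" '
        $1 ~ /^#/ { next }                                    # skip comment lines
        NF >= 2 && toupper($1) == toupper(want) { val = $2 }  # remember latest value
        END { print val }
    ' "$1"
}

# audit_ldap_conf FILE -> 0 if certificates are verified, 1 if weakened,
# 2 if the TLS_REQCERT level is not recognised.
audit_ldap_conf() {
    reqcert=$(ldap_conf_value "$1" TLS_REQCERT | tr 'A-Z' 'a-z')
    cacert=$(ldap_conf_value "$1" TLS_CACERT)
    case "${reqcert:-demand}" in          # demand is the libldap default
        never|allow)
            echo "WEAK: $1: TLS_REQCERT $reqcert accepts unverified server certificates"
            return 1 ;;
        try|demand|hard)
            echo "OK: $1: TLS_REQCERT ${reqcert:-demand}, TLS_CACERT ${cacert:-<not set>}"
            return 0 ;;
        *)
            echo "UNKNOWN: $1: TLS_REQCERT $reqcert"
            return 2 ;;
    esac
}

# Demo on two constructed files: the workaround and the intended setup.
demo() {
    d=$(mktemp -d) || return 1
    printf 'TLS_CACERT /etc/ssl/certs/example-ca.pem\nTLS_REQCERT never\n' > "$d/weak.conf"
    printf '# TLS_REQCERT never\nTLS_CACERT /etc/ssl/certs/example-ca.pem\n' > "$d/strict.conf"
    audit_ldap_conf "$d/weak.conf" || true
    audit_ldap_conf "$d/strict.conf"
    rm -rf "$d"
}
demo
```

The same setting can also come from a per-user ~/.ldaprc or the LDAPTLS_REQCERT environment variable, so a clean /etc/ldap/ldap.conf alone does not prove verification is enforced.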

