Author: coudot Date: 2010-04-14 16:23:48 +0200 (Wed, 14 Apr 2010) New Revision: 66
Added: nagios-plugins/trunk/check_ldap_query.pl Log: #194: first version of check LDAP query Nagios plugin Added: nagios-plugins/trunk/check_ldap_query.pl =================================================================== --- nagios-plugins/trunk/check_ldap_query.pl (rev 0) +++ nagios-plugins/trunk/check_ldap_query.pl 2010-04-14 14:23:48 UTC (rev 66) @@ -0,0 +1,437 @@ +#! /usr/bin/perl -w + +#========================================================================== +# Summary +#========================================================================== +# Check LDAP query +# +# Request an LDAP server and count entries returned +# +# Copyright (C) 2010 Clement OUDOT +# Copyright (C) 2010 LTB-project.org +# +#========================================================================== +# License: GPLv2+ +#========================================================================== +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# GPL License: http://www.gnu.org/licenses/gpl.txt +#========================================================================== + +#========================================================================== +# Changelog +#========================================================================== +# Version 0.1 (2010/04/14): +# - First version +# Author: Clement OUDOT +#========================================================================== + +#========================================================================== +# Version +#========================================================================== +my $VERSION = '0.1'; +my $TEMPLATE_VERSION = '1.0.0'; + +#========================================================================== +# Modules +#========================================================================== +use strict; +use lib '/usr/local/nagios/libexec'; +use utils qw /$TIMEOUT %ERRORS &print_revision &support/; +use Getopt::Long; +&Getopt::Long::config('bundling'); +use File::Basename; +use Net::LDAP; + +#========================================================================== +# Options +#========================================================================== +my $progname = basename($0); +my $help; +my $version; +my $verbose = 0; +my $host; +my $warning; +my $critical; +my $logname; +my $authentication; +my $log_file; +my $perf_data; +my $name; +my $port; +my $timeout = $TIMEOUT; +my $regexp; +my $eregexp; +my $exclude; +my $minute = 60; +my $url; + +# For SNMP plugins +my $snmp_version; +my $snmp_v1; +my $snmp_v2c; +my $snmp_v3; +my $community; +my $seclevel; +my $authproto; +my $privpasswd; +my $oid; + +# For LDAP plugins +my $ldap_binddn; +my $ldap_bindpw; +my $ldap_filter; +my $ldap_base; +my $ldap_scope; + +GetOptions( + 'h' => \$help, + 'help' => \$help, + 'V' => \$version, + 'version' => \$version, + 'v+' => \$verbose, + 'verbose+' => \$verbose, + 'H:s' => \$host, + 'host:s' => \$host, + 'w:i' => \$warning, + 'warning:i' => \$warning, + 'c:i' => \$critical, + 'critical:i' => \$critical, + + #'l:s'=> \$logname,'logname:s'=> \$logname, + #'a:s'=> \$authentication, + #'authentication:s'=> \$authentication, + #'F:s'=> \$log_file,'log_file:s'=> \$log_file, + 'f' => \$perf_data, + 'perf_data' => \$perf_data, + + #'n:s' => \$name, + #'name:s' => \$name, + 'p:i' => \$port, + 'port:i' => \$port, + 't:i' => \$timeout, + 'timeout:i' => \$timeout, + + #'r:s'=> \$regexp,'regexp:s'=> \$regexp, + #'e:s'=> \$exclude,'exclude:s'=> \$exclude, + #'m:s'=> \$minute,'minute:s'=> \$minute, + #'u:s'=> \$url,'url:s'=> \$url, + # For SNMP plugins + #'snmp_version:s'=> \$snmp_version,'1'=> \$snmp_v1, + #'2'=> \$snmp_v2c,'3'=> \$snmp_v3, + #'C:s'=> \$community,'community:s'=> \$community, + #'L:s'=> \$seclevel,'seclevel:s'=> \$seclevel, + #'A:s'=> \$authproto,'authproto:s'=> \$authproto, + #'X:s'=> \$privpasswd,'privpasswd:s'=> \$privpasswd, + #'o:s'=> \$oid,'oid:s'=> \$oid, + # For LDAP plugins + 'D:s' => \$ldap_binddn, + 'binddn:s' => \$ldap_binddn, + 'P:s' => \$ldap_bindpw, + 'bindpw:s' => \$ldap_bindpw, + 'F:s' => \$ldap_filter, + 'filter:s' => \$ldap_filter, + 'b:s' => \$ldap_base, + 'base:s' => \$ldap_base, + 's:s' => \$ldap_scope, + 'scope:s' => \$ldap_scope, +); + +# Fix SMNP Version +unless ($snmp_version) { + $snmp_version = "1" if $snmp_v1; + $snmp_version = "2c" if $snmp_v2c; + $snmp_version = "3" if $snmp_v3; +} + +#========================================================================== +# Usage +#========================================================================== +sub print_usage { + print "Usage: \n"; + print "$progname -H <hostname> [-h] [-v] [-V]\n\n"; + print "Use option --help for more information\n\n"; + print "$progname comes with ABSOLUTELY NO WARRANTY\n\n"; +} + +#========================================================================= +# Version +#========================================================================= +if ($version) { + &print_revision( $progname, + "\$Revision: $VERSION (TPL: $TEMPLATE_VERSION)\$" ); + exit $ERRORS{'UNKNOWN'}; +} + +#========================================================================= +# Help +#========================================================================= +if ($help) { + &print_revision( $progname, "\$Revision: $VERSION\$" ); + + print "\n\nRequest LDAP server and count entries returned.\n\n"; + + &print_usage; + + print "-v, --verbose\n"; + print "\tPrint extra debugging information.\n"; + print "-V, --version\n"; + print "\tPrint version and exit.\n"; + print "-h, --help\n"; + print "\tPrint this help message and exit.\n"; + print "-H, --host=STRING\n"; + print +"\tIP or name (FQDN) of the directory. You can use URI (ldap://, ldaps://, ldap+tls://)\n"; + print "-p, --port=INTEGER\n"; + print "\tSirectory port to connect to.\n"; + print "-w, --warning=INTERGER\n"; + print "\tEntries number limit to return a warning status.\n"; + print "-c, --critical=DOUBLE\n"; + print "\tEntries number limit to return a critical status.\n"; + + #print "-l, --logname=STRING\n"; + #print "\tUser id for login.\n"; + #print "-a, --authentication=STRING\n"; + #print "\tSSH private key file.\n"; + #print "-F, --log_file=STRING\n"; + #print "\tStatus or log file.\n"; + print "-f, --perf_data\n"; + print "\tDisplay performance data.\n"; + + #print "-n, --name=STRING\n"; + #print "\tName (database, table, service, ...).\n"; + print "-t, --timeout=INTEGER\n"; + print "\tSeconds before connection times out (default: $TIMEOUT).\n"; + + #print "-r, --regexp=STRING\n"; + #print "\tCase sensitive regular expression.\n"; + #print "-e, --exclude=STRING\n"; + #print "\nExclude this regular expression.\n"; + #print "-u, --url=STRING\n"; + #print "\tURL.\n"; + #print "-1, -2, -3, --snmp_version=(1|2c|3)\n"; + #print "\tSNMP protocol version.\n"; + #print "-C, --community=STRING\n"; + #print "\tSNMP community (v1 and v2c).\n"; + #print "-L, --seclevel=(noAuthNoPriv|authNoPriv|authPriv))\n"; + #print "\tSNMP security level (v3).\n"; + #print "-A, --authproto=(MD5|SHA)\n"; + #print "\tSNMP authentication protocol (v3).\n"; + #print "-X, --privpasswd=STRING\n"; + #print "\tSNMP cipher password (v3).\n"; + #print "-o, --oid=STRING\n"; + #print "\tSNMP OID.\n"; + print "-D, --binddn=STRING\n"; + print "\tBind DN. Bind anonymous if not present.\n"; + print "-P, --bindpw=STRING\n"; + print "\tBind passwd. Need the Bind DN option to work.\n"; + print "-F, --filter=STRING\n"; + print "\tLDAP search filter.\n"; + print "-b, --base=STRING\n"; + print "\tLDAP search base.\n"; + print "-s, --scope=STRING\n"; + print "\tLDAP search scope\n"; + print "\n"; + + &support; + + exit $ERRORS{'UNKNOWN'}; +} + +#========================================================================= +# Functions +#========================================================================= + +# DEBUG function +sub verbose { + my $output_code = shift; + my $text = shift; + if ( $verbose >= $output_code ) { + printf "VERBOSE $output_code ===> %s\n", $text; + } +} + +# check if -H is used +sub check_host_param { + if ( !defined($host) ) { + printf "UNKNOWN: you have to define a hostname.\n"; + exit $ERRORS{UNKNOWN}; + } +} + +# check if -b is used +sub check_base_param { + if ( !defined($ldap_base) ) { + printf "UNKNOWN: you have to define a search base.\n"; + exit $ERRORS{UNKNOWN}; + } +} + +# check if -w is used +sub check_warning_param { + if ( !defined($warning) ) { + printf "UNKNOWN: you have to define a warning thresold.\n"; + exit $ERRORS{UNKNOWN}; + } +} + +# check if -c is used +sub check_critical_param { + if ( !defined($critical) ) { + printf "UNKNOWN: you have to define a critical thresold.\n"; + exit $ERRORS{UNKNOWN}; + } +} + +# Bind to LDAP server +sub get_ldapconn { + &verbose( '3', "Enter &get_ldapconn" ); + my ( $server, $binddn, $bindpw ) = @_; + my ( $useTls, $tlsParam ); + + # Manage ldap+tls:// URI + if ( $server =~ m{^ldap\+tls://([^/]+)/?\??(.*)$} ) { + $useTls = 1; + $server = $1; + $tlsParam = $2 || ""; + } + else { + $useTls = 0; + } + + my $ldap = Net::LDAP->new( $server, timeout => $timeout ); + + return ('1') unless ($ldap); + &verbose( '2', "Connected to $server" ); + + if ($useTls) { + my %h = split( /[&=]/, $tlsParam ); + my $message = $ldap->start_tls(%h); + $message->code + && &verbose( '1', $message->error ) + && return ( $message->code, $message->error ); + &verbose( '2', "startTLS succeed on $server" ); + } + + if ( $binddn && $bindpw ) { + + # Bind witch credentials + my $req_bind = $ldap->bind( $binddn, password => $bindpw ); + $req_bind->code + && &verbose( '1', $req_bind->error ) + && return ( $req_bind->code, $req_bind->error ); + &verbose( '2', "Bind with $binddn" ); + } + else { + my $req_bind = $ldap->bind(); + $req_bind->code + && &verbose( '1', $req_bind->error ) + && return ( $req_bind->code, $req_bind->error ); + &verbose( '2', "Bind anonym" ); + } + &verbose( '3', "Leave &get_ldapconn" ); + return ( '0', $ldap ); +} + +# Get the master URI from cn=monitor +sub get_entries { + &verbose( '3', "Enter &get_entries" ); + my ( $ldapconn, $base, $scope, $filter ) = @_; + my $message; + my $count; + $message = $ldapconn->search( + base => $base, + scope => $scope, + filter => $filter, + attrs => ['1.1'] + ); + $message->code + && &verbose( '1', $message->error ) + && return ( $message->code, $message->error ); + $count = $message->count(); + &verbose( '2', "Found $count entries" ); + &verbose( '3', "Leave &get_entries" ); + return ( 0, $count ); +} + +#========================================================================= +# Main +#========================================================================= + +# Options checks +&check_host_param(); +&check_base_param(); +&check_warning_param(); +&check_critical_param(); + +# Default values +$ldap_filter ||= "(objectClass=*)"; +$ldap_scope ||= "sub"; + +my $errorcode; + +# Connect to the directory +# If $host is an URI, use it directly +my $ldap_uri; +if ( $host =~ m#ldap(\+tls)?(s)?://.*# ) { + $ldap_uri = $host; + $ldap_uri .= ":$port" if ( $port and $host !~ m#:(\d)+# ); +} +else { + $ldap_uri = "ldap://$host";; + $ldap_uri .= ":$port" if $port; +} + +my $ldap_server; +( $errorcode, $ldap_server ) = + &get_ldapconn( $ldap_uri, $ldap_binddn, $ldap_bindpw ); +if ($errorcode) { + print "Can't connect to $ldap_uri.\n"; + exit $ERRORS{'UNKNOWN'}; +} + +# Request LDAP +my $nb_entries; +( $errorcode, $nb_entries ) = + &get_entries( $ldap_server, $ldap_base, $ldap_scope, $ldap_filter ); +if ($errorcode) { + print "LDAP search failed: $nb_entries.\n"; + exit $ERRORS{'UNKNOWN'}; +} + +#========================================================================== +# Exit with Nagios codes +#========================================================================== + +# Prepare PerfParse data +my $perfparse = " "; +if ($perf_data) { + $perfparse = "|'entries'=" . $nb_entries . ";$warning;$critical"; +} + +# Test the $nb_entries and exit +if ( $nb_entries < $warning ) { + print + "OK - $nb_entries entries returned (W:$warning - C:$critical)$perfparse"; + exit $ERRORS{'OK'}; +} +elsif ( $nb_entries > $warning and $nb_entries < $critical ) { + print +"WARNING - $nb_entries entries returned (W:$warning - C:$critical)$perfparse"; + exit $ERRORS{'WARNING'}; +} +else { + print +"CRITICAL - $nb_entries entries returned (W:$warning - C:$critical)$perfparse"; + exit $ERRORS{'CRITICAL'}; +} + +exit $ERRORS{'UNKNOWN'}; _______________________________________________ ltb-changes mailing list [email protected] http://lists.ltb-project.org/listinfo/ltb-changes
