[Nagiosplug-devel] Suggestion for check_ldap to work with self-signed certificates

Mike Hansen mikelhansen2000 at gmail.com
Thu Apr 11 20:35:55 CEST 2013

Nagios Plugin Suggestion for check_ldap:

Would it be possible to modify the check_ldap plugin to allow self-signed
certificates to not return an error and to return an error when certificates
are close to expiring?

Our situation:
1. Our IT department uses a global LDAP server that uses self-signed
2. Our Apache web servers which we use for authentication are not picky and
3. When the self-signed certificate expired this morning our web
applications quit working. With the plugin as currently working I would
still have to check the Apache SSL error logs to find out that the LDAP
server was the culprit.

1. Add something like "--allow_self_signed" so that check_ldap can connect
and return OK for LDAP servers that use self-signed certificates.
2. Add an option such as "-C" that is similar to the check_http "-C" which
checks for the number of days before a certificate is going to expire?
(Adding this option is an additional check that we do for our webservers.
One check_http to check if a webpage returns an error and another check_http
to check for when the SSL certificate is going to expire.)

Here is the command-line I'm using:

./check_ldaps -H -b dc=students,dc=msu,dc=edu -D
ldapquery at students.msu.edu -P XXXXXXX -v -p 636 -S

Here is the response I get with verbose (-v) set:

ldap_bind: Can't contact LDAP server (-1)
        additional info: TLS error -8179:Peer's Certificate issuer is not
Could not bind to the LDAP server

Here is the response I get with no verbose (-v) set:

Could not bind to the LDAP server

Our server information:
  CentOS 6.4
  Nagios 3.2.3
  check_ldap v1.4.16 (nagios-plugins 1.4.16)


Mike Hansen

More information about the Devel mailing list