[Nagiosplug-devel] Suggestion for check_ldap to work with self-signed certificates

[Mike Hansen]

Nagios Plugin Suggestion for check_ldap:

Would it be possible to modify the check_ldap plugin to allow self-signed
certificates to not return an error and to return an error when certificates
are close to expiring?

Our situation:
1. Our IT department uses a global LDAP server that uses self-signed
certificates.
2. Our Apache web servers which we use for authentication are not picky and
work.
3. When the self-signed certificate expired this morning our web
applications quit working. With the plugin as currently working I would
still have to check the Apache SSL error logs to find out that the LDAP
server was the culprit.

Suggestions:
1. Add something like "--allow_self_signed" so that check_ldap can connect
and return OK for LDAP servers that use self-signed certificates.
2. Add an option such as "-C" that is similar to the check_http "-C" which
checks for the number of days before a certificate is going to expire?
(Adding this option is an additional check that we do for our webservers.
One check_http to check if a webpage returns an error and another check_http
to check for when the SSL certificate is going to expire.)

Here is the command-line I'm using:

./check_ldaps -H 10.6.9.33 -b dc=students,dc=msu,dc=edu -D
ldapquery at students.msu.edu -P XXXXXXX -v -p 636 -S

Here is the response I get with verbose (-v) set:

ldap_bind: Can't contact LDAP server (-1)
        additional info: TLS error -8179:Peer's Certificate issuer is not
recognized.
Could not bind to the LDAP server

Here is the response I get with no verbose (-v) set:

Could not bind to the LDAP server


Our server information:
  CentOS 6.4
  Nagios 3.2.3
  check_ldap v1.4.16 (nagios-plugins 1.4.16)


Thanks,

Mike Hansen