[Nagiosplug-devel] [ nagiosplug-Bugs-2550254 ] check_ldap with starttls requires hostname to match cert nam

SourceForge.net noreply at sourceforge.net
Wed Feb 27 23:33:12 CET 2013


Bugs item #2550254, was opened at 2009-01-30 12:54
Message generated for change (Comment added) made by fleish
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=397597&aid=2550254&group_id=29880

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: General plugin execution
Group: Release (specify)
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Jan Wagner (cyco_dd)
Assigned to: Nobody/Anonymous (nobody)
Summary: check_ldap with starttls requires hostname to match cert nam

Initial Comment:
Version: 1.4.10-1

We received the following bug report against our Debian package:

Serverside: slapd 2.4.7-3 with TLS (not ldaps) enabled.  It's running on a VM with a hostname of 'utilserver.domain.org', and its SSL cert has a CN of 'utilserver', since usually only internal users interact with it.

$ /usr/lib/nagios/plugins/check_ldap -T -H utilserver -b `grep BASE /etc/ldap/ldap.conf| awk '{print $2}'`
LDAP OK - 0.041 seconds response time|time=0.040605s;;;0.000000
$ host utilserver
utilserver.domain.org has address 192.168.20.20
$ /usr/lib/nagios/plugins/check_ldap -T -H 192.168.20.20 -b `grep BASE /etc/ldap/ldap.conf| awk '{print $2}'`

Could not init startTLS at port 389!

$ /usr/lib/nagios/plugins/check_ldap -T -H utilserver.domain.org -b `grep BASE /etc/ldap/ldap.conf| awk '{print $2}'`

Could not init startTLS at port 389!


It appears (though I haven't confirmed since my C-fu is weak) that the -T flag co-opts the hostname as specified in the -H and uses that in its TLS handshake.  But that overload is not always good: my nagios checks, which use the FQDN, fail.

Suggestion:
-T is currently a boolean flag.  How about -T [optional hostname for certificate handshake if -H isn't good enough]?  I can't think of anything else you might want after -T, myself.

Thanks!

You can track the bugreport via http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=463355

Thanks and kind regards, Jan.

----------------------------------------------------------------------

Comment By: Fleish (fleish)
Date: 2013-02-27 14:33

Message:
I have a similar problem with an ldaps server. The below check syntax used
to work fine and was used to validate a pool of LDAP servers that all
service the CN "ldap". But since changing over to GnuTLS from OpenSSL, I
can't specify a numerical IP for -H anymore without getting a TLS error. If
I replace the IP with ldap and put an /etc/hosts entry in place, the check
returns successfully. Unfortunately, this means I cannot check the status
of the individual servers directly. I too would appreciate a way to
overcome this. Something like check_http's -H & -I options, which allow you
to specify a hostname and a specific IP address, seems like it would solve
this.

  /usr/local/nagios/libexec/check_ldaps -H 10.x.x.x -S  -3 -t 3 -v
ldap_bind: Can't contact LDAP server (-1)
        additional info: TLS: hostname does not match CN in peer certificate



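Both reports come down to the same name check: the TLS library compares the name given to -H against the identities in the server certificate, so the short name matches a CN of "utilserver" while the FQDN and the IP literal do not. The following is an added Python example, not code from the plugins project or from anyone in this thread. It mirrors the RFC 6125 rules a verifier applies (subjectAltName wins over CN, CN is only a fallback for SAN-less certificates, IP literals only match iPAddress entries, a wildcard covers exactly one leftmost label), using constructed certificate summaries in the shape Python's ssl.getpeercert() returns to stand in for the utilserver certificate. The open_tls() helper at the end shows the -H/-I split from check_http that the comment above asks for: connect to one address, verify against another name. The certificate dictionaries, function names and the port default of 636 are assumptions for the example.

```python
"""Hostname verification as a TLS library applies it, plus a connect/verify split.

Added example: the certificate summaries below are constructed to match the
bug report (CN=utilserver, no subjectAltName) and are not real certificates.
"""
import ipaddress
import socket
import ssl

# Constructed: the SAN-less certificate from the initial report.
UTILSERVER_CERT = {
    "subject": ((("commonName", "utilserver"),),),
}

# Constructed: what the certificate would need to carry so that every form
# of -H used in the report (short name, FQDN, IP literal) verifies.
FIXED_CERT = {
    "subject": ((("commonName", "utilserver"),),),
    "subjectAltName": (
        ("DNS", "utilserver"),
        ("DNS", "utilserver.domain.org"),
        ("IP Address", "192.168.20.20"),
    ),
}


def _parse_ip(text):
    """Return an ipaddress object for an IP literal, or None for a DNS name."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def _dns_name_match(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive, trailing dot ignored,
    a '*' may only be the whole leftmost label and covers exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject "ldap*.x", "*.org" style patterns and label-count mismatches.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def names_from_cert(cert):
    """Identities a verifier will consider: all SAN entries if any exist,
    otherwise the CN (as a DNS name only). An IP in the CN never matches."""
    dns_names, ip_names = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns_names.append(value)
        elif kind == "IP Address":
            ip_names.append(ipaddress.ip_address(value))
    if cert.get("subjectAltName"):
        return dns_names, ip_names  # SAN present: CN is ignored entirely
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                dns_names.append(value)
    return dns_names, ip_names


def matches_cert(cert, target):
    """Would a verifier accept `cert` for a connection whose -H value is `target`?"""
    dns_names, ip_names = names_from_cert(cert)
    ip = _parse_ip(target)
    if ip is not None:
        return ip in ip_names
    return any(_dns_name_match(name, target) for name in dns_names)


def open_tls(address, verify_as, port=636, timeout=3.0):
    """Connect to `address` (IP or name) but validate the certificate against
    `verify_as`, which is also sent as SNI. This is the decoupling of
    check_http's -I (where to connect) from -H (what name to verify).
    Needs a live server, so it is not exercised by the offline checks."""
    ctx = ssl.create_default_context()
    with socket.create_connection((address, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=verify_as) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for target in ("utilserver", "utilserver.domain.org", "192.168.20.20"):
        print(f"-H {target:25s} CN-only cert: {matches_cert(UTILSERVER_CERT, target)}"
              f"  SAN cert: {matches_cert(FIXED_CERT, target)}")
```

Run stand-alone it prints one line per -H form from the report; only the short name passes against the CN-only certificate, while all three pass once the certificate carries matching subjectAltName entries. The plugin-side fix the thread proposes (a separate "verify as" name) is what the `verify_as` argument of `open_tls()` does; the certificate-side fix is what `FIXED_CERT` shows.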
----------------------------------------------------------------------

Comment By: jlec (jlec)
Date: 2011-11-29 05:23

Message:
Simply add a -v in your line and you will see that OpenSSL cannot verify
your cert chain. This might relate to 
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/396818
http://rt.openssl.org/Ticket/Display.html?id=977&user=guest&pass=guest

----------------------------------------------------------------------
