Debian check_ldaps plugin needs cert permissions
William Edwards | Tuxis Internet Engineering
william at tuxis.nl
Mon Oct 1 12:01:11 CEST 2018
Hello all,
I am using the 'check_ldaps' check that gets shipped with the 'nagios-plugins' package on Debian. The check works fine, but it needs read permissions on the certificate mentioned in /etc/ldap/ldap.conf . I did a bit of stracing. As you can see, the check returns 2 because it cannot read the certificate file. A workaround would be to execute the check command with sudo, but I'm hesitant to do so.
--
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
close(3) = 0
open("/lib/x86_64-linux-gnu/libnsl.so.1", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320?\0\0\0\0\0\0"..., 832) = 832
close(3) = 0
open("/lib/x86_64-linux-gnu/libresolv.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0p9\0\0\0\0\0\0"..., 832) = 832
close(3) = 0
open("/usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240\343\0\0\0\0\0\0"..., 832) = 832
close(3) = 0
open("/usr/lib/x86_64-linux-gnu/liblber-2.4.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\3001\0\0\0\0\0\0"..., 832) = 832
close(3) = 0
open("/lib/x86_64-linux-gnu/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0Pa\0\0\0\0\0\0"..., 832) = 832
close(3) = 0
open("/lib/x86_64-linux-gnu/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200\r\0\0\0\0\0\0"..., 832) = 832
close(3) = 0
open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\4\2\0\0\0\0\0"..., 832) = 832
close(3) = 0
open("/usr/lib/x86_64-linux-gnu/libsasl2.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360-\0\0\0\0\0\0"..., 832) = 832
close(3) = 0
open("/usr/lib/x86_64-linux-gnu/libgnutls.so.30", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@\275\2\0\0\0\0\0"..., 832) = 832
close(3) = 0
open("/lib/x86_64-linux-gnu/libz.so.1", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\300!\0\0\0\0\0\0"..., 832) = 832
close(3) = 0
open("/usr/lib/x86_64-linux-gnu/libp11-kit.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\26\1\0\0\0\0\0"..., 832) = 832
close(3) = 0
open("/lib/x86_64-linux-gnu/libidn.so.11", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0 .\0\0\0\0\0\0"..., 832) = 832
close(3) = 0
open("/usr/lib/x86_64-linux-gnu/libtasn1.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\20+\0\0\0\0\0\0"..., 832) = 832
close(3) = 0
open("/usr/lib/x86_64-linux-gnu/libnettle.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\20\225\0\0\0\0\0\0"..., 832) = 832
close(3) = 0
open("/usr/lib/x86_64-linux-gnu/libhogweed.so.4", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0000x\0\0\0\0\0\0"..., 832) = 832
close(3) = 0
open("/usr/lib/x86_64-linux-gnu/libgmp.so.10", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200\305\0\0\0\0\0\0"..., 832) = 832
close(3) = 0
open("/usr/lib/x86_64-linux-gnu/libffi.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240\31\0\0\0\0\0\0"..., 832) = 832
close(3) = 0
open("/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = 3
read(3, "# Dynamic resolv.conf(5) file fo"..., 4096) = 246
read(3, "", 4096) = 0
close(3) = 0
connect(3, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
close(3) = 0
connect(3, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
close(3) = 0
open("/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 3
read(3, "# /etc/nsswitch.conf\n#\n# Example"..., 4096) = 497
read(3, "", 4096) = 0
close(3) = 0
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
close(3) = 0
open("/lib/x86_64-linux-gnu/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320!\0\0\0\0\0\0"..., 832) = 832
close(3) = 0
open("/etc/host.conf", O_RDONLY|O_CLOEXEC) = 3
read(3, "multi on\n", 4096) = 9
read(3, "", 4096) = 0
close(3) = 0
open("/etc/hosts", O_RDONLY|O_CLOEXEC) = 3
read(3, "## Ansible managed: /etc/ansible"..., 4096) = 472
read(3, "", 4096) = 0
close(3) = 0
open("/usr/lib/x86_64-linux-gnu/sasl2", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 3
open("/usr/lib/x86_64-linux-gnu/sasl2/libntlm.so", O_RDONLY|O_CLOEXEC) = 4
read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\27\0\0\0\0\0\0"..., 832) = 832
close(4) = 0
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 4
close(4) = 0
open("/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1", O_RDONLY|O_CLOEXEC) = 4
read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\340\7\0\0\0\0\0"..., 832) = 832
close(4) = 0
open("/usr/lib/x86_64-linux-gnu/sasl2/libanonymous.so", O_RDONLY|O_CLOEXEC) = 4
read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0000\20\0\0\0\0\0\0"..., 832) = 832
close(4) = 0
open("/usr/lib/x86_64-linux-gnu/sasl2/libcrammd5.so", O_RDONLY|O_CLOEXEC) = 4
read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\20\21\0\0\0\0\0\0"..., 832) = 832
close(4) = 0
open("/usr/lib/x86_64-linux-gnu/sasl2/libplain.so", O_RDONLY|O_CLOEXEC) = 4
read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0p\20\0\0\0\0\0\0"..., 832) = 832
close(4) = 0
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 4
close(4) = 0
open("/lib/x86_64-linux-gnu/libcrypt.so.1", O_RDONLY|O_CLOEXEC) = 4
read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0p\v\0\0\0\0\0\0"..., 832) = 832
close(4) = 0
open("/usr/lib/x86_64-linux-gnu/sasl2/libsasldb.so", O_RDONLY|O_CLOEXEC) = 4
read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260\23\0\0\0\0\0\0"..., 832) = 832
close(4) = 0
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 4
close(4) = 0
open("/usr/lib/x86_64-linux-gnu/libdb-5.3.so", O_RDONLY|O_CLOEXEC) = 4
read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0000\347\2\0\0\0\0\0"..., 832) = 832
close(4) = 0
open("/usr/lib/x86_64-linux-gnu/sasl2/libdigestmd5.so", O_RDONLY|O_CLOEXEC) = 4
read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240\31\0\0\0\0\0\0"..., 832) = 832
close(4) = 0
open("/usr/lib/x86_64-linux-gnu/sasl2/liblogin.so", O_RDONLY|O_CLOEXEC) = 4
read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0000\20\0\0\0\0\0\0"..., 832) = 832
close(4) = 0
close(3) = 0
open("/usr/lib/sasl2", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 3
close(3) = 0
open("/etc/ldap/ldap.conf", O_RDONLY) = 3
read(3, "#\n# LDAP Defaults\n#\n\n# See ldap."..., 4096) = 414
read(3, "", 4096) = 0
close(3) = 0
open("/opt/sensu/ldaprc", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/opt/sensu/.ldaprc", O_RDONLY) = -1 ENOENT (No such file or directory)
open("ldaprc", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = 3
read(3, "# Dynamic resolv.conf(5) file fo"..., 4096) = 246
read(3, "", 4096) = 0
close(3) = 0
open("/etc/hosts", O_RDONLY|O_CLOEXEC) = 3
read(3, "## Ansible managed: /etc/ansible"..., 4096) = 472
read(3, "", 4096) = 0
close(3) = 0
open("/etc/gai.conf", O_RDONLY|O_CLOEXEC) = 3
read(3, "# Configuration for getaddrinfo("..., 4096) = 2584
read(3, "", 4096) = 0
close(3) = 0
close(3) = 0
connect(3, {sa_family=AF_INET, sin_port=htons(636), sin_addr=inet_addr("127.0.0.1")}, 16) = 0
close(3) = 0
connect(3, {sa_family=AF_INET6, sin6_port=htons(636), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=htonl(0), sin6_scope_id=0}, 28) = 0
close(3) = 0
connect(3, {sa_family=AF_INET6, sin6_port=htons(636), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=htonl(0), sin6_scope_id=0}, 28) = 0
open("/etc/samba/tls/cert.pem", O_RDONLY) = -1 EACCES (Permission denied)
write(1, "Could not bind to the LDAP serve"..., 34Could not bind to the LDAP server
) = 34
+++ exited with 2 +++
--
My questions:
- Why does the 'check_ldaps' plugin need permissions for the certificate check?
- Is there a workaround without having to grant permissions or use `sudo`?
Met vriendelijke groet,
William Edwards
Tuxis Internet Engineering
E. info at tuxis.nl
T. 0318 - 200 208
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.monitoring-plugins.org/archive/help/attachments/20181001/0173a2ea/attachment-0001.html>
More information about the Help
mailing list