check_ldaps problems with startTLS

Steve Shipway s.shipway at auckland.ac.nz
Tue Feb 15 02:30:55 CET 2005


I'm having problems in making check_ldap work with our SSL LDAP servers.
I'm trying to do an authenticated bind, with TLS, but the TLS can never
start.

./check_ldaps -H ecedir-01.ec -b ou=ec,o=uoa -D cn=yyyyyyyy,ou=webapps,ou=ec,o=uoa -P xxxxxx
Could not init startTLS at port 389: Connect error

This is nagios-plugins v1.4 with a slightly enhanced error output.  I have
softlinked check_ldaps->check_ldap as required.

I can successfully perform an anonymous bind without SSL

./check_ldap -H ecedir-01.ec -b ou=ec,o=uoa
LDAP OK - 0.282 seconds response time|time=0.281768s;;;0.000000

but our server does not permit authenticated binds unless you use SSL, and
if you use SSL, then you must authenticate.

./check_ldap -H ecedir-01.ec -b o=uoa -D cn=yyyyyyyyy,ou=webapps,ou=ec,o=uoa -P xxxxxxx
Could not bind to the ldap-server: Confidentiality required

Now this would seem to indicate that the SSL is somehow screwed; however the
OpenSSL is working fine for ssh and other applications.  The compile of
check_ldap was also done on this machine and the configure process went
through cleanly.

It's not a bad password; it doesn't get that far.  It fails in the StartTLS,
for which I (inconveniently) have no documentation.

Does anyone have any ideas what the problem could be?  Hopefully, I am
merely doing something amazingly stupid which is easy to correct :)

Thanks in advance,

Steve

---
Steve Shipway: ITSS, University of Auckland
Email: s.shipway at auckland.ac.nz  Web: http://www.steveshipway.org/  
** We can only discover new oceans when we have the **
** courage to lose sight of the shore.              **
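As an added example, not code from the original post or from nagios-plugins: a small Python probe that sends the LDAPv3 StartTLS extended request on port 389 itself and decodes the LDAPResult that comes back, so that a StartTLS that never gets a response (the "Connect error" above) can be told apart from a server that does answer, for example with resultCode 13 confidentialityRequired on a bind, which is what the second run shows. Hostnames, the port default and the constructed messages are assumptions.

```python
"""Minimal LDAPv3 StartTLS probe (added example): build the request, parse the reply."""
import socket

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation, RFC 4511
# LDAP resultCode values relevant to this check (RFC 4511 Appendix A)
RESULT_CODES = {0: "success", 2: "protocolError", 13: "confidentialityRequired",
                49: "invalidCredentials", 52: "unavailable"}

def ber_tlv(tag, payload):
    """Encode one BER TLV; uses long-form length for payloads >= 128 bytes."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def build_starttls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { [0] OID } }."""
    ext = ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID))      # 0x77 = APPLICATION 23
    return ber_tlv(0x30, ber_tlv(0x02, bytes([message_id])) + ext)  # id < 128

def parse_tlv(buf, pos=0):
    """Decode one TLV at pos; return (tag, value, next_pos)."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                      # long-form length
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n

def parse_ldap_result(buf):
    """Parse any LDAPResult-shaped reply (BindResponse 0x61, ExtendedResponse 0x78)."""
    _, msg, _ = parse_tlv(buf)                    # outer LDAPMessage SEQUENCE
    _, mid, p = parse_tlv(msg)                    # messageID INTEGER
    op_tag, body, _ = parse_tlv(msg, p)           # protocolOp
    _, code, p = parse_tlv(body)                  # resultCode ENUMERATED
    _, matched, p = parse_tlv(body, p)            # matchedDN
    _, diag, _ = parse_tlv(body, p)               # diagnosticMessage
    rc = int.from_bytes(code, "big")
    return {"message_id": int.from_bytes(mid, "big"), "op": op_tag,
            "result_code": rc, "result_name": RESULT_CODES.get(rc, "other"),
            "matched_dn": matched.decode(errors="replace"),
            "diagnostic": diag.decode(errors="replace")}

def probe_starttls(host, port=389, timeout=5):
    """Send StartTLS on a plain socket and return the parsed ExtendedResponse."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_starttls_request())
        return parse_ldap_result(s.recv(4096))
```

A resultCode of 0 from `probe_starttls` means the server accepted StartTLS and the socket can be wrapped with `ssl` before binding; a transport error before any reply points at the network path or listener rather than at credentials.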