LDAPS question

Parker Anderson baka.rob at gmail.com
Fri Jan 19 19:01:44 CET 2007


On 1/19/07, Formoso, Travis <Travis.Formoso at blueslate.net> wrote:
> Hello,
>
> I am trying to monitor LDAPS on my server and I am using this command: ./check_ldaps -H mars.blueslate.net -b o=scalix -p 636
>
> I get the following error: Could not bind to the ldap-server

Have you checked the LDAP daemon logs on the server for any errors /
entries as you run check_ldaps against it?  Is the server / stunnel
sending out self-signed, expired, or otherwise[-invalid/-untrusted]
credentials?  Have you used any other clients to verify that LDAPS is
functional?

By checking the certificate with openssl, I can see that the
certificate isn't in my default trusted certificate authority list
(checked on Redhat Enterprise Linux AS4 Update 4):

$ openssl s_client -connect 66.194.182.14:636
CONNECTED(00000003)
depth=0 /O=mail.blueslate.net/OU=Domain Control Validated/CN=mail.blueslate.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /O=mail.blueslate.net/OU=Domain Control Validated/CN=mail.blueslate.net
verify error:num=27:certificate not trusted
verify return:1
depth=0 /O=mail.blueslate.net/OU=Domain Control Validated/CN=mail.blueslate.net
verify error:num=21:unable to verify the first certificate
verify return:1

So maybe there is an issue there?  I don't use check_ldaps (we just
have a test implementation of OpenLDAP going at work; Nagios isn't
running against it yet), but I know that there are client-side hoops
to jump through if you are using a certificate signed by [someone
other than Verisign or a handful of authorities].  I hope that helps a
bit, or at least gives you something else to look into!

>
> When monitoring LDAP it worked fine using: ./check_ldap -H mars.blueslate.net -b o=scalix
> LDAP OK - 0.228 seconds response time|time=0.227919s;;;0.000000
>
> We are using stunnel to implement LDAPS on port 636.
>
>
>
>
> This e-mail and any files transmitted with it are for the sole use of
> Blue Slate Solutions and the intended recipient(s) and may contain
> confidential and privileged information. If you are not the intended
> recipient, please contact the sender by reply e-mail and destroy all
> copies of the original message. Any unauthorized review, use,
> disclosure, dissemination, forwarding, printing or copying of this email
> or any action taken in reliance on this e-mail is strictly prohibited
> and may be unlawful.
>
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share your
> opinions on IT & business topics through brief surveys - and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> _______________________________________________
> Nagios-users mailing list
> Nagios-users at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nagios-users
> ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.
> ::: Messages without supporting info will risk being sent to /dev/null
>

Sincerely,
-Parker
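
The triage the reply walks through, as an added example that is not part of the original post: it parses the `openssl s_client` transcript quoted above, maps each verify code to one of the causes the reply asks about (self-signed, expired, untrusted issuer), and compares the leaf certificate's CN with the host name the check was pointed at. The function names and the `expected_host` comparison are assumptions made for this illustration; the post does not say whether 66.194.182.14 is the same host as mars.blueslate.net.

```python
import re

# OpenSSL verify codes, grouped by the causes the reply asks about.
CAUSES = {9: "validity", 10: "validity",            # not yet valid / expired
          18: "self-signed", 19: "self-signed",     # self-signed leaf / in chain
          20: "untrusted-issuer", 21: "untrusted-issuer", 27: "untrusted-issuer"}
DEPTH_RE = re.compile(r"^depth=(\d+)\s+(.*)$")
ERROR_RE = re.compile(r"^verify error:num=(\d+):(.*)$")
CN_RE = re.compile(r"CN\s*=\s*([^/,]+)")

# The s_client transcript quoted in the message above.
SAMPLE = """\
CONNECTED(00000003)
depth=0 /O=mail.blueslate.net/OU=Domain Control Validated/CN=mail.blueslate.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /O=mail.blueslate.net/OU=Domain Control Validated/CN=mail.blueslate.net
verify error:num=27:certificate not trusted
verify return:1
depth=0 /O=mail.blueslate.net/OU=Domain Control Validated/CN=mail.blueslate.net
verify error:num=21:unable to verify the first certificate
verify return:1
"""

def parse(transcript):
    """Return (findings, leaf_subject); each error is paired with the depth= line before it."""
    findings, depth, subject, leaf = [], None, None, None
    for line in (l.strip() for l in transcript.splitlines()):
        m = DEPTH_RE.match(line)
        if m:
            depth, subject = int(m.group(1)), m.group(2)
            leaf = subject if depth == 0 else leaf
            continue
        m = ERROR_RE.match(line)
        if m:
            num = int(m.group(1))
            findings.append({"depth": depth, "subject": subject, "num": num,
                             "cause": CAUSES.get(num, "other")})
    return findings, leaf

def diagnose(transcript, expected_host=None):
    """Summarise the failure; name_ok is an exact CN comparison (no wildcard or SAN handling)."""
    findings, leaf = parse(transcript)
    cn = CN_RE.search(leaf or "")
    cn = cn.group(1).strip() if cn else None
    name_ok = cn.lower() == expected_host.lower() if cn and expected_host else None
    return {"codes": [f["num"] for f in findings],
            "causes": sorted({f["cause"] for f in findings}),
            "leaf_cn": cn, "name_ok": name_ok}
```

An `untrusted-issuer` result points at the client's trust store: `openssl s_client` accepts `-CAfile` to name the issuing CA, and OpenLDAP clients read it from `TLS_CACERT` in ldap.conf.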
