[Check_mk (english)] check_mk_active-ldap with v3 startTLS - Could not init startTLS at port 389!

Have some new ldap servers running v3 and startTLS.

The ldapsearch command outside of check_mk works fine, e.g.

ldapsearch -LL -v -D "cn=Manager,dc=xxxx,dc=xxxxx,dc=com" -p 389 -h n000a451.ixxxx.xxxxx.com -b "dc=xxxx,dc=xxxxxxxx,dc=com" -s sub -x -ZZ "(objectclass=*)" -v -W

ldap_initialize( ldap://n000a451.xxxx.xxxxxxx.com:389 )
Enter LDAP Password:
filter: (objectclass=*)
requesting: All userApplication attributes
version: 1

but inside check_mk it fails:

check_mk_active-ldap! -b 'dc=xxxx,dc=xxxxxx,dc=com' -t 10 -D 'cn=Manager,dc=xxxx,dc=xxxxxx,dc=com' -p 389 -3 -T

gives

Could not init startTLS at port 389!

Now my investigation shows this is probably due to a certificate issue, but only within check_mk. The CA certs are set up (as shown by the ldapsearch command working).

I think check_mk_active-ldap can't find the /etc/openldap/cert dir or /etc/openldap/ldap.conf file, probably due to an environment variable being 'missing'.

I am using OMD 1.30 (rather than straight check_mk).

Any suggestions on what to put in, and how, to make it see the right environment? Maybe a bit like this guy did for nagios/icinga (https://nagios-plugins.org/archive/help/2011-September/006241.html) but for check_mk?

Not sure what I need to change here.

Thanks

Ben

For ICDS, AICS, DST, project, infrastructure, consultancy or cloud support please use the ICDS Task ID : 3ADMTECH@uk.ibm.com

Unless stated otherwise above:

IBM United Kingdom Limited - Registered in England and Wales with number 741598.

Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU


We normally use 389 for non-ssl/tls connections and 636 for ssl/tls.
Your example suggests that is what ldapsearch is doing as well:
(ldap://****:389) NOTE: ldap vs ldaps
You should be able to verify by upping the ldapsearch debug level
and looking for secure connection handshaking.
(or is it the verbose level…or both…don't remember offhand)

_______________________________________________
checkmk-en mailing list
checkmk-en@lists.mathias-kettner.de
http://lists.mathias-kettner.de/mailman/listinfo/checkmk-en

AD doesn't support STARTTLS so you need to use LDAPS directly.

You can get around the certificate by setting the environment variable
LDAPTLS_REQCERT=allow, which will cause ldapsearch to ignore a "bad"
certificate. See ldap.conf man page for details.

--
Later,
Darin


Thanks, but the port is correct using 389.
startTLS is used after the initial connection (unsecured) to 389, and then the startTLS
is initiated. ldaps (636) is deprecated for openldap (not sure I agree
with that but that's a different discussion).

Native linux ldapsearch works as expected…but
check_mk_active-ldap does not, so I think it is an environment variable
in check_mk (omd) that is not set right. Also not sure (for check_mk_active-ldap)
how to turn on extra debug/verbose levels. I can (and have) turned them
on for ldapsearch but that works fine.

Ben


Thanks, this is not windows/AD but a Redhat openldap server (and in this particular case a Redhat client), and I have proven startTLS works in multiple ways (ldapsearch, including on the same check_mk/omd server), but I can't get check_mk_active-ldap to work (and suspect an env variable is the issue). I could try the LDAPTLS_REQCERT=allow (but don't really want to leave this on), but even to try it, I am not sure where the environment variable goes so that check_mk_active-ldap will use it? (It is not needed for ldapsearch as that works fine with startTLS.)

Any ideas?

Ta

Ben


Did a bit of command line checking and using

./check_ldap -v -H n000a451 -b 'dc=xxxx,dc=xxxxxxxxx,dc=com' -t 10 -p 636 -3

it fails with

ldap_bind: Can't contact LDAP server (-1)
additional info: TLS: hostname does not match CN in peer certificate
Could not bind to the LDAP server

but

./check_ldap -v -H n000a451.xxxx.xxxxxxxx.com -b 'dc=xxxx,dc=xxxxxxxxx,dc=com' -t 10 -p 636 -3

(i.e. FQDN) works.

So the shortname passed from check_mk as the hostname will always fail, unless I can get it to pass the FQDN (which check_mk does not know, I don't think - unless I add a field).

So it looks like a change is needed in check_mk (to allow the WATO/GUI configuration to do this, and potentially have the FQDN) and in (nagios) check_ldap to get this to work with new arguments :(

Will look at other ways of doing this…probably a simpler check of some kind.

Ben


So…simplest fix is to stop checking the cert, so add

TLS_REQCERT never

to the end of /etc/openldap/ldap.conf

So the check now ignores the certificate 'issues' (not good but better than failing) but is now green/OK.

Hope that helps someone else.

Ben


Setting that globally is probably a BAD idea, then your server will
implicitly trust all certificates even if they are bad. In the OMD or
Nagios users home directory create a ldaprc or .ldaprc and set
TLS_REQCERT=allow|never|try so it only applies to that users sessions,
and doesn't potentially compromise your server. See the man page for
ldap.conf for all the details.

--
Later,
Darin
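Two points in this thread are worth seeing in code: the TLS host name check that made the short name `n000a451` fail where the FQDN passed, and where libldap picks up TLS_REQCERT from (the global ldap.conf, a per-user ldaprc, or the LDAPTLS_REQCERT environment variable), which is the scoping point Darin makes above. The Python below is an added example, not code from the thread, Checkmk or OpenLDAP; it models libldap's behaviour as an assumption (host name verification skipped only for `never`/`allow`, per-user file and environment overriding the system file as ldap.conf(5) describes) and uses constructed host names, certificate names and config contents.

```python
"""Added example (not from the thread, Checkmk or OpenLDAP): a model of the
two libldap behaviours the thread runs into. All names are constructed."""

REQCERT_LEVELS = ("never", "allow", "try", "demand", "hard")


def hostname_matches(hostname, cert_names):
    """True if hostname matches a CN / SAN dNSName of the server cert:
    case-insensitive exact match, or a '*.' wildcard covering exactly one
    leftmost label (RFC 6125 style). The short name 'n000a451' never
    matches a certificate issued for the FQDN, hence the error above."""
    host = hostname.rstrip(".").lower()
    for name in cert_names:
        cand = name.rstrip(".").lower()
        if cand == host:
            return True
        if cand.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == cand[2:]:
                return True
    return False


def parse_ldap_conf(text):
    """Parse ldap.conf / ldaprc syntax: 'OPTION value' lines, '#' comments."""
    opts = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            opts[parts[0].upper()] = parts[1].strip()
    return opts


def effective_tls_reqcert(system_conf, user_rc, environ):
    """Resolve TLS_REQCERT the way ldap.conf(5) layers its sources:
    system-wide ldap.conf, then the user's ldaprc/.ldaprc, then the
    LDAPTLS_REQCERT environment variable, later sources winning.
    Returns (level, source); the built-in default is 'demand'."""
    level, source = "demand", "built-in default"
    for src, text in (("/etc/openldap/ldap.conf", system_conf),
                      ("~/.ldaprc", user_rc)):
        val = parse_ldap_conf(text).get("TLS_REQCERT", "").lower()
        if val in REQCERT_LEVELS:
            level, source = val, src
    val = environ.get("LDAPTLS_REQCERT", "").lower()
    if val in REQCERT_LEVELS:
        level, source = val, "LDAPTLS_REQCERT environment variable"
    return level, source


def starttls_accepts(hostname, cert_names, level):
    """Model of libldap's post-handshake decision (assumption, see lead-in):
    'never'/'allow' skip peer certificate and host name verification;
    'try'/'demand'/'hard' end the session on a host name mismatch."""
    if level in ("never", "allow"):
        return True
    return hostname_matches(hostname, cert_names)


def audit(system_conf, user_rc, environ):
    """Effective level plus the finding a reviewer would raise: a weak level
    in the global file disables validation for every libldap client on the
    host, while a per-user ldaprc affects only that user's sessions."""
    level, source = effective_tls_reqcert(system_conf, user_rc, environ)
    findings = []
    if level in ("never", "allow"):
        scope = ("every libldap client on the host"
                 if source == "/etc/openldap/ldap.conf" else "this user only")
        findings.append(f"TLS_REQCERT {level} from {source}: "
                        f"certificate validation disabled for {scope}")
    return level, source, findings


# Constructed sample data standing in for the thread's masked names.
CERT_NAMES = ["n000a451.example.com"]   # CN / SAN on the server certificate
GLOBAL_NEVER = ("# /etc/openldap/ldap.conf\n"
                "TLS_CACERTDIR /etc/openldap/cert\n"
                "TLS_REQCERT never\n")               # Ben's fix, host-wide
USER_ALLOW = "TLS_REQCERT allow\n"                   # Darin's per-user variant


def thread_scenarios():
    """What each configuration discussed in the thread does to the check."""
    global_level = effective_tls_reqcert(GLOBAL_NEVER, "", {})[0]
    return {
        "short name, default demand": starttls_accepts("n000a451", CERT_NAMES, "demand"),
        "FQDN, default demand": starttls_accepts(CERT_NAMES[0], CERT_NAMES, "demand"),
        "short name, global never": starttls_accepts("n000a451", CERT_NAMES, global_level),
    }
```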
