I'm using the NetApp template in checkmk and I was informed that there is LDAP communication using this template, not LDAPS. However, I have other templates and received no notification for LDAP.
So what is the problem here?
Hi,
With the given information it is quite impossible to help you. Could you please clarify:
What checkmk version are you using?
What do you mean by template?
What NetApp checks are you using?
What is the type of NetApp Storage?
Are you synchronising AD or LDAP Users in checkmk?
Are you using active checks like check_ldap ?
Is the ldap traffic specifically going to the NetApp?
The standard checks for NetApp are either using the old Web API or https/REST, and I don’t see any reason why there should be any LDAP/LDAPS traffic going to the NetApp. Maybe this is the LDAP connection to synchronize users from Active Directory or another LDAP source.
If there is really LDAP traffic going to the NetApp, this might be a misconfiguration in checkmk, for example a misconfigured check_ldap plugin.
The template here is NetApp using Web,
the tool itself authenticates with LDAPS; however, I got that there is LDAP communication sent to the storage. How do I check whether the problem may be in the plugin itself?
That is a rule, not a template, and it's for NetApp storage, not LDAP or LDAPS.
Whatever the NetApp ZAPI is using for auth is nothing checkmk knows about.
The NetApp itself is configured to use LDAPS. I'm afraid that the plugin used by this rule uses LDAP instead of LDAPS. Is there any log I can check to see what commands are run by this rule?
You can debug the NetApp special agent; the rule even tells you HOW you do that.
IIRC it uses the ZAPI and has Basic Auth; checkmk does not do LDAP OR LDAPS at all!
What version of ONTAP are you using?
Version: NetApp Release 9.11.1P10: Thu May 25 12:28:26 UTC 2023
and the storage is configured to use LDAPS.
I also see no reason for any LDAP traffic. The ONTAP API is using https/443.
Where was the LDAP traffic recorded/found?
Is the checkmk server running other services than checkmk?
Can you show the output of
cmk -D <Hostname of NetApp> (remove Passwords)
Maybe it helps to run tcpdump on the checkmk server and filter for LDAP Ports 389/636 and the NetApp IP, to inspect the traffic and see direction and interval of the connections.
We have Active Directory logs which send us some logs for LDAP communication, and they mention that the account used by the NetApp rule makes some LDAP communication.
test1.txt (141.1 KB)
I have attached a file called test1, which contains the cmk -D output.
At the moment of your agent call, the NetApp must do an LDAP communication to your AD.
The origin of the communication is not the CMK server but the NetApp.
Your “cmk -D” output looks fine.
So is it a problem in the storage itself, as it's configured with LDAPS settings?
Is there any debugging on the storage we can do to check the command run on it using LDAP, as we can't find anything in the log?
I think what you describe is “works as designed”. You are using a Domain User in the checkmk special agent to authenticate against the NetApp and the NetApp forwards the authentication request to your Active Directory via LDAP.
Yes, I use a domain account in the agent, and it should authenticate using LDAPS, as the storage itself is set up using LDAPS. So why does the storage forward the authentication to AD using LDAP? This is the question, as this doesn't meet the Siemens measure plan.
If you are using a Domain Account, this is just how authentication works in that case. The password of the Domain Account is not stored on the NetApp storage but has to be verified against the AD.
If you don't want that, create a local monitoring user on the NetApp with minimal permissions.
Yes, why does it use LDAP, not LDAPS, during verification? I don't want to use a local account, as this may not meet the Siemens measure plan.
I mean I need this verification done using LDAPS, as this is already configured in the tool and the storage as well.
Why your NetApp uses LDAP instead of LDAPS to the AD is something only your NetApp specialist, who knows the configuration of your system, can answer.
A local read only account is better than an account that can be used network wide.
So you mean it's for sure a storage issue, correct? When I went to the storage team, they said it's a tool issue, as the storage is configured with LDAPS.
