Issue with LDAP Check

Hi,
I have a problem with the following active check: Check LDAP Access

The check is working well with the following configuration:
LDAP V3 (Port 389).

When I change the parameters to LDAPs (and Port 636) the CheckResult is "Could not bind to server".
The "strange" thing is that the user authentication is working perfectly (LDAPs V3, Port 636).

Does anyone have a hint where to start troubleshooting?

Regards

Thomas

I am using CheckMK Raw 1.6.0p11

Hi BerT666 and welcome to our community.
The users are cached by check_mk, so even if the ldap connection is broken, they should still work for some time.

Did you check the connection from your master to your LDAP-Connection via telnet?
Are you probably missing any certificates?

Sincerely Kruzgoth

Hi Kruzgoth,

the login with LDAP Auth works flawlessly, even if I set up a new user (=> the new user can log in).
I did not use telnet, but I checked with ldapsearch which also worked.

If the auth is working, I think the certs are ok, or am I wrong?

The "bad thing" is, I cannot find any more information about what is going wrong :frowning:
I checked the LDAP (and Firewall) logs on the LDAP side, and the Check_MK logs, but I do not see any hint.

I will check the certs tomorrow again and will report if something changed…

The only thing I am sure of is that the LDAP server is OK, since I can use my LDAP credentials on all the services which use ldaps as protocol…

Regards

Thomas

Hi Thomas,

did you save your certificate in here?
"Global Settings - Site Management - Trusted certificate authorities for SSL"

Someone had a similar problem right here, but it's in German, so I don't know if you understand that.

In general, most errors here appear because the certificates aren't saved in the right places.

The fact that it still works, confuses me. Do you have a second LDAP-Connection online?
And the error only appears while testing the LDAPs-Connection by hand?
Did you check in the werks if there is a bug known in your version for that? A similar thing happened once for the host diagnostic.

Hi,
I saved the Certs under WATO, but it does not change anything :frowning:

I tried an ldapsearch and it worked "out of the box":
ldapsearch -D "cn=[User CN]" -W -H ldaps://[Servername FQDN] -b "ou=users,[LDAP Root]" -s sub dn
=> displays all users

The error only occurs if I configure the ldap-check to use ldaps, with ldap ( nothing else changed ) it is working.

The German post refers to the SSL Cert store, which in my net did not work…
I did not find any hint in the werks, besides this (nagios based) check was not “touched” for > years.

Regards Thomas

What does your command look like that is called from your monitoring core?
The command line found inside the “Service check command” you can run manually.
Only replace the check_mk_active-ldap! with ~/lib/nagios/plugins/check_ldap
I tested on one of my systems and it was working without any problem.

I copy only my ca-certificates.crt regularly from the /etc/ssl/certs/ to my sites ~/var/ssl/

… after some (more) searching the web I found a solution:

I added "TLS_REQCERT allow" to /etc/ldap.conf (at the bottom) [config file on the monitoring server] and now it is working :slight_smile:

Hope it helps if someone has a similar issue

Regards Thomas

It is clear that this works, you don't check the server certificate with this option. :wink:

Better said, certificate checking is turned off for all LDAP queries on this machine.
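To make the effect of the TLS_REQCERT workaround visible, here is an added example (not from the thread or from Checkmk) that audits an OpenLDAP client config file for that setting and tells you whether server certificate checking is still enforced; the file path and the sample contents are constructed for the demo.

```shell
#!/bin/sh
# Added example: audit an OpenLDAP client config (ldap.conf style) for the
# TLS_REQCERT level. Returns 0 when the server certificate is verified
# ("demand"/"hard", or unset, since "demand" is the OpenLDAP default) and
# 1 when verification is weakened ("never", "allow") or partial ("try").
audit_tls_reqcert() {
    conf="$1"
    # Later directives override earlier ones, so the last TLS_REQCERT line wins.
    value=$(grep -i '^[[:space:]]*TLS_REQCERT' "$conf" 2>/dev/null \
            | tail -n 1 | awk '{print tolower($2)}')
    case "${value:-demand}" in
        demand|hard)
            echo "$conf: TLS_REQCERT=${value:-demand (default)} -> server certificate is verified"
            return 0 ;;
        never|allow)
            echo "$conf: TLS_REQCERT=$value -> server certificate is NOT verified;" \
                 "use 'TLS_REQCERT demand' plus 'TLS_CACERT <path to CA bundle>' instead"
            return 1 ;;
        try)
            echo "$conf: TLS_REQCERT=try -> a server presenting no certificate is accepted"
            return 1 ;;
        *)
            echo "$conf: unknown TLS_REQCERT value '$value'"
            return 1 ;;
    esac
}

# Constructed sample mirroring the workaround from the thread (not a real config file).
sample=$(mktemp)
printf 'BASE dc=example,dc=org\nURI ldaps://ldap.example.org\nTLS_REQCERT allow\n' > "$sample"
audit_tls_reqcert "$sample" || echo "-> any certificate would be accepted for every LDAP query on this host"
rm -f "$sample"
```

Run it against the real client config (the thread edited /etc/ldap.conf) to confirm the setting was reverted once the CA certificate is in place.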
