LDAP check is escaping wrong characters

Hello,

We have a problem with the active LDAP check to monitor our LDAP servers.

CMK version: 2.2.0p21 CEE
OS version: Appliance

Error message:
It seems like the active LDAP check is escaping special characters in the password field.
I’ve tried it with an entry in the password store and later with the explicit password.
For example, the password is Pass!Word.
When I’m doing the check on the command line, everything is working fine:

 ./check_ldap -H '$HOSTADDRESS$' -b CN=User,OU=LDAP,OU=FirstOu,DC=DC1,DC=ROOT -a '(objectclass=*)' -D  CN=LDAP-User,OU=LDAP,OU=FirstOu,DC=DC1,DC=ROOT -P 'Pass!Word' -p 636 -2 --ssl
 LDAP OK - 0.019 seconds response time|time=0.019391s;;;0.000000

But in Checkmk I still got the error “Could not bind to the LDAP server”. So I’ve checked the service check command:

./check_ldap -H '$HOSTADDRESS$' -b CN=User,OU=LDAP,OU=FirstOu,DC=DC1,DC=ROOT -a '(objectclass=*)' -D  CN=LDAP-User,OU=LDAP,OU=FirstOu,DC=DC1,DC=ROOT -P 'Pass\!Word' -p 636 -2 --ssl
Could not bind to the LDAP server

I’ve already tried to copy the escaped password Pass!Word to the password field, which results in Pass\!Word.

Is there a way to prevent escaping the password?

Regards

Hi,

I’ve tried it with 2.3.0p2 and I can also see the escaping happening in the GUI:

Password is set to 1234!5678 and in the GUI it shows

image

However it does work for me.

It doesn’t work with the escaped ! via CLI, but in the GUI it does work, so I assume at least in 2.3.0p2 it does remove the escape during the check.

OMD[main]:~$ ./lib/nagios/plugins/check_ldap -H '192.168.0.11' -b ou=people,dc=home,dc=lan -D uid=authtest,ou=people,dc=home,dc=lan -P '1234\!5678' -3
Could not bind to the LDAP server
OMD[main]:~$ ./lib/nagios/plugins/check_ldap -H '192.168.0.11' -b ou=people,dc=home,dc=lan -D uid=authtest,ou=people,dc=home,dc=lan -P '1234!5678' -3
LDAP OK - 0.002 seconds response time|time=0.001936s;;;0.000000

So maybe an update will fix it for you as well.

@Fabse91 can you confirm that Checkmk 2.3 behaves differently, as @Virus2500 suggests?
If so, that would be your solution. If not, I would recommend giving the monitoring user a password without this kind of special character. As the user should be dedicated for monitoring and have no high permissions in your LDAP, this should be a rather accessible workaround.

Just as a side note: The exclamation mark ! can be a real PITA in bash because it is used for history expansion. On the commandline you can type something like

$ !-2   # run the last but one command from the history
$ !!    # repeat the last command
$ !ls   # repeat the last command that started with 'ls'

The problem is that the ! must be escaped (at least sometimes :roll_eyes:) if it occurs in strings and the syntax itself is hard to remember. And it can lead to surprising results:

$ echo "what !!"
echo "what echo "what !""
what echo what !

Good news is that this behaviour can be turned off completely with set +H.

Maybe try to put that in the site user’s .profile?
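
Added example (not from any of the posts above, and not Checkmk code): a small POSIX shell script that prints the exact bytes a program receives for each quoting form of the sample password used in this thread. The helper names `arg_hex`, `arg_len`, `has_escaped_bang` and `report` are made up for this illustration. Inside single quotes the backslash is literal, so `'Pass\!Word'` hands the plugin a 10-byte password that includes the backslash, which is why that command line fails to bind.

```shell
#!/bin/sh
# Added illustration: inspect an argument exactly as a child process gets it.
# Passwords below are the sample values from the thread, not real credentials.

# arg_hex ARG: hex encoding of ARG's bytes, as one lowercase string
arg_hex() {
    printf '%s' "$1" | od -An -tx1 | tr -d ' \n'
}

# arg_len ARG: byte length of ARG
arg_len() {
    printf '%s' "$1" | wc -c | tr -d ' '
}

# has_escaped_bang ARG: succeeds if ARG contains a literal backslash before '!'
has_escaped_bang() {
    case $1 in
        *'\!'*) return 0 ;;
        *)      return 1 ;;
    esac
}

# report LABEL ARG: one summary line per quoting form
report() {
    label=$1
    value=$2
    if has_escaped_bang "$value"; then
        note='backslash is part of the value'
    else
        note='no stray backslash'
    fi
    printf '%-16s len=%-2s hex=%s (%s)\n' \
        "$label" "$(arg_len "$value")" "$(arg_hex "$value")" "$note"
}

report 'single, plain'   'Pass!Word'
report 'single, escaped' 'Pass\!Word'
# In double quotes a backslash before '!' is also kept by the shell.
report 'double, escaped' "Pass\!Word"
```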

Hi, I will check if it’s possible with 2.3, but I cannot test the upgrade in the next weeks.
Changing the LDAP password is not possible from my side, but I’ve asked the people responsible (hopefully they will not come with a password complexity policy).