[Pkg-nagios-devel] Bug#463355: check_ldap with starttls requires hostname to match cert name
Greg Cox
ratness at hotmail.com
Thu Jan 31 03:35:22 UTC 2008
Package: nagios-plugins-standard
Version: 1.4.10-1
Severity: wishlist
This is probably something to kick upstream.
Serverside: slapd 2.4.7-3 with TLS (not ldaps) enabled. It's running on a VM with a hostname of 'utilserver.domain.org', and its SSL cert has a CN of 'utilserver', since usually only internal users interact with it.
$ /usr/lib/nagios/plugins/check_ldap -T -H utilserver -b `grep BASE /etc/ldap/ldap.conf| awk '{print $2}'`
LDAP OK - 0.041 seconds response time|time=0.040605s;;;0.000000
$ host utilserver
utilserver.domain.org has address 192.168.20.20
$ /usr/lib/nagios/plugins/check_ldap -T -H 192.168.20.20 -b `grep BASE /etc/ldap/ldap.conf| awk '{print $2}'`
Could not init startTLS at port 389!
$ /usr/lib/nagios/plugins/check_ldap -T -H utilserver.domain.org -b `grep BASE /etc/ldap/ldap.conf| awk '{print $2}'`
Could not init startTLS at port 389!
It appears (though I haven't confirmed since my C-fu is weak) that the -T flag co-opts the hostname as specified in the -H and uses that in its TLS handshake. But that overload is not always good: my nagios checks, which use the FQDN, fail.
Suggestion:
-T is currently a boolean flag. How about -T [optional hostname for certificate handshake if -H isn't good enough]? I can't think of anything else you might want after -T, myself.
Thanks!
_________________________________________________________________
Connect and share in new ways with Windows Live.
http://www.windowslive.com/share.html?ocid=TXT_TAGHM_Wave2_sharelife_012008
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.alioth.debian.org/pipermail/pkg-nagios-devel/attachments/20080131/c37e61e0/attachment.htm
More information about the Pkg-nagios-devel
mailing list