Bug 752949 - ldap_bind: Can't contact LDAP server via SSL
Summary: ldap_bind: Can't contact LDAP server via SSL
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: nagios-plugins
Version: el6
Hardware: x86_64
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Ohad Levy
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2011-11-10 20:21 UTC by Eugene
Modified: 2017-01-03 17:51 UTC (History)

Fixed In Version: nagios-plugins-2.1.4-2.fc25 nagios-plugins-2.1.4-2.fc24 nagios-plugins-2.1.4-2.el6 nagios-plugins-2.1.4-2.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-12-27 21:21:46 UTC
Type: ---
Embargoed:



Description Eugene 2011-11-10 20:21:39 UTC
Description of problem:


Version-Release number of selected component (if applicable): 1.4.15-2


How reproducible:

Steps to Reproduce:
1. Take Oracle Enterprise Linux 6.1
2. Install 389 Directory with SSL or take a working one.
3. Install epel repository and latest nagios-plugins-ldap
4. Run /usr/lib64/nagios/plugins/check_ldaps -H <389 hostname> -S -p <389 port> -b <389's base DN> -v
  
Actual results:

ldap_bind: Can't contact LDAP server (-1)
	additional info: TLS error -8172:Unknown code ___f 20
Could not bind to the LDAP server

Expected results:

LDAP OK - 0,008 seconds response time|time=0,007882s;;;0,000000

Additional info:

Everything works fine with the non-SSL check_ldap.
The same version of nagios-plugins works fine under RedHat (OEL) 5.7.
A version built with rpmbuild from sources has the same problems.

Comment 1 Jose Pedro Oliveira 2012-07-09 14:50:22 UTC
Eugene,

Would you mind testing nagios-plugins 1.4.16 (that has just been pushed for rawhide) and see if the problem still persists?


From the nagios-plugins 1.4.16 release notes
(http://nagiosplugins.org/nagiosplugins-1.4.16):
---------
...
Fixes:
...
 * Fix check_ldap overriding the port when --ssl was specified after -p
...
--------

tia,
jpo

Comment 2 Eugene 2012-07-12 05:20:16 UTC
With 1.4.16 I've got a more descriptive message:

ldap_bind: Can't contact LDAP server (-1)
	additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
Could not bind to the LDAP server

Really, Thawte introduced intermediate certificates, so now we have a certificate chain for this server. But any certificate in the chain must be trusted.

openssl shows:

depth=3 C = ZA, ST = Western Cape, L = Cape Town, O = Thawte Consulting cc, OU = Certification Services Division, CN = Thawte Premium Server CA, emailAddress = premium-server
verify return:1
depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
verify return:1
depth=1 C = US, O = "Thawte, Inc.", CN = Thawte SSL CA
verify return:1
depth=0 ...our company certificate...
verify return:1
---
Certificate chain
 0 s:<...our company certificate...>
   i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
 1 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
 2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server
 3 s:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=...our company certificate...
issuer=/C=US/O=Thawte, Inc./CN=Thawte SSL CA
---
Acceptable client certificate CA names
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server
/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
/C=US/O=Thawte, Inc./CN=Thawte SSL CA
---
SSL handshake has read 4686 bytes and written 451 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 0956B35F076A8B2973EBA918F4D84537ADC446BDF6C3E75A381EE1B11B9B1C8E
    Session-ID-ctx: 
    Master-Key: BC465280405936A93F1E1983BFAE851118D2B95650A96882E280862E2DA05E125456F178B11973B2B31601056328B5C2
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1342070086
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
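
Added example, not part of the bug thread or of nagios-plugins: TLS error -8172 is NSS's SEC_ERROR_UNTRUSTED_ISSUER, and the "Certificate chain" listing in Comment 2 is what shows which CA the client has to trust. The code below parses a listing in that layout, checks that each issuer is followed by its own certificate, and names the topmost issuer; the sample chain and the function names are constructed for illustration.

```python
import re

# Constructed sample in the layout of the "Certificate chain" section that
# `openssl s_client` prints; the names are placeholders, not the reporter's.
SAMPLE = """\
Certificate chain
 0 s:/O=Example Corp/CN=ldap.example.com
   i:/O=Example CA/CN=Example SSL CA
 1 s:/O=Example CA/CN=Example SSL CA
   i:/O=Example CA/CN=Example Primary Root
 2 s:/O=Example CA/CN=Example Primary Root
   i:/O=Example CA/CN=Example Legacy Root
 3 s:/O=Example CA/CN=Example Legacy Root
   i:/O=Example CA/CN=Example Legacy Root
---
"""

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject, in_section = [], None, False
    for line in text.splitlines():
        if line.startswith("Certificate chain"):
            in_section = True
        elif in_section and line.startswith("---"):
            break
        elif in_section and (m := re.match(r"\s*\d+\s+s:(.*)", line)):
            subject = m.group(1).strip()
        elif in_section and subject and (m := re.match(r"\s+i:(.*)", line)):
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain

def audit_chain(chain):
    """Check issuer-to-subject linkage and name the CA the client must trust."""
    if not chain:
        raise ValueError("no certificate chain found")
    breaks = [d for d in range(len(chain) - 1) if chain[d][1] != chain[d + 1][0]]
    top_subject, top_issuer = chain[-1]
    return {
        "leaf": chain[0][0],
        "intermediates": [s for s, i in chain[1:] if s != i],
        "trust_anchor": top_issuer,  # must be trusted in the client's store
        "anchor_sent_by_server": top_subject == top_issuer,
        "broken_links_at_depth": breaks,
    }

if __name__ == "__main__":
    for key, value in audit_chain(parse_chain(SAMPLE)).items():
        print(f"{key}: {value}")
```

openssl's "Verify return code: 0 (ok)" reflects OpenSSL's own trust store, while the -8172 code comes from NSS, so the CA reported as trust_anchor has to be trusted in the store the LDAP client library actually reads.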

Comment 4 Fedora Update System 2016-12-16 23:26:21 UTC
nagios-plugins-2.1.4-2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-8ada3d2a1f

Comment 5 Fedora Update System 2016-12-16 23:26:55 UTC
nagios-plugins-2.1.4-2.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-dc9e470823

Comment 6 Fedora Update System 2016-12-16 23:27:15 UTC
nagios-plugins-2.1.4-2.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-f30fae0f67

Comment 7 Fedora Update System 2016-12-16 23:27:33 UTC
nagios-plugins-2.1.4-2.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-8586235698

Comment 8 Fedora Update System 2016-12-16 23:27:51 UTC
nagios-plugins-2.1.4-2.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-17165c490b

Comment 9 Fedora Update System 2016-12-19 01:51:23 UTC
nagios-plugins-2.1.4-2.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-17165c490b

Comment 10 Fedora Update System 2016-12-19 02:28:09 UTC
nagios-plugins-2.1.4-2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-8ada3d2a1f

Comment 11 Fedora Update System 2016-12-19 02:30:41 UTC
nagios-plugins-2.1.4-2.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-f30fae0f67

Comment 12 Fedora Update System 2016-12-19 19:18:06 UTC
nagios-plugins-2.1.4-2.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-dc9e470823

Comment 13 Fedora Update System 2016-12-20 00:57:39 UTC
nagios-plugins-2.1.4-2.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-8586235698

Comment 14 Fedora Update System 2016-12-27 21:21:46 UTC
nagios-plugins-2.1.4-2.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2016-12-27 22:47:56 UTC
nagios-plugins-2.1.4-2.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2017-01-03 17:49:10 UTC
nagios-plugins-2.1.4-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2017-01-03 17:51:38 UTC
nagios-plugins-2.1.4-2.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

