summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMatthias Eble <psychotrahe@users.sourceforge.net>2007-06-20 11:00:20 +0000
committerMatthias Eble <psychotrahe@users.sourceforge.net>2007-06-20 11:00:20 +0000
commit596002687a957a7f3512607cf3e4135903e12cee (patch)
tree7c1201b755677798364fdaea1ecf70506ca5fced
parenta82c2b4c3e9eb4fddc26f5d7840bfef0fbfbc141 (diff)
downloadmonitoring-plugins-596002687a957a7f3512607cf3e4135903e12cee.tar.gz
Clarified check_ldaps behaviour. New arguments to explicitly select secure connect behaviour (--starttls/--ssl).
git-svn-id: https://nagiosplug.svn.sourceforge.net/svnroot/nagiosplug/nagiosplug/trunk@1746 f882894a-f735-0410-b71e-b25c423dba1c
-rw-r--r--NEWS2
-rw-r--r--plugins/check_ldap.c98
2 files changed, 64 insertions, 36 deletions
diff --git a/NEWS b/NEWS
index 8c9938c5..81e1bfb5 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,8 @@ This file documents the major additions and syntax changes between releases.
2 2
31.4.10 or 1.5 ?? 31.4.10 or 1.5 ??
4 Fix check_http buffer overflow vulnerability when following HTTP redirects 4 Fix check_http buffer overflow vulnerability when following HTTP redirects
5 Check_ldaps' guessing which secure method to use (starttls vs. ssl on connect)
6 is now deprecated. See --help for further information.
5 7
61.4.9 4th June 2006 81.4.9 4th June 2006
7 Inclusion of contrib/check_cluster2 as check_cluster with some improvements 9 Inclusion of contrib/check_cluster2 as check_cluster with some improvements
diff --git a/plugins/check_ldap.c b/plugins/check_ldap.c
index 12ea0713..a2f0dee6 100644
--- a/plugins/check_ldap.c
+++ b/plugins/check_ldap.c
@@ -70,6 +70,8 @@ int ld_protocol = DEFAULT_PROTOCOL;
70double warn_time = UNDEFINED; 70double warn_time = UNDEFINED;
71double crit_time = UNDEFINED; 71double crit_time = UNDEFINED;
72struct timeval tv; 72struct timeval tv;
73int starttls = FALSE;
74int ssl_on_connect = FALSE;
73 75
74/* for ldap tls */ 76/* for ldap tls */
75 77
@@ -99,6 +101,7 @@ main (int argc, char *argv[])
99 101
100 if (strstr(argv[0],"check_ldaps")) { 102 if (strstr(argv[0],"check_ldaps")) {
101 asprintf (&progname, "check_ldaps"); 103 asprintf (&progname, "check_ldaps");
104 starttls = TRUE;
102 } 105 }
103 106
104 if (process_arguments (argc, argv) == ERROR) 107 if (process_arguments (argc, argv) == ERROR)
@@ -136,48 +139,45 @@ main (int argc, char *argv[])
136 } 139 }
137#endif 140#endif
138 141
139 if (strstr(argv[0],"check_ldaps")) { 142 if (ld_port == LDAPS_PORT || ssl_on_connect) {
140 /* with TLS */ 143 asprintf (&SERVICE, "LDAPS");
141 if ( ld_port == LDAPS_PORT ) {
142 asprintf (&SERVICE, "LDAPS");
143#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_X_TLS) 144#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_X_TLS)
144 /* ldaps: set option tls */ 145 /* ldaps: set option tls */
145 tls = LDAP_OPT_X_TLS_HARD; 146 tls = LDAP_OPT_X_TLS_HARD;
146 147
147 if (ldap_set_option (ld, LDAP_OPT_X_TLS, &tls) != LDAP_SUCCESS) 148 if (ldap_set_option (ld, LDAP_OPT_X_TLS, &tls) != LDAP_SUCCESS)
148 { 149 {
149 /*ldap_perror(ld, "ldaps_option"); */ 150 /*ldap_perror(ld, "ldaps_option"); */
150 printf (_("Could not init TLS at port %i!\n"), ld_port); 151 printf (_("Could not init TLS at port %i!\n"), ld_port);
151 return STATE_CRITICAL;
152 }
153#else
154 printf (_("TLS not supported by the libraries!\n"), ld_port);
155 return STATE_CRITICAL; 152 return STATE_CRITICAL;
153 }
154#else
155 printf (_("TLS not supported by the libraries!\n"));
156 return STATE_CRITICAL;
156#endif /* LDAP_OPT_X_TLS */ 157#endif /* LDAP_OPT_X_TLS */
157 } else { 158 } else if (starttls) {
158 asprintf (&SERVICE, "LDAP-TLS"); 159 asprintf (&SERVICE, "LDAP-TLS");
159#if defined(HAVE_LDAP_SET_OPTION) && defined(HAVE_LDAP_START_TLS_S) 160#if defined(HAVE_LDAP_SET_OPTION) && defined(HAVE_LDAP_START_TLS_S)
160 /* ldap with startTLS: set option version */ 161 /* ldap with startTLS: set option version */
161 if (ldap_get_option(ld,LDAP_OPT_PROTOCOL_VERSION, &version) == LDAP_OPT_SUCCESS ) 162 if (ldap_get_option(ld,LDAP_OPT_PROTOCOL_VERSION, &version) == LDAP_OPT_SUCCESS )
163 {
164 if (version < LDAP_VERSION3)
162 { 165 {
163 if (version < LDAP_VERSION3) 166 version = LDAP_VERSION3;
164 { 167 ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
165 version = LDAP_VERSION3;
166 ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
167 }
168 } 168 }
169 /* call start_tls */ 169 }
170 if (ldap_start_tls_s(ld, NULL, NULL) != LDAP_SUCCESS) 170 /* call start_tls */
171 { 171 if (ldap_start_tls_s(ld, NULL, NULL) != LDAP_SUCCESS)
172 /*ldap_perror(ld, "ldap_start_tls"); */ 172 {
173 printf (_("Could not init startTLS at port %i!\n"), ld_port); 173 /*ldap_perror(ld, "ldap_start_tls"); */
174 return STATE_CRITICAL; 174 printf (_("Could not init startTLS at port %i!\n"), ld_port);
175 }
176#else
177 printf (_("startTLS not supported by the library, needs LDAPv3!\n"));
178 return STATE_CRITICAL; 175 return STATE_CRITICAL;
179#endif /* HAVE_LDAP_START_TLS_S */
180 } 176 }
177#else
178 printf (_("startTLS not supported by the library, needs LDAPv3!\n"));
179 return STATE_CRITICAL;
180#endif /* HAVE_LDAP_START_TLS_S */
181 } 181 }
182 182
183 /* bind to the ldap server */ 183 /* bind to the ldap server */
@@ -247,6 +247,8 @@ process_arguments (int argc, char **argv)
247 {"ver2", no_argument, 0, '2'}, 247 {"ver2", no_argument, 0, '2'},
248 {"ver3", no_argument, 0, '3'}, 248 {"ver3", no_argument, 0, '3'},
249#endif 249#endif
250 {"starttls", no_argument, 0, 'T'},
251 {"ssl", no_argument, 0, 'S'},
250 {"use-ipv4", no_argument, 0, '4'}, 252 {"use-ipv4", no_argument, 0, '4'},
251 {"use-ipv6", no_argument, 0, '6'}, 253 {"use-ipv6", no_argument, 0, '6'},
252 {"port", required_argument, 0, 'p'}, 254 {"port", required_argument, 0, 'p'},
@@ -264,7 +266,7 @@ process_arguments (int argc, char **argv)
264 } 266 }
265 267
266 while (1) { 268 while (1) {
267 c = getopt_long (argc, argv, "hV2346t:c:w:H:b:p:a:D:P:", longopts, &option); 269 c = getopt_long (argc, argv, "hV234TS6t:c:w:H:b:p:a:D:P:", longopts, &option);
268 270
269 if (c == -1 || c == EOF) 271 if (c == -1 || c == EOF)
270 break; 272 break;
@@ -317,6 +319,19 @@ process_arguments (int argc, char **argv)
317 case '4': 319 case '4':
318 address_family = AF_INET; 320 address_family = AF_INET;
319 break; 321 break;
322 case 'T':
323 if (! ssl_on_connect)
324 starttls = TRUE;
325 else
326 usage_va(_("%s cannot be combined with %s"), "-T/--starttls", "-S/--ssl");
327 break;
328 case 'S':
329 if (! starttls) {
330 ssl_on_connect = TRUE;
331 ld_port = LDAPS_PORT;
332 } else
333 usage_va(_("%s cannot be combined with %s"), "-S/--ssl", "-T/--starttls");
334 break;
320 case '6': 335 case '6':
321#ifdef USE_IPV6 336#ifdef USE_IPV6
322 address_family = AF_INET6; 337 address_family = AF_INET6;
@@ -382,13 +397,17 @@ print_help (void)
382 printf (" %s\n", _("ldap bind DN (if required)")); 397 printf (" %s\n", _("ldap bind DN (if required)"));
383 printf (" %s\n", "-P [--pass]"); 398 printf (" %s\n", "-P [--pass]");
384 printf (" %s\n", _("ldap password (if required)")); 399 printf (" %s\n", _("ldap password (if required)"));
400 printf (" %s\n", "-T [--starttls]");
401 printf (" %s\n", _("use starttls mechanism introduced in protocol version 3"));
402 printf (" %s\n", "-S [--ssl]");
403 printf (" %s\n", _("use ldaps (ldap v2 ssl method). this also sets the default port to %s"), LDAPS_PORT);
385 404
386#ifdef HAVE_LDAP_SET_OPTION 405#ifdef HAVE_LDAP_SET_OPTION
387 printf (" %s\n", "-2 [--ver2]"); 406 printf (" %s\n", "-2 [--ver2]");
388 printf (" %s\n", _("use ldap protocol version 2")); 407 printf (" %s\n", _("use ldap protocol version 2"));
389 printf (" %s\n", "-3 [--ver3]"); 408 printf (" %s\n", "-3 [--ver3]");
390 printf (" %s\n", _("use ldap protocol version 3")); 409 printf (" %s\n", _("use ldap protocol version 3"));
391 printf ("(default protocol version: %d)", DEFAULT_PROTOCOL); 410 printf (" (default protocol version: %d)\n", DEFAULT_PROTOCOL);
392#endif 411#endif
393 412
394 printf (_(UT_WARN_CRIT)); 413 printf (_(UT_WARN_CRIT));
@@ -397,6 +416,13 @@ print_help (void)
397 416
398 printf (_(UT_VERBOSE)); 417 printf (_(UT_VERBOSE));
399 418
419 printf ("\n%s\n", _("Note:"));
420 printf ("%s\n", _("If this plugin is called via 'check_ldaps', method 'STARTTLS' will be"));
421 printf (_("implied (using default port %i) unless --port=636 is specified. In that case %s"), DEFAULT_PORT, "\n");
422 printf ("%s\n", _("'SSL on connect' will be used no matter how the plugin was called."));
423 printf ("%s\n", _("This detection is deprecated, please use 'check_ldap' with the '--starttls' or '--ssl' flags"));
424 printf ("%s\n", _("to define the behaviour explicitly instead."));
425
400 printf (_(UT_SUPPORT)); 426 printf (_(UT_SUPPORT));
401} 427}
402 428