diff options
author | Matthias Eble <psychotrahe@users.sourceforge.net> | 2007-06-20 11:00:20 +0000 |
---|---|---|
committer | Matthias Eble <psychotrahe@users.sourceforge.net> | 2007-06-20 11:00:20 +0000 |
commit | 596002687a957a7f3512607cf3e4135903e12cee (patch) | |
tree | 7c1201b755677798364fdaea1ecf70506ca5fced | |
parent | a82c2b4c3e9eb4fddc26f5d7840bfef0fbfbc141 (diff) | |
download | monitoring-plugins-596002687a957a7f3512607cf3e4135903e12cee.tar.gz |
Clarified check_ldaps behaviour. New arguments to explicitly select secure connect behaviour (--starttls/--ssl).
git-svn-id: https://nagiosplug.svn.sourceforge.net/svnroot/nagiosplug/nagiosplug/trunk@1746 f882894a-f735-0410-b71e-b25c423dba1c
-rw-r--r-- | NEWS | 2 | ||||
-rw-r--r-- | plugins/check_ldap.c | 98 |
2 files changed, 64 insertions, 36 deletions
@@ -2,6 +2,8 @@ This file documents the major additions and syntax changes between releases. | |||
2 | 2 | ||
3 | 1.4.10 or 1.5 ?? | 3 | 1.4.10 or 1.5 ?? |
4 | Fix check_http buffer overflow vulnerability when following HTTP redirects | 4 | Fix check_http buffer overflow vulnerability when following HTTP redirects |
5 | Check_ldaps' guessing which secure method to use (starttls vs. ssl on connect) | ||
6 | is now deprecated. See --help for further information. | ||
5 | 7 | ||
6 | 1.4.9 4th June 2006 | 8 | 1.4.9 4th June 2006 |
7 | Inclusion of contrib/check_cluster2 as check_cluster with some improvements | 9 | Inclusion of contrib/check_cluster2 as check_cluster with some improvements |
diff --git a/plugins/check_ldap.c b/plugins/check_ldap.c index 12ea0713..a2f0dee6 100644 --- a/plugins/check_ldap.c +++ b/plugins/check_ldap.c | |||
@@ -70,6 +70,8 @@ int ld_protocol = DEFAULT_PROTOCOL; | |||
70 | double warn_time = UNDEFINED; | 70 | double warn_time = UNDEFINED; |
71 | double crit_time = UNDEFINED; | 71 | double crit_time = UNDEFINED; |
72 | struct timeval tv; | 72 | struct timeval tv; |
73 | int starttls = FALSE; | ||
74 | int ssl_on_connect = FALSE; | ||
73 | 75 | ||
74 | /* for ldap tls */ | 76 | /* for ldap tls */ |
75 | 77 | ||
@@ -99,6 +101,7 @@ main (int argc, char *argv[]) | |||
99 | 101 | ||
100 | if (strstr(argv[0],"check_ldaps")) { | 102 | if (strstr(argv[0],"check_ldaps")) { |
101 | asprintf (&progname, "check_ldaps"); | 103 | asprintf (&progname, "check_ldaps"); |
104 | starttls = TRUE; | ||
102 | } | 105 | } |
103 | 106 | ||
104 | if (process_arguments (argc, argv) == ERROR) | 107 | if (process_arguments (argc, argv) == ERROR) |
@@ -136,48 +139,45 @@ main (int argc, char *argv[]) | |||
136 | } | 139 | } |
137 | #endif | 140 | #endif |
138 | 141 | ||
139 | if (strstr(argv[0],"check_ldaps")) { | 142 | if (ld_port == LDAPS_PORT || ssl_on_connect) { |
140 | /* with TLS */ | 143 | asprintf (&SERVICE, "LDAPS"); |
141 | if ( ld_port == LDAPS_PORT ) { | ||
142 | asprintf (&SERVICE, "LDAPS"); | ||
143 | #if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_X_TLS) | 144 | #if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_X_TLS) |
144 | /* ldaps: set option tls */ | 145 | /* ldaps: set option tls */ |
145 | tls = LDAP_OPT_X_TLS_HARD; | 146 | tls = LDAP_OPT_X_TLS_HARD; |
146 | 147 | ||
147 | if (ldap_set_option (ld, LDAP_OPT_X_TLS, &tls) != LDAP_SUCCESS) | 148 | if (ldap_set_option (ld, LDAP_OPT_X_TLS, &tls) != LDAP_SUCCESS) |
148 | { | 149 | { |
149 | /*ldap_perror(ld, "ldaps_option"); */ | 150 | /*ldap_perror(ld, "ldaps_option"); */ |
150 | printf (_("Could not init TLS at port %i!\n"), ld_port); | 151 | printf (_("Could not init TLS at port %i!\n"), ld_port); |
151 | return STATE_CRITICAL; | ||
152 | } | ||
153 | #else | ||
154 | printf (_("TLS not supported by the libraries!\n"), ld_port); | ||
155 | return STATE_CRITICAL; | 152 | return STATE_CRITICAL; |
153 | } | ||
154 | #else | ||
155 | printf (_("TLS not supported by the libraries!\n")); | ||
156 | return STATE_CRITICAL; | ||
156 | #endif /* LDAP_OPT_X_TLS */ | 157 | #endif /* LDAP_OPT_X_TLS */ |
157 | } else { | 158 | } else if (starttls) { |
158 | asprintf (&SERVICE, "LDAP-TLS"); | 159 | asprintf (&SERVICE, "LDAP-TLS"); |
159 | #if defined(HAVE_LDAP_SET_OPTION) && defined(HAVE_LDAP_START_TLS_S) | 160 | #if defined(HAVE_LDAP_SET_OPTION) && defined(HAVE_LDAP_START_TLS_S) |
160 | /* ldap with startTLS: set option version */ | 161 | /* ldap with startTLS: set option version */ |
161 | if (ldap_get_option(ld,LDAP_OPT_PROTOCOL_VERSION, &version) == LDAP_OPT_SUCCESS ) | 162 | if (ldap_get_option(ld,LDAP_OPT_PROTOCOL_VERSION, &version) == LDAP_OPT_SUCCESS ) |
163 | { | ||
164 | if (version < LDAP_VERSION3) | ||
162 | { | 165 | { |
163 | if (version < LDAP_VERSION3) | 166 | version = LDAP_VERSION3; |
164 | { | 167 | ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version); |
165 | version = LDAP_VERSION3; | ||
166 | ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version); | ||
167 | } | ||
168 | } | 168 | } |
169 | /* call start_tls */ | 169 | } |
170 | if (ldap_start_tls_s(ld, NULL, NULL) != LDAP_SUCCESS) | 170 | /* call start_tls */ |
171 | { | 171 | if (ldap_start_tls_s(ld, NULL, NULL) != LDAP_SUCCESS) |
172 | /*ldap_perror(ld, "ldap_start_tls"); */ | 172 | { |
173 | printf (_("Could not init startTLS at port %i!\n"), ld_port); | 173 | /*ldap_perror(ld, "ldap_start_tls"); */ |
174 | return STATE_CRITICAL; | 174 | printf (_("Could not init startTLS at port %i!\n"), ld_port); |
175 | } | ||
176 | #else | ||
177 | printf (_("startTLS not supported by the library, needs LDAPv3!\n")); | ||
178 | return STATE_CRITICAL; | 175 | return STATE_CRITICAL; |
179 | #endif /* HAVE_LDAP_START_TLS_S */ | ||
180 | } | 176 | } |
177 | #else | ||
178 | printf (_("startTLS not supported by the library, needs LDAPv3!\n")); | ||
179 | return STATE_CRITICAL; | ||
180 | #endif /* HAVE_LDAP_START_TLS_S */ | ||
181 | } | 181 | } |
182 | 182 | ||
183 | /* bind to the ldap server */ | 183 | /* bind to the ldap server */ |
@@ -247,6 +247,8 @@ process_arguments (int argc, char **argv) | |||
247 | {"ver2", no_argument, 0, '2'}, | 247 | {"ver2", no_argument, 0, '2'}, |
248 | {"ver3", no_argument, 0, '3'}, | 248 | {"ver3", no_argument, 0, '3'}, |
249 | #endif | 249 | #endif |
250 | {"starttls", no_argument, 0, 'T'}, | ||
251 | {"ssl", no_argument, 0, 'S'}, | ||
250 | {"use-ipv4", no_argument, 0, '4'}, | 252 | {"use-ipv4", no_argument, 0, '4'}, |
251 | {"use-ipv6", no_argument, 0, '6'}, | 253 | {"use-ipv6", no_argument, 0, '6'}, |
252 | {"port", required_argument, 0, 'p'}, | 254 | {"port", required_argument, 0, 'p'}, |
@@ -264,7 +266,7 @@ process_arguments (int argc, char **argv) | |||
264 | } | 266 | } |
265 | 267 | ||
266 | while (1) { | 268 | while (1) { |
267 | c = getopt_long (argc, argv, "hV2346t:c:w:H:b:p:a:D:P:", longopts, &option); | 269 | c = getopt_long (argc, argv, "hV234TS6t:c:w:H:b:p:a:D:P:", longopts, &option); |
268 | 270 | ||
269 | if (c == -1 || c == EOF) | 271 | if (c == -1 || c == EOF) |
270 | break; | 272 | break; |
@@ -317,6 +319,19 @@ process_arguments (int argc, char **argv) | |||
317 | case '4': | 319 | case '4': |
318 | address_family = AF_INET; | 320 | address_family = AF_INET; |
319 | break; | 321 | break; |
322 | case 'T': | ||
323 | if (! ssl_on_connect) | ||
324 | starttls = TRUE; | ||
325 | else | ||
326 | usage_va(_("%s cannot be combined with %s"), "-T/--starttls", "-S/--ssl"); | ||
327 | break; | ||
328 | case 'S': | ||
329 | if (! starttls) { | ||
330 | ssl_on_connect = TRUE; | ||
331 | ld_port = LDAPS_PORT; | ||
332 | } else | ||
333 | usage_va(_("%s cannot be combined with %s"), "-S/--ssl", "-T/--starttls"); | ||
334 | break; | ||
320 | case '6': | 335 | case '6': |
321 | #ifdef USE_IPV6 | 336 | #ifdef USE_IPV6 |
322 | address_family = AF_INET6; | 337 | address_family = AF_INET6; |
@@ -382,13 +397,17 @@ print_help (void) | |||
382 | printf (" %s\n", _("ldap bind DN (if required)")); | 397 | printf (" %s\n", _("ldap bind DN (if required)")); |
383 | printf (" %s\n", "-P [--pass]"); | 398 | printf (" %s\n", "-P [--pass]"); |
384 | printf (" %s\n", _("ldap password (if required)")); | 399 | printf (" %s\n", _("ldap password (if required)")); |
400 | printf (" %s\n", "-T [--starttls]"); | ||
401 | printf (" %s\n", _("use starttls mechanism introduced in protocol version 3")); | ||
402 | printf (" %s\n", "-S [--ssl]"); | ||
403 | printf (" %s\n", _("use ldaps (ldap v2 ssl method). this also sets the default port to %s"), LDAPS_PORT); | ||
385 | 404 | ||
386 | #ifdef HAVE_LDAP_SET_OPTION | 405 | #ifdef HAVE_LDAP_SET_OPTION |
387 | printf (" %s\n", "-2 [--ver2]"); | 406 | printf (" %s\n", "-2 [--ver2]"); |
388 | printf (" %s\n", _("use ldap protocol version 2")); | 407 | printf (" %s\n", _("use ldap protocol version 2")); |
389 | printf (" %s\n", "-3 [--ver3]"); | 408 | printf (" %s\n", "-3 [--ver3]"); |
390 | printf (" %s\n", _("use ldap protocol version 3")); | 409 | printf (" %s\n", _("use ldap protocol version 3")); |
391 | printf ("(default protocol version: %d)", DEFAULT_PROTOCOL); | 410 | printf (" (default protocol version: %d)\n", DEFAULT_PROTOCOL); |
392 | #endif | 411 | #endif |
393 | 412 | ||
394 | printf (_(UT_WARN_CRIT)); | 413 | printf (_(UT_WARN_CRIT)); |
@@ -397,6 +416,13 @@ print_help (void) | |||
397 | 416 | ||
398 | printf (_(UT_VERBOSE)); | 417 | printf (_(UT_VERBOSE)); |
399 | 418 | ||
419 | printf ("\n%s\n", _("Note:")); | ||
420 | printf ("%s\n", _("If this plugin is called via 'check_ldaps', method 'STARTTLS' will be")); | ||
421 | printf (_("implied (using default port %i) unless --port=636 is specified. In that case %s"), DEFAULT_PORT, "\n"); | ||
422 | printf ("%s\n", _("'SSL on connect' will be used no matter how the plugin was called.")); | ||
423 | printf ("%s\n", _("This detection is deprecated, please use 'check_ldap' with the '--starttls' or '--ssl' flags")); | ||
424 | printf ("%s\n", _("to define the behaviour explicitly instead.")); | ||
425 | |||
400 | printf (_(UT_SUPPORT)); | 426 | printf (_(UT_SUPPORT)); |
401 | } | 427 | } |
402 | 428 | ||