Notes on usage of Check_MK Multisite with LDAPS

I had to configure OMD/Check_MK version 1.2.4p3 to use LDAPS to connect to a Windows domain controller. The operating system on the host running OMD/Check_MK is CentOS 6.5 x64.

You should read and understand this article from the official Check_MK site, especially the section named “Using LDAP over SSL”. If your CA certificate is not issued by a well-known public authority, you might get an error like this when running ldapsearch against your domain controller as described in that article:

ldapsearch -d3 -H ldaps://Domain_Controller.Company.com
...
TLS: certificate [CN=company_CA,DC=company,DC=com] is not valid - error -8179:Peer's Certificate issuer is not recognized..tls_write: want=7, written=7
 0000: 15 03 01 00 02 02 30 ......0
TLS: error: connect - force handshake failure: errno 21 - moznss error -8179
TLS: can't connect: TLS error -8179:Peer's Certificate issuer is not recognized..
...

To get rid of the problem I needed to pull down the CA and root CA certificates of my domain controller and append them to the file /etc/ssl/certs/ca-bundle.crt. Then I had to add the following line to the file /etc/openldap/ldap.conf:

TLS_CACERT      /etc/ssl/certs/ca-bundle.crt

Then I had to restart the Apache web server in the OMD site, and the SSL connection to the domain controller worked.

You can use the command below to verify whether your system accepts the SSL/TLS certificate used by the domain controller as a certificate issued by a trusted CA:

ldapsearch -d1 -H ldaps://Domain_Controller.Company.com/

If the certificate is OK, you’ll see this message among the other debug lines:

...
TLS: certificate [CN=Domain_Controller.Company.com] is valid
...

If you use distributed monitoring, you need to modify every slave system the same way.
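The steps above (append the domain CA certificates to the bundle, then confirm the domain controller's certificate is trusted) as an added shell example; this is not from the original post or from Check_MK. It assumes OpenSSL is installed and that the caller passes the certificate files and bundle path; the CA certificate may be PEM or the DER (.cer) form Windows CAs commonly export.

```shell
#!/bin/sh
# Added example, not from the original post: add a domain CA certificate to the
# bundle that TLS_CACERT in /etc/openldap/ldap.conf points at, idempotently, and
# check a saved domain-controller certificate against that bundle offline.
# All file paths are parameters supplied by the caller (assumed, not from the post).

# to_pem <cert-file>: print the certificate as PEM; Windows CAs often export DER.
to_pem() {
    openssl x509 -in "$1" 2>/dev/null || openssl x509 -in "$1" -inform DER
}

# bundle_fingerprints <bundle>: one SHA-256 fingerprint line per certificate.
bundle_fingerprints() {
    [ -s "$1" ] || return 0
    d=$(mktemp -d)
    # Split the bundle into one file per certificate, then fingerprint each.
    awk -v dir="$d" '/-----BEGIN CERTIFICATE-----/{n++; f=dir "/" n ".pem"}
                     f{print > f} /-----END CERTIFICATE-----/{close(f); f=""}' "$1"
    for c in "$d"/*.pem; do
        [ -f "$c" ] && openssl x509 -in "$c" -noout -fingerprint -sha256
    done
    rm -rf "$d"
}

# add_ca_to_bundle <ca-cert> <bundle>: append the CA unless its fingerprint is
# already present, so the same script is safe to rerun on every slave.
add_ca_to_bundle() {
    pem=$(to_pem "$1") || return 1
    fp=$(printf '%s\n' "$pem" | openssl x509 -noout -fingerprint -sha256)
    if bundle_fingerprints "$2" | grep -qxF "$fp"; then
        return 0  # already trusted, nothing to do
    fi
    printf '%s\n' "$pem" >> "$2"
}

# verify_against_bundle <dc-cert> <bundle>: succeeds only if the certificate
# chains to a CA in the bundle, which is what ldapsearch checks at connect time.
verify_against_bundle() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}
```

Run `openssl s_client -connect Domain_Controller.Company.com:636 -showcerts` to save the controller's certificate for verify_against_bundle, or run ldapsearch -d1 as the post describes.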
