![[tokkee]](http://tokkee.org/images/avatar.png){kind=avatar}
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: a82c2b4)
raw | patch | inline | side by side (parent: a82c2b4)
| author | Matthias Eble <psychotrahe@users.sourceforge.net> | |
| Wed, 20 Jun 2007 11:00:20 +0000 (11:00 +0000) | ||
| committer | Matthias Eble <psychotrahe@users.sourceforge.net> | |
| Wed, 20 Jun 2007 11:00:20 +0000 (11:00 +0000) |
git-svn-id: https://nagiosplug.svn.sourceforge.net/svnroot/nagiosplug/nagiosplug/trunk@1746 f882894a-f735-0410-b71e-b25c423dba1c
| NEWS | patch | blob | history | |
| plugins/check_ldap.c | patch | blob | history |
index 8c9938c5fb9c2a597dc0c7cd28cb8776eddcda38..81e1bfb50441e8b00d8bb62146f27fac3e2010bb 100644 (file)
--- a/NEWS
+++ b/NEWS
1.4.10 or 1.5 ??
Fix check_http buffer overflow vulnerability when following HTTP redirects
+ Check_ldaps' guessing which secure method to use (starttls vs. ssl on connect)
+ is now deprecated. See --help for further information.
1.4.9 4th June 2006
Inclusion of contrib/check_cluster2 as check_cluster with some improvements
diff --git a/plugins/check_ldap.c b/plugins/check_ldap.c
index 12ea07135defce944055d7f55cc7365a0d0767fa..a2f0dee6551a28c6a276e3af5f40303805089c83 100644 (file)
--- a/plugins/check_ldap.c
+++ b/plugins/check_ldap.c
double warn_time = UNDEFINED;
double crit_time = UNDEFINED;
struct timeval tv;
+int starttls = FALSE;
+int ssl_on_connect = FALSE;
/* for ldap tls */
if (strstr(argv[0],"check_ldaps")) {
asprintf (&progname, "check_ldaps");
+ starttls = TRUE;
}
if (process_arguments (argc, argv) == ERROR)
}
#endif
- if (strstr(argv[0],"check_ldaps")) {
- /* with TLS */
- if ( ld_port == LDAPS_PORT ) {
- asprintf (&SERVICE, "LDAPS");
+ if (ld_port == LDAPS_PORT || ssl_on_connect) {
+ asprintf (&SERVICE, "LDAPS");
#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_X_TLS)
- /* ldaps: set option tls */
- tls = LDAP_OPT_X_TLS_HARD;
-
- if (ldap_set_option (ld, LDAP_OPT_X_TLS, &tls) != LDAP_SUCCESS)
- {
- /*ldap_perror(ld, "ldaps_option"); */
- printf (_("Could not init TLS at port %i!\n"), ld_port);
- return STATE_CRITICAL;
- }
-#else
- printf (_("TLS not supported by the libraries!\n"), ld_port);
+ /* ldaps: set option tls */
+ tls = LDAP_OPT_X_TLS_HARD;
+
+ if (ldap_set_option (ld, LDAP_OPT_X_TLS, &tls) != LDAP_SUCCESS)
+ {
+ /*ldap_perror(ld, "ldaps_option"); */
+ printf (_("Could not init TLS at port %i!\n"), ld_port);
return STATE_CRITICAL;
+ }
+#else
+ printf (_("TLS not supported by the libraries!\n"));
+ return STATE_CRITICAL;
#endif /* LDAP_OPT_X_TLS */
- } else {
- asprintf (&SERVICE, "LDAP-TLS");
+ } else if (starttls) {
+ asprintf (&SERVICE, "LDAP-TLS");
#if defined(HAVE_LDAP_SET_OPTION) && defined(HAVE_LDAP_START_TLS_S)
- /* ldap with startTLS: set option version */
- if (ldap_get_option(ld,LDAP_OPT_PROTOCOL_VERSION, &version) == LDAP_OPT_SUCCESS )
+ /* ldap with startTLS: set option version */
+ if (ldap_get_option(ld,LDAP_OPT_PROTOCOL_VERSION, &version) == LDAP_OPT_SUCCESS )
+ {
+ if (version < LDAP_VERSION3)
{
- if (version < LDAP_VERSION3)
- {
- version = LDAP_VERSION3;
- ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
- }
+ version = LDAP_VERSION3;
+ ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
}
- /* call start_tls */
- if (ldap_start_tls_s(ld, NULL, NULL) != LDAP_SUCCESS)
- {
- /*ldap_perror(ld, "ldap_start_tls"); */
- printf (_("Could not init startTLS at port %i!\n"), ld_port);
- return STATE_CRITICAL;
- }
-#else
- printf (_("startTLS not supported by the library, needs LDAPv3!\n"));
+ }
+ /* call start_tls */
+ if (ldap_start_tls_s(ld, NULL, NULL) != LDAP_SUCCESS)
+ {
+ /*ldap_perror(ld, "ldap_start_tls"); */
+ printf (_("Could not init startTLS at port %i!\n"), ld_port);
return STATE_CRITICAL;
-#endif /* HAVE_LDAP_START_TLS_S */
}
+#else
+ printf (_("startTLS not supported by the library, needs LDAPv3!\n"));
+ return STATE_CRITICAL;
+#endif /* HAVE_LDAP_START_TLS_S */
}
/* bind to the ldap server */
{"ver2", no_argument, 0, '2'},
{"ver3", no_argument, 0, '3'},
#endif
+ {"starttls", no_argument, 0, 'T'},
+ {"ssl", no_argument, 0, 'S'},
{"use-ipv4", no_argument, 0, '4'},
{"use-ipv6", no_argument, 0, '6'},
{"port", required_argument, 0, 'p'},
}
while (1) {
- c = getopt_long (argc, argv, "hV2346t:c:w:H:b:p:a:D:P:", longopts, &option);
+ c = getopt_long (argc, argv, "hV234TS6t:c:w:H:b:p:a:D:P:", longopts, &option);
if (c == -1 || c == EOF)
break;
case '4':
address_family = AF_INET;
break;
+ case 'T':
+ if (! ssl_on_connect)
+ starttls = TRUE;
+ else
+ usage_va(_("%s cannot be combined with %s"), "-T/--starttls", "-S/--ssl");
+ break;
+ case 'S':
+ if (! starttls) {
+ ssl_on_connect = TRUE;
+ ld_port = LDAPS_PORT;
+ } else
+ usage_va(_("%s cannot be combined with %s"), "-S/--ssl", "-T/--starttls");
+ break;
case '6':
#ifdef USE_IPV6
address_family = AF_INET6;
printf (" %s\n", _("ldap bind DN (if required)"));
printf (" %s\n", "-P [--pass]");
printf (" %s\n", _("ldap password (if required)"));
+ printf (" %s\n", "-T [--starttls]");
+ printf (" %s\n", _("use starttls mechanism introduced in protocol version 3"));
+ printf (" %s\n", "-S [--ssl]");
+ printf (" %s\n", _("use ldaps (ldap v2 ssl method). this also sets the default port to %s"), LDAPS_PORT);
#ifdef HAVE_LDAP_SET_OPTION
printf (" %s\n", "-2 [--ver2]");
printf (" %s\n", _("use ldap protocol version 2"));
printf (" %s\n", "-3 [--ver3]");
printf (" %s\n", _("use ldap protocol version 3"));
- printf ("(default protocol version: %d)", DEFAULT_PROTOCOL);
+ printf (" (default protocol version: %d)\n", DEFAULT_PROTOCOL);
#endif
printf (_(UT_WARN_CRIT));
printf (_(UT_VERBOSE));
+ printf ("\n%s\n", _("Note:"));
+ printf ("%s\n", _("If this plugin is called via 'check_ldaps', method 'STARTTLS' will be"));
+ printf (_("implied (using default port %i) unless --port=636 is specified. In that case %s"), DEFAULT_PORT, "\n");
+ printf ("%s\n", _("'SSL on connect' will be used no matter how the plugin was called."));
+ printf ("%s\n", _("This detection is deprecated, please use 'check_ldap' with the '--starttls' or '--ssl' flags"));
+ printf ("%s\n", _("to define the behaviour explicitly instead."));
+
printf (_(UT_SUPPORT));
}