Nagios/checks/ldap


A check to see if LDAP is working



Define Service check

(the actual check definition) Add this to the local services folder on the Nagios server

'/opt/nagios/etc/local/services'

# cat ldap.cfg
# Service object "ldap": runs the check_ldap command against every host in the
# ldap_server hostgroup. It inherits its remaining settings from the
# generic-service template and is listed in the ldap servicegroup.
define service {
        service_description     ldap
        display_name            ldap Lightweight Directory Access Protocol
        check_command           check_ldap
        use                     generic-service
        servicegroups           ldap
        hostgroup_name          ldap_server
}


Define a Service group

(a service group to look at all LDAP monitoring)

/opt/nagios/etc/local/servicegroups

# cat ldap.cfg
# Servicegroup "ldap": the group that the ldap service definition joins through
# its servicegroups directive, so all LDAP checks can be viewed together.
define servicegroup {
        servicegroup_name       ldap
        alias                   ldap Lightweight Directory Access Protocol
}


Define a host-template

Used for adding the check to a server

/opt/nagios/etc/local/host-templates

# cat ldap.cfg
# Host template "ldap": "register 0" makes this a template rather than a real
# host. A host that says "use ldap" is added to the ldap_server hostgroup; the
# leading "+" appends to the host's other hostgroups instead of replacing them.
define host{
        name            ldap
        hostgroups      +ldap_server
        notes           ldap Lightweight Directory Access Protocol
        register        0
}


Define a Hostgroup

/opt/nagios/etc/local/hostgroups

# cat ldap.cfg
# Hostgroup "ldap_server": the group the ldap service is attached to
# (hostgroup_name in the service definition) and that the ldap host template
# places hosts into.
define hostgroup {
        hostgroup_name  ldap_server
        alias           ldap Lightweight Directory Access Protocol
}


Define the command

/opt/nagios/etc/local/commands

# cat ldap.cfg
# Command "check_ldap": runs check_ldap.pl from the $USER1$ plugin directory
# against the host's address with a 30 second timeout (-t 30).
# No -l/-x is passed, so the plugin binds anonymously; no -s/-p is passed, so
# it uses plain LDAP on the plugin's default port (389).
# If a bind account is added here, its password ends up in this file and on
# the plugin's command line; keep it in a $USERn$ resource macro and use a
# dedicated low-privilege account for monitoring.
define command {
        command_name    check_ldap
        command_line     $USER1$/check_ldap.pl -t 30 -H $HOSTADDRESS$ 
}




Add check to host

# Example host object: "use ldap" inherits the ldap host template defined above
# in this page's host-templates section.
# NOTE(review): the "x" lines look like placeholders for the host's remaining
# directives (host_name, address, ...) — replace them, do not copy them verbatim.
define host {
        use             ldap
x
x
x

}


General

Add the check script to the plugins folder

'/opt/nagios/plugins/libexec/'


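A quick `chown -R nagios:nagios /opt/nagios/` never did any harm, though it also makes every plugin and config file under /opt/nagios/ writable by the nagios account; where that matters, leave the plugins owned by root and only readable and executable by nagios.

Then make it executable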

chmod u+x /opt/nagios/plugins/libexec/check_ldap.pl



Check config

/opt/nagios/bin/nagios -v /opt/nagios/etc/nagios.cfg




Check script [check_ldap.pl]

'/opt/nagios/plugins/libexec/'

  #!/usr/bin/perl -w
  ####################### check_ldap.pl #######################
  # Version : 1.0
  # Date : 24 Jul 2007 
  # Author  : De Bodt Lieven (Lieven.DeBodt at gmail.com)
  # Licence : GPL - http://www.fsf.org/licenses/gpl.txt
  #############################################################
  #
  # help : ./check_ldap.pl -h
  
  use strict;
  use Net::LDAP;
  use Net::LDAPS;
  use Net::LDAP::Util qw(ldap_error_text);
  use Getopt::Long;
  
  # Nagios specific
  
  use lib "/opt/nagios/plugins/libexec";
  use utils qw(%ERRORS $TIMEOUT);
  #my %ERRORS=('OK'=>0,'WARNING'=>1,'CRITICAL'=>2,'UNKNOWN'=>3,'DEPENDENT'=>4);
  
  # Globals
  
  # Plugin identity, shown in the usage, help and version output.
  my $Version = '1.0';
  my $Name    = $0;

  # Default ports: 389 for plain LDAP, 636 for LDAP over SSL.
  my $o_ldap_port  = 389;
  my $o_ldaps_port = 636;

  # Command-line options. Each stays undefined until GetOptions() sets it,
  # which is how the rest of the script tells "given" from "not given".
  my $o_host;             # -H  host name or address to check
  my $o_login;            # -l  LDAP login for an authenticated bind
  my $o_help;             # -h  print the help text
  my $o_passwd;           # -x  LDAP password for an authenticated bind
  my $o_port;             # -p  port overriding the protocol default
  my $o_version;          # -V  print the version
  my $o_ssl;              # -s  use LDAPS instead of plain LDAP
  my $o_timeout = 15;     # -t  timeout in seconds, 15 unless overridden
  
  # functions
  
  # Print the plugin's name and version number on a single line.
  sub show_versioninfo {
      printf "%s version : %s\n", $Name, $Version;
  }
  
  # Print the one-line command synopsis, prefixed with the script's own name.
  sub print_usage {
      my $synopsis = '-H <host> [-l login -x passwd] [-p <port>] [-s] [-t <timeout>] [-V]';
      print "Usage: $Name $synopsis\n";
  }
  
  # Get the alarm signal (just in case ldap timout screws up)
  # SIGALRM handler: report a time-out on stdout and leave with the CRITICAL
  # status. It only ever runs if an alarm() has been armed.
  $SIG{ALRM} = sub {
      print "ERROR: Alarm signal (Nagios time-out)\n";
      exit $ERRORS{CRITICAL};
  };
  
  # Print the full help text: a banner with the version, the usage synopsis,
  # then a description of every option and of the three result states.
  sub help {
     print "\nLDAP Monitor for Nagios version $Version\n",
           "GPL licence, (c)2006-2007 De Bodt Lieven\n\n";
     print_usage();
     # Interpolating here-document: $Name and the default ports/timeout are
     # filled in from the script's globals.
     print <<"EOT";
  -h, --help
     print this help message
  -H, --hostname=HOST
     name or IP address of host to check
  -l, --login=LOGIN
     Login for ldap authentication (if not specified $Name uses anonymous)
  -x, --passwd=PASSWD
     Password for ldap authentication
  -p, --port=PORT
     LDAP port (Default $o_ldap_port)
  -s, --ssl
     LDAPS (Default false, if true, default port is $o_ldaps_port )
  -t, --timeout=INTEGER
     timeout in seconds (Default: $o_timeout)
  -V, --version
     prints version number
  Note :
    The script will return 
      OK if we are able to connect and bind to the LDAP server,
      WARNING if we are able to connect but not bind to the LDAP server 
      CRITICAL if we aren't able to connect to the LDAP server
  EOT
  }
  
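  # Parse the command line into the $o_* globals and validate the result.
  # Every rejected command line prints the usage (or help/version text) and
  # exits with the UNKNOWN status; the sub only returns when the options are
  # usable.
  #
  # Security note: -x takes the bind password on the command line, so it is
  # visible in the process list and in whatever Nagios command definition
  # passes it. Use a dedicated low-privilege account for monitoring binds.
  sub check_options {
      Getopt::Long::Configure("bundling");
      my $parsed_ok = GetOptions(
          'h'     => \$o_help,            'help'          => \$o_help,
          'H:s'   => \$o_host,            'hostname:s'    => \$o_host,
          'l:s'   => \$o_login,           'login:s'       => \$o_login,
          'p:i'   => \$o_port,            'port:i'        => \$o_port,
          's'     => \$o_ssl,             'ssl'           => \$o_ssl,
          't:i'   => \$o_timeout,         'timeout:i'     => \$o_timeout,
          'V'     => \$o_version,         'version'       => \$o_version,
          'x:s'   => \$o_passwd,          'passwd:s'      => \$o_passwd
      );

      # GetOptions returns false for unknown or malformed options; do not run
      # the check with a command line that was only partly understood.
      if (!$parsed_ok) { print_usage(); exit $ERRORS{"UNKNOWN"}; }

      if (defined($o_help))    { help();             exit $ERRORS{"UNKNOWN"}; }
      if (defined($o_version)) { show_versioninfo(); exit $ERRORS{"UNKNOWN"}; }

      # Login and password must be given together, and neither may be empty.
      # The ':s' specs make the value optional, so a bare -l or -x yields ''.
      # A login with an empty password is an "unauthenticated bind"
      # (RFC 4513, 5.1.2) that a server may accept as anonymous, which would
      # report OK without ever testing the credentials.
      my $has_login  = defined($o_login)  && $o_login  ne '';
      my $has_passwd = defined($o_passwd) && $o_passwd ne '';
      if ((defined($o_login) || defined($o_passwd)) && !($has_login && $has_passwd)) {
          print "Put ldap login info!\n";
          print_usage();
          exit $ERRORS{"UNKNOWN"};
      }

      # The host is compulsory; a bare -H leaves it as the empty string.
      if (!defined($o_host) || $o_host eq '') { print_usage(); exit $ERRORS{"UNKNOWN"}; }

      # A bare -p yields 0; reject anything outside the valid TCP port range.
      if (defined($o_port) && ($o_port < 1 || $o_port > 65535)) {
          print_usage();
          exit $ERRORS{"UNKNOWN"};
      }
  }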
  
  ########## MAIN #######
  
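  check_options();

  # Arm the SIGALRM handler installed earlier in this script. Without this
  # call the handler can never fire: the timeout passed to Net::LDAP below is
  # the only other limit, so a server that accepts the connection and then
  # stalls during the bind could hang the check.
  alarm($o_timeout) if $o_timeout > 0;

  # -s selects LDAPS, otherwise plain LDAP; an explicit -p overrides the
  # default port of whichever protocol was chosen.
  my $use_ssl    = defined($o_ssl);
  my $ldap_class = $use_ssl ? 'Net::LDAPS' : 'Net::LDAP';
  my $port       = defined($o_port) ? $o_port
                 : $use_ssl         ? $o_ldaps_port
                 :                    $o_ldap_port;

  # NOTE(review): no verify/CA options are passed, so whether the LDAPS server
  # certificate is checked depends on the installed Net::LDAP default - confirm.
  my $ldap = $ldap_class->new( $o_host, port => $port, version => 3, timeout => $o_timeout );

  if ($ldap) {
    # Connected. Bind with the given credentials, or anonymously if none.
    # Without -s, a bind with -l/-x sends the password unencrypted over plain
    # LDAP; prefer -s together with a dedicated low-privilege account.
    my $mesg = (defined($o_login) && defined($o_passwd))
             ? $ldap->bind( $o_login, password => $o_passwd )
             : $ldap->bind();

    # A non-zero LDAP result code means the bind was refused.
    my $code = $mesg->code;
    $ldap->unbind();    # Unbind from the directory server in either case

    if ($code) {
      # Reachable but bind failed: WARNING with the LDAP code and its text.
      printf("WARNING %d: %s\n", $code, ldap_error_text($code));
      exit $ERRORS{"WARNING"};
    }

    print "OK\n";
    exit $ERRORS{"OK"};
  } else {
    # The constructor returned nothing: the server could not be reached.
    print "CRITICAL\n";
    exit $ERRORS{"CRITICAL"};
  }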