diff -Naur -x '*.orig' -x '*.rej' -x '*~' -x '*.swp' nagios-plugins-1.4.14/plugins/check_ldap.c nagios-plugins-1.4.14-check_ldap_certificate/plugins/check_ldap.c
--- nagios-plugins-1.4.14/plugins/check_ldap.c 2009-02-20 00:55:23.000000000 +0100
+++ nagios-plugins-1.4.14-check_ldap_certificate/plugins/check_ldap.c 2009-09-20 23:54:15.000000000 +0200
@@ -71,6 +71,9 @@
 int ssl_on_connect = FALSE;
 int verbose = 0;
+int check_cert = FALSE;
+int days_till_exp;
+
 /* for ldap tls */
 char *SERVICE = "LDAP";
@@ -156,6 +159,9 @@
 printf (_("Could not init TLS at port %i!\n"), ld_port);
 return STATE_CRITICAL;
 }
+
+ if (check_cert == TRUE)
+ return ldap_check_cert(ld);
 #else
 printf (_("TLS not supported by the libraries!\n"));
 return STATE_CRITICAL;
@@ -180,6 +186,9 @@
 printf (_("Could not init startTLS at port %i!\n"), ld_port);
 return STATE_CRITICAL;
 }
+
+ if (check_cert == TRUE)
+ return ldap_check_cert(ld);
 #else
 printf (_("startTLS not supported by the library, needs LDAPv3!\n"));
 return STATE_CRITICAL;
@@ -257,6 +266,7 @@
 #endif
 {"starttls", no_argument, 0, 'T'},
 {"ssl", no_argument, 0, 'S'},
+ {"certificate", required_argument, 0, 'C'},
 {"use-ipv4", no_argument, 0, '4'},
 {"use-ipv6", no_argument, 0, '6'},
 {"port", required_argument, 0, 'p'},
@@ -275,7 +285,7 @@
 }
 while (1) {
- c = getopt_long (argc, argv, "hvV234TS6t:c:w:H:b:p:a:D:P:", longopts, &option);
+ c = getopt_long (argc, argv, "hvV234TS6t:c:w:H:b:p:a:D:P:C:", longopts, &option);
 if (c == -1 || c == EOF)
 break;
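Review bot: On the `-S` path the new `if (check_cert == TRUE) return ldap_check_cert(ld);` runs right after the TLS option is set and before any bind, and with OpenLDAP the connection is normally opened lazily on the first request, so there is most likely no TLS session yet and `ldap_check_cert` will report "Cannot retrieve ssl session" even when the certificate is valid; the `-T` copy in the next hunk (@@ -180) does not have this problem, because `ldap_start_tls_s` has already completed the handshake. If that matches what you observe, move the `-S` check to after the bind (the enclosing function continues outside the hunk). In both places the early `return` leaves the function before whatever cleanup follows later in it, so an `ldap_unbind (ld);` before returning, or a comment saying why it is not needed, would help the next reader.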
@@ -337,6 +347,18 @@
 else
 usage_va(_("%s cannot be combined with %s"), "-T/--starttls", "-S/--ssl");
 break;
+ case 'C': /* Check SSL cert validity */
+ if (starttls || ssl_on_connect || strstr(argv[0],"check_ldaps")) {
+ if (!is_intnonneg (optarg))
+ usage2 (_("Invalid certificate expiration period"), optarg);
+ else {
+ days_till_exp = atoi (optarg);
+ check_cert = TRUE;
+ }
+ } else {
+ usage_va(_("%s requires either %s or %s"), "-C/--certificate", "-S/--ssl", "-T/--starttls");
+ }
+ break;
 case 'S':
 if (! starttls) {
 ssl_on_connect = TRUE;
@@ -415,6 +437,9 @@
 printf (" %s\n", "-S [--ssl]");
 printf (" %s %i\n", _("use ldaps (ldap v2 ssl method). this also sets the default port to"), LDAPS_PORT);
+ printf (" %s\n", "-C [--certificate]");
+ printf (" %s\n", _("Minimum number of days a certificate has to be valid"));
+
 #ifdef HAVE_LDAP_SET_OPTION
 printf (" %s\n", "-2 [--ver2]");
 printf (" %s\n", _("use ldap protocol version 2"));
@@ -454,7 +479,7 @@
 {
 printf (_("Usage:"));
 printf (" %s -H <host> -b <base_dn> [-p <port>] [-a <attr>] [-D <binddn>]",progname);
- printf ("\n [-P <password>] [-w <warn_time>] [-c <crit_time>] [-t timeout]%s\n",
+ printf ("\n [-P <password>] [-w <warn_time>] [-c <crit_time>] [-t timeout] [-C <age>]%s\n",
 #ifdef HAVE_LDAP_SET_OPTION
 "\n [-2|-3] [-4|-6]"
 #else
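Review bot: The `case 'C'` branch decides from `starttls || ssl_on_connect` at the moment `-C` is parsed, so `-C 30 -S` fails with the usage error while `-S -C 30` works; option handling becomes order-dependent and nothing in the help text says so. Keep only the value handling here (`days_till_exp = atoi (optarg); check_cert = TRUE;`) and move the `usage_va(_("%s requires either %s or %s"), "-C/--certificate", "-S/--ssl", "-T/--starttls");` test to after the getopt loop, where `starttls` and `ssl_on_connect` are final. The enclosing function continues outside the hunk.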
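Review bot: The help line `"-C [--certificate]"` does not show that the option takes a value, while the usage line in the following hunk (@@ -454) prints `[-C <age>]`; print `printf (" %s\n", "-C [--certificate] <age>");` here and say in the description what the option depends on, e.g. `_("Minimum number of days a certificate has to be valid; requires -S or -T")`.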
@@ -462,3 +487,16 @@
 #endif
 );
 }
+
+int ldap_check_cert (LDAP *ld)
+{
+ SSL *ssl;
+ int rc;
+
+ rc = ldap_get_option(ld, LDAP_OPT_X_TLS_SSL_CTX, &ssl);
+ if (rc == LDAP_OPT_ERROR || ssl == NULL) {
+ printf ("%s\n",_("CRITICAL - Cannot retrieve ssl session from connection."));
+ return STATE_CRITICAL;
+ }
+ return np_net_ssl_check_cert_real(ssl, days_till_exp);
+}
diff -Naur -x '*.orig' -x '*.rej' -x '*~' -x '*.swp' nagios-plugins-1.4.14/plugins/Makefile.am nagios-plugins-1.4.14-check_ldap_certificate/plugins/Makefile.am
--- nagios-plugins-1.4.14/plugins/Makefile.am 2009-06-06 09:04:48.000000000 +0200
+++ nagios-plugins-1.4.14-check_ldap_certificate/plugins/Makefile.am 2009-09-20 23:54:15.000000000 +0200
@@ -72,7 +72,7 @@
 check_game_LDADD = $(BASEOBJS) runcmd.o
 check_http_LDADD = $(SSLOBJS) $(NETLIBS) $(SSLLIBS)
 check_hpjd_LDADD = $(NETLIBS) popen.o
-check_ldap_LDADD = $(NETLIBS) $(LDAPLIBS)
+check_ldap_LDADD = $(SSLOBJS) $(NETLIBS) $(LDAPLIBS)
 check_load_LDADD = $(BASEOBJS) popen.o
 check_mrtg_LDADD = $(BASEOBJS)
 check_mrtgtraf_LDADD = $(BASEOBJS)
@@ -118,7 +118,7 @@
 check_http_DEPENDENCIES = check_http.c $(SSLOBJS) $(NETOBJS) $(DEPLIBS)
 check_hpjd_DEPENDENCIES = check_hpjd.c $(NETOBJS) popen.o $(DEPLIBS)
 check_ide_smart_DEPENDENCIES = check_ide_smart.c $(BASEOBJS) $(DEPLIBS)
-check_ldap_DEPENDENCIES = check_ldap.c $(NETOBJS) $(DEPLIBS)
+check_ldap_DEPENDENCIES = check_ldap.c $(SSLOBJS) $(NETOBJS) $(DEPLIBS)
 check_load_DEPENDENCIES = check_load.c $(BASEOBJS) popen.o $(DEPLIBS)
 check_mrtg_DEPENDENCIES = check_mrtg.c $(DEPLIBS)
 check_mrtgtraf_DEPENDENCIES = check_mrtgtraf.c $(DEPLIBS)
diff -Naur -x '*.orig' -x '*.rej' -x '*~' -x '*.swp' nagios-plugins-1.4.14/plugins/netutils.h nagios-plugins-1.4.14-check_ldap_certificate/plugins/netutils.h
--- nagios-plugins-1.4.14/plugins/netutils.h 2009-05-21 23:11:51.000000000 +0200
+++ nagios-plugins-1.4.14-check_ldap_certificate/plugins/netutils.h 2009-09-20 23:54:15.000000000 +0200
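Review bot: `ldap_check_cert` is defined unconditionally at the end of the file but is called in the earlier hunks (@@ -156 and @@ -180) with no prototype above the call sites, and its `SSL *` local and the `np_net_ssl_check_cert_real` call only make sense in an SSL build (netutils.h declares that function under `HAVE_SSL` only), so a non-SSL build of check_ldap.c will not compile. Add a prototype near the top of the file and wrap the definition and both calls in the same guard, e.g. `#if defined(HAVE_LDAP_SET_OPTION) && defined(HAVE_SSL)`. `LDAP_OPT_X_TLS_SSL_CTX` hands back libldap's own TLS session object, which is an OpenSSL `SSL *` only when libldap itself was built on OpenSSL, so a comment stating that assumption, `/* assumes libldap is built on OpenSSL: the session object is an SSL * */`, would help the next maintainer. Testing `rc != LDAP_OPT_SUCCESS` instead of `rc == LDAP_OPT_ERROR` would also cover any other failure code without relying on `ssl` being written.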
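Review bot: `check_ldap_LDADD` now pulls in `$(SSLOBJS)` but not `$(SSLLIBS)`, whereas the `check_http_LDADD` line two above links `$(SSLOBJS) $(NETLIBS) $(SSLLIBS)`; the object in `$(SSLOBJS)` references OpenSSL symbols, so unless `$(LDAPLIBS)` happens to drag in libssl the link will fail with unresolved X509/SSL symbols. Change it to `check_ldap_LDADD = $(SSLOBJS) $(NETLIBS) $(LDAPLIBS) $(SSLLIBS)`; the DEPENDENCIES hunk below is fine as it is.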
@@ -104,6 +104,7 @@
 int np_net_ssl_write(const void *buf, int num);
 int np_net_ssl_read(void *buf, int num);
 int np_net_ssl_check_cert(int days_till_exp);
+int np_net_ssl_check_cert_real(SSL *ssl, int days_till_exp);
 #endif /* HAVE_SSL */
 #endif /* _NETUTILS_H_ */
diff -Naur -x '*.orig' -x '*.rej' -x '*~' -x '*.swp' nagios-plugins-1.4.14/plugins/sslutils.c nagios-plugins-1.4.14-check_ldap_certificate/plugins/sslutils.c
--- nagios-plugins-1.4.14/plugins/sslutils.c 2009-05-21 23:11:51.000000000 +0200
+++ nagios-plugins-1.4.14-check_ldap_certificate/plugins/sslutils.c 2009-09-20 23:57:58.000000000 +0200
@@ -96,6 +96,15 @@
 int np_net_ssl_check_cert(int days_till_exp){
 # ifdef USE_OPENSSL
+ return np_net_ssl_check_cert_real(s, days_till_exp);
+# else /* ifndef USE_OPENSSL */
+ printf ("%s\n", _("WARNING - Plugin does not support checking certificates."));
+ return STATE_WARNING;
+# endif /* USE_OPENSSL */
+}
+
+int np_net_ssl_check_cert_real(SSL *ssl, int days_till_exp){
+# ifdef USE_OPENSSL
 X509 *certificate=NULL;
 ASN1_STRING *tm;
 int offset;
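Review bot: The new prototype names the OpenSSL type `SSL` inside the `#ifdef HAVE_SSL` block, while the implementation in sslutils.c below is only compiled under `USE_OPENSSL`; in a configuration where HAVE_SSL is defined through a different TLS library the `SSL` type is presumably not declared, and every file including netutils.h would then fail on this one line. Either guard the declaration with `# ifdef USE_OPENSSL` to match the body, or declare the parameter as `void *ssl` and cast inside `np_net_ssl_check_cert_real`.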