I have a problem with my ldap server. It only starts when all certificates defined by TLS_CACERTDIR in /etc/openldap/ldap.conf are readable. This is not a big issue in itself and can be fixed by "chmod -R +r /path/to/certdir".
Unfortunately updates, e.g. of the imap, install new certificates in that directory and don't care whether the user ldap can read them or not. The ldap still keeps running. So far everything is fine. But when I have to reboot the ldap server host, e.g. for kernel updates, the ldap server does not boot. As I perform these reboots only rarely, this usually causes confusion and trouble. I have a second and third fallback ldap server, thus my system is still functional. Nevertheless it takes some time until I recognize that the primary ldap server has not come back. Then there is a lot of panic until I read my ldap-reboot-issue documentation and remember that there was a problem concerning the certificates.
I wrote a small script to check whether all files in a directory are readable:
Code:
#!/bin/bash
USAGE="
Checks if all files in the target directory are readable by the current user.
Usage: $(basename "$0") [-h] -d <directory>
directory: a folder in which all files shall be checked for read access
e.g.: $(basename "$0") -d /var/log
"
while getopts hd: OPT
do
    case "$OPT" in
        h) echo "$USAGE"
           exit 1
           ;;
        d) DIRECTORY=$OPTARG
           ;;
        [?]) echo "$USAGE" >&2
           exit 1
           ;;
    esac
done
# check parameters
if [ -z "$DIRECTORY" ]
then
    echo "$USAGE" >&2
    exit 1
fi
# a missing directory would otherwise be reported as "not readable"
if [ ! -d "$DIRECTORY" ]
then
    echo "$DIRECTORY is not a directory" >&2
    exit 1
fi
ALLREADABLE=1
# variables are quoted so that paths containing spaces work
for FILE in "$DIRECTORY"/*
do
    if [ ! -r "$FILE" ]
    then
        ALLREADABLE=0
    fi
done
if [ "$ALLREADABLE" -eq 0 ]
then
    echo "Not all files in $DIRECTORY are readable. This might result from an automatic update. Check which files are affected manually."
    exit 1
else
    echo "ldap: All files in $DIRECTORY readable by $(whoami) - this is good!"
fi
exit 0
Currently I have installed a cronjob to check the certificates ("crontab -e -u ldap"):
Code:
MAILTO="root"
00 14 * * * /path/to/checkFilesForRead.sh -d /etc/openldap/cacerts
MAILTO=""
But I would rather like to have it as a Nagios check. Is there a way to run this script via nrpe as user "ldap", where all other nrpe checks are performed by user "nrpe"? Or is there a different way to let a check that is executed as user "nrpe" inspect whether a file is readable by user "ldap"?