When attempting to use the check_ldap plugin, I found that unsecured LDAP lookups on port 389/TCP worked fine, but attempting a secure lookup on 636 or using TLS failed.
Attempting a check_ldap check normally worked fine (i.e. to port 389), but attempting an LDAPS or LDAP TLS check failed with the following error:
# /usr/local/nagios/libexec/check_ldaps -H <HOSTNAME> -p 636 -S -a "(objectclass=organizationalUnit)" -b "dc=domain,dc=co,dc=uk" -3 -v
ldap_bind: Can't contact LDAP server (-1)
additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
Could not bind to the LDAP server
The check_ldap plugin makes use of OpenLDAP. The OpenLDAP package is installed as part of the Nagios XI installation because the plugins depend on it, but it is left in a non-configured state.
To resolve the problem, the following is required on each node (wtgc-nagios-01 and wtgc-nagios-02): edit the file /etc/openldap/ldap.conf and add the following line at the bottom:
TLS_REQCERT allow
Then performing the check again gives the expected response:
# /usr/local/nagios/libexec/check_ldaps -H <HOSTNAME> -p 636 -S -a "(objectclass=organizationalUnit)" -b "dc=domain,dc=co,dc=uk" -3 -v
LDAP OK - 0.050 seconds response time|time=0.049688s;;;0.000000
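Per ldap.conf(5), TLS_REQCERT allow lets the session proceed even when the server presents a bad certificate, so the check passes without authenticating the LDAP server. The script below is an added example, not part of the original post or of Nagios XI: it reads a ldap.conf and reports whether certificate validation is enforced. The function names and the sample file are constructed, and it assumes the last occurrence of a repeated option is the effective one.

```shell
#!/bin/sh
# Added example: audit how an OpenLDAP client config treats the server certificate.
# Assumption: when an option is repeated, the last occurrence is the effective one.

# Print the effective value of an option (option names are case-insensitive).
# $1 = option name, $2 = config file, $3 = value to print when the option is absent
ldap_conf_get() {
    awk -v key="$1" -v def="$3" '
        NF == 0 || $1 ~ /^#/ { next }             # skip blank lines and comments
        toupper($1) == toupper(key) { val = $2 }  # remember the latest setting
        END { print (val == "" ? def : val) }
    ' "$2"
}

# Print "<level> <verdict>" for a config file and return 0 only when a missing
# or untrusted server certificate would terminate the TLS session.
audit_ldap_tls() {
    level=$(ldap_conf_get TLS_REQCERT "$1" demand | tr 'A-Z' 'a-z')
    case $level in
        demand|hard) echo "$level verified";   return 0 ;;  # default: bad or missing cert aborts
        try)         echo "$level partial";    return 1 ;;  # bad cert aborts, missing cert tolerated
        allow|never) echo "$level unverified"; return 1 ;;  # bad cert is ignored or never requested
        *)           echo "$level unknown";    return 2 ;;
    esac
}

# Constructed sample: a ldap.conf after the change described above.
sample=$(mktemp)
printf '%s\n' 'TLS_CACERTDIR /etc/openldap/certs' 'TLS_REQCERT allow' > "$sample"
audit_ldap_tls "$sample" || echo "server certificate is not being validated"
rm -f "$sample"
```

To keep validation on instead, leave TLS_REQCERT at its default of demand and point TLS_CACERT at the CA certificate that issued the LDAP server's certificate.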