This plugin checks whether a Windows domain user ID is locked out by querying the AD repository through LDAP. Many support teams cannot handle complex passwords, even when writing them down. :-) As a result, batch jobs fail, application access is locked, or worse...
The plugin is written in C and depends on the OpenLDAP C library and development headers. It can be compiled standalone, independent of other Nagios plugins. It supports only cleartext connections; LDAPS is not yet implemented.
fm@susie: ~ # rpm -q -a |grep openldap
openldap2-devel-2.4.12-7.16
openldap2-client-2.4.12-7.19.1
gcc -o check_ldap_lockout check_ldap_lockout.c -lldap
check_ldap_lockout [-h] | -H <ldap host> [-p <ldap port>] -U <ldap user> -P <ldap pass> -B <base DN> -C <account_name> [-v]
-h, --help
print this help message
-H, --host=HOSTNAME|IP
name or IP address of host to check
-p, --port=INTEGER
the LDAP server's TCP port number (Default: 389)
-U, --user=STRING
the LDAP bind user DN
-P, --pass=STRING
the LDAP bind user's password
-B, --base=STRING
the LDAP base to search from (e.g. ou=my unit, o=my org)
-C, --check=STRING
the AD account name to check for lockout
-V, --version
prints version number
-v, --verbose
print extra debugging information
Below is an example of the plugin definition in the Nagios command.cfg file.
# check_ldap_lockout nagios plugin
define command{
    command_name check_ldap_lockout
    command_line $USER1$/check_ldap_lockout -H $HOSTADDRESS$ -U $ARG1$ -P $ARG2$ -B $ARG3$ -C $ARG4$
}
The plugin in its most basic use, returning the account lockout status of the Windows account 'support' against an AD domain controller with IP 192.168.1.25, using the AD account 'ldap' for queries in domain 'frank4dd.com'.
susie: ~ # cd /srv/app/nagios/libexec
susie: ~ # ./check_ldap_lockout -H 192.168.1.25 -U [email protected] -P p@ssw0rd -B OU=User,DC=frank4dd,DC=com -C support
OK: Account support is active
An example query with a user that is locked out:
susie: ~ # ./check_ldap_lockout -H 192.158.1.25 -U [email protected] -P p@ssw0rd -B OU=User,DC=frank4dd,DC=com -C support
CRITICAL: Account support locked out at Tue Dec 28 09:53:19 2010
An example query with verbose output for troubleshooting:
susie: ~ # cd /srv/app/nagios/libexec
susie: ~ # ./check_ldap_lockout -H 192.168.1.25 -U [email protected] -P p@ssw0rd -B OU=User,DC=frank4dd,DC=com -C support -v
Connecting to host [192.168.1.25] at port [389] with user [[email protected]] and pw [p@ssw0rd]
Generated LDAP handle.
Set LDAPv3 client version.
LDAP connection successful.
Using Search filter [(&(objectClass=user)(sAMAccountName=support))].
LDAP search successful.
LDAP search returned 1 objects.
Found object [CN=support,OU=IT_Department,OU=User,DC=frank4dd,DC=com]
Found attribute: [displayName] value [IT Support Account]
Found attribute: [lockoutTime] value [0]
Windows timestring converted to number [0]
OK: Account support is active
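The two pieces of logic the verbose run above exercises, as an added example that is not the plugin's own code: building the sAMAccountName search filter (with RFC 4515 hex-escaping of the account name, so a value passed via -C cannot change the filter's structure) and converting the lockoutTime attribute, a Windows FILETIME counted in 100-nanosecond intervals since 1601-01-01, into the OK/CRITICAL result. Function names are assumptions, the LDAP connection itself is left out, and the timestamp is rendered in UTC.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define EPOCH_DIFF_SECS 11644473600LL   /* 1601-01-01 to 1970-01-01, in seconds */
enum { STATE_OK = 0, STATE_CRITICAL = 2 }; /* Nagios plugin return codes */

/* lockoutTime is a FILETIME: 100-nanosecond intervals since 1601-01-01 UTC. */
time_t filetime_to_unix(long long filetime)
{
    return (time_t)(filetime / 10000000LL - EPOCH_DIFF_SECS);
}

/* Build the plugin's search filter; '*', '(', ')' and '\' in the account
 * name are hex-escaped (RFC 4515) so the -C value cannot alter the filter. */
int build_lockout_filter(const char *account, char *out, size_t outlen)
{
    static const char prefix[] = "(&(objectClass=user)(sAMAccountName=";
    size_t n = strlen(prefix);
    if (n >= outlen) return -1;
    memcpy(out, prefix, n);
    for (const char *p = account; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (c == '*' || c == '(' || c == ')' || c == '\\') {
            if (n + 3 >= outlen) return -1;
            n += (size_t)snprintf(out + n, outlen - n, "\\%02x", c);
        } else {
            if (n + 1 >= outlen) return -1;
            out[n++] = (char)c;
        }
    }
    if (n + 2 >= outlen) return -1;            /* room for "))" and NUL */
    out[n++] = ')'; out[n++] = ')'; out[n] = '\0';
    return 0;
}

/* Map a lockoutTime value to the Nagios state and the message the plugin
 * prints; a value of 0 means the account is not locked out. */
int lockout_state(const char *account, long long lockout_time, char *msg, size_t msglen)
{
    if (lockout_time == 0) {
        snprintf(msg, msglen, "OK: Account %s is active", account);
        return STATE_OK;
    }
    time_t t = filetime_to_unix(lockout_time);
    char when[32];
    strftime(when, sizeof when, "%a %b %d %H:%M:%S %Y", gmtime(&t));
    snprintf(msg, msglen, "CRITICAL: Account %s locked out at %s", account, when);
    return STATE_CRITICAL;
}
```

Note that AD does not reset lockoutTime to 0 when the domain's lockoutDuration elapses, only on the next successful logon, so a non-zero value can describe a lockout that has already expired.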