
Added certificate checking option

Michael Honkoop пре 3 месеци
родитељ
комит
e1f80395ef
1 измењених фајлова са 26 додато и 6 уклоњено
  1. 26 6
      plugins/edirectory_monitor/libexec/agent_edirectory_monitor

+ 26 - 6
plugins/edirectory_monitor/libexec/agent_edirectory_monitor

@@ -1,11 +1,16 @@
 #!/usr/bin/env python3
-'''special agent call file'''
+'''special agent call file
+
+Set the environment variable ``LDAP_VERIFY_TLS=1`` or pass ``--verify-tls``
+to enforce TLS certificate verification.
+'''
 # -*- mode: Python; encoding: utf-8; indent-offset: 4; autowrap: nil -*-
 
 # (c) Michael Honkoop <mhonkoop@comsolve.nl>
 
 # License: GNU General Public License v2
 
+import os
 import sys
 import ldap
 from cmk_addons.plugins.edirectory_monitor.lib import (
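Review bot: The new module docstring at lines 21-22 documents the flag as `--verify-tls` (hyphen), but the option parsing and usage string added in the same commit only recognise `--verify_tls` (underscore), so an operator following the docstring leaves the flag in `args`, where it is counted as a positional argument and, if given first, used as the LDAP URI. Either rename the option to the hyphenated form or fix the docstring to match, e.g. `Set the environment variable ``LDAP_VERIFY_TLS=1`` or pass ``--verify_tls`` to enforce TLS certificate verification; by default no certificate checking is done.`. Stating the insecure default explicitly matters here, since the only change in behaviour is opt-in.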
@@ -14,9 +19,20 @@ from cmk_addons.plugins.edirectory_monitor.lib import (
 
 def main():
     args = sys.argv[1:]
+
+    verify_tls = False
+    if "--verify_tls" in args:
+        verify_tls = True
+        args.remove("--verify_tls")
+
+    env_verify = os.environ.get("LDAP_VERIFY_TLS", "").lower()
+    if env_verify in ("1", "true", "yes"):
+        verify_tls = True
+
     if len(args) < 3:
-        print("Usage: script.py <LDAP_URI> <BIND_DN> <PASSWORD>")
-        sys.exit(1)
+        print("Usage: script.py [--verify_tls] <LDAP_URI> <BIND_DN> <PASSWORD>")
+        return 1
+    
     ldap_uri = args[0]
     binddn = args[1] 
     pw = args[2]
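Review bot: Certificate verification remains off by default — `verify_tls` starts as False at line 39 and only the flag or the environment variable turns it on — so every existing invocation keeps accepting any server certificate while sending the bind DN and password, and a MITM on the monitoring network still gets the credentials. For an agent that authenticates with a password, the safer shape is verification on by default with an explicit opt-out (`--no-verify-tls` / `LDAP_VERIFY_TLS=0`), so only hosts that genuinely need the insecure mode say so. Separately, replacing `sys.exit(1)` with `return 1` at line 52 loses the non-zero exit status, because the `if __name__ == "__main__": main()` guard at the end of the file (unchanged context in the last hunk) discards the return value; either keep `sys.exit(1)` or change the guard to `sys.exit(main())`. The parsing of `--verify_tls` at line 40 is also an exact-string match, so `--verify-tls` (as the docstring spells it) is silently treated as a positional argument.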
@@ -24,9 +40,13 @@ def main():
     searchFilter = "(objectClass=*)"
     searchAttribute = ["*"]
     searchScope = ldap.SCOPE_SUBTREE
+
+    l = None
     try:
-        # ignore TLS certificate checking
-        ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
+        if verify_tls:
+            ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
+        else:
+            ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
         # Create LDAPObject instance with given uri
         l = ldap.initialize(ldap_uri)
         # Set LDAP protocol version used
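Review bot: With `OPT_X_TLS_DEMAND` set at line 67, nothing in the hunk tells OpenLDAP which CA to trust, so against an eDirectory server signed by a private CA the verified mode fails the handshake unless the host's ldap.conf already carries `TLS_CACERT`; consider an `LDAP_CACERT` environment variable mapped to `ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, path)` before `ldap.initialize(ldap_uri)`, and document the ldap.conf fallback. The option also only has effect if the connection actually uses TLS — an `ldaps://` URI or a later `start_tls_s()` call, neither of which is visible in this hunk — so `--verify_tls` with a plain `ldap://` URI still sends the bind password in clear; a check on the URI scheme, or at least a warning, would avoid a false sense of security. The `l = None` initialisation at line 62 is a good fix: without it the `finally` block's `l.unbind_s()` raised NameError when `initialize` failed. The enclosing try block continues past the end of the hunk.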
@@ -96,7 +116,7 @@ def main():
     finally:
         if l is not None:
                 l.unbind_s()
-                
+
 if __name__ == "__main__":
     main()