Q&A: How can I use the nagios user for check_univention_ldap?

Question:

This script check_univention_ldap internally executes check_ldap again, trying to access /etc/machine.secret. Since the user nagios does not have read access to the file, instead of a result you get:
read_password_file: open failed

Answer:

We have a check_univention_ldap_suidwrapper whose purpose is to call check_univention_ldap with root privileges. So our Nagios check uses the suidwrapper:

rgrep check_univention_ldap /etc/nagios/*
/etc/nagios/nrpe.univention.d/UNIVENTION_LDAP_AUTH.cfg:command[UNIVENTION_LDAP_AUTH]=/usr/lib/nagios/plugins/check_univention_ldap_suidwrapper
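
Added example (not part of the original answer and not Univention's code): a shell audit of the setup described above. It checks that every NRPE command for check_univention_ldap goes through the suidwrapper and that the wrapper is setuid, owned by the expected uid (assumed 0, root) and not group- or world-writable. The function names and the uid argument are assumptions.

```sh
#!/bin/sh
# Added example, not Univention code. Function names and the uid argument
# are hypothetical; stat -c is the GNU coreutils form (Debian-based systems).

# check_wrapper PATH UID: print a verdict for one setuid wrapper binary.
check_wrapper() {
    [ -f "$1" ] || { echo "missing"; return 1; }
    [ -u "$1" ] || { echo "setuid bit not set"; return 1; }
    [ "$(stat -c %u "$1")" = "$2" ] || { echo "not owned by uid $2"; return 1; }
    # A setuid file that group or others can modify hands out its owner's rights.
    [ $(( 0$(stat -c %a "$1") & 022 )) -eq 0 ] || { echo "group/world writable"; return 1; }
    echo "ok"
}

# audit_ldap_nrpe CFG_DIR [UID]: inspect every NRPE command that runs
# check_univention_ldap; return 0 only if all of them use a sane wrapper.
audit_ldap_nrpe() {
    cfg_dir=$1 uid=${2:-0} rc=0 found=0
    for cfg in "$cfg_dir"/*.cfg; do
        [ -f "$cfg" ] || continue
        # Reduce "command[NAME]=/path args" to "NAME /path", one per line.
        cmds=$(sed -n 's/^command\[\([^]]*\)]=\([^ ]*\).*/\1 \2/p' "$cfg")
        while read -r name exe; do
            case ${exe##*/} in
            check_univention_ldap)
                found=1 rc=1
                echo "FAIL $name: plugin runs as nagios, which cannot read /etc/machine.secret" ;;
            check_univention_ldap_suidwrapper)
                found=1
                if verdict=$(check_wrapper "$exe" "$uid"); then
                    echo "OK   $name: $exe"
                else
                    rc=1
                    echo "FAIL $name: wrapper $verdict"
                fi ;;
            esac
        done <<EOF
$cmds
EOF
    done
    [ "$found" -eq 1 ] || { echo "FAIL no NRPE command for check_univention_ldap in $cfg_dir"; rc=1; }
    return "$rc"
}

# Run as a script: sh audit.sh /etc/nagios/nrpe.univention.d
if [ $# -gt 0 ]; then audit_ldap_nrpe "$@"; fi
```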