[xymon] bug in ldaptest.c

Buchan Milne bgmilne at staff.telkomsa.net
Tue Aug 31 18:24:25 CEST 2010


On Tuesday, 31 August 2010 07:18:01 Scott, Brian wrote:
> Matthew,
> 
> STARTTLS uses the normal ldap port rather than the ssl port. The initial
> handshake is done in clear text then the connection is 'upgraded' to ssl
> using the STARTTLS command within the original TCP connection.
> 
> I'm not sure how you tell Xymon to not use STARTTLS and instead use the
> SSL port. From a quick look at the surrounding code it doesn't look very
> obvious to me.
> 
> Actually, looking at the documentation I see:
> 	...LDAP server that use the older non-standard method of
> tunnelling LDAP through SSL on port 636 will not work.
> 
> So it looks like the best you could do is check that the port is open
> and listening.
> 
> Brian
> 
> -----Original Message-----
> From: Epp, Matthew Mr CTR USA USA [mailto:matthew.epp at us.army.mil]
> Sent: Tuesday, 31 August 2010 3:25 AM
> To: xymon at xymon.com
> Subject: [xymon] bug in ldaptest.c

[...]

> The server I'm running the test against is Sun Directory 6.2, so should
> this test work, or should I give up and just use an external script for
> my ldaps testing?

ldaps isn't a standardised (RFC) LDAP feature, whereas STARTTLS is. I assume 
this could be a reason why Henrik initially didn't implement ldaps support, 
instead using ldaps:// to indicate STARTTLS.

We can consider implementing real ldaps support, but then we would need a 
different way to request STARTTLS support in ldap:// URLs in bb-hosts.

I will try and look at this, but to make sure it doesn't get lost, please log 
a feature request on the SF tracker (there is a link on 
http://sourceforge.net/projects/xymon/support).

Regards,
Buchan
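
The difference the thread turns on is the first bytes on the wire: with STARTTLS
the client opens a plaintext LDAP connection (normally port 389), sends an
ExtendedRequest carrying the StartTLS OID 1.3.6.1.4.1.1466.20037, and only then
negotiates TLS; with ldaps the TLS handshake happens before any LDAP PDU, usually
on 636. The script below is an added example for this thread, written in Python
with only the standard library; it is not xymon's ldaptest.c and not code from
any of the posters. It hand-encodes the StartTLS request in BER, parses the
resultCode out of the ExtendedResponse, and probes a server either way. The URL
convention it uses (ldap:// meaning STARTTLS, ldaps:// meaning TLS from the first
byte on 636) is an assumption chosen to illustrate the two modes, not the bb-hosts
syntax; the function names are mine.

```python
"""Probe an LDAP server for TLS two ways: STARTTLS on the plain LDAP port, or
LDAP-over-TLS ("ldaps") on 636.

Added example for the xymon ldaptest.c thread; not xymon's own code.  Assumed
convention (not bb-hosts syntax): ldap:// -> STARTTLS on 389, ldaps:// -> TLS
from the first byte on 636.
"""
import socket
import ssl
from urllib.parse import urlsplit

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # StartTLS extended operation (RFC 4511)


def ber_len(n):
    """BER length: short form below 128, otherwise 0x80|k followed by k bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag, content):
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(content)) + content


def ber_read(buf, pos=0):
    """Decode the TLV starting at buf[pos]; return (tag, content, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        k = length & 0x7F
        length = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + length], pos + length


def starttls_request(msg_id=1):
    """LDAPMessage { messageID INTEGER,
                     ExtendedRequest [APPLICATION 23] { requestName [0] OID } }.
    msg_id is kept below 128 so the single-byte INTEGER encoding is valid."""
    ext_req = ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID))   # 0x60|23, [0] primitive
    return ber_tlv(0x30, ber_tlv(0x02, bytes([msg_id])) + ext_req)


def starttls_result_code(resp):
    """resultCode (ENUMERATED) from an ExtendedResponse [APPLICATION 24], else None."""
    tag, msg, _ = ber_read(resp)
    if tag != 0x30:
        return None
    _, _msgid, pos = ber_read(msg)         # skip messageID
    tag, body, _ = ber_read(msg, pos)
    if tag != 0x78:                        # 0x60|24 = ExtendedResponse
        return None
    tag, code, _ = ber_read(body)          # first element is resultCode
    if tag != 0x0A:
        return None
    return int.from_bytes(code, "big")


def plan(url):
    """Map a URL to (host, port, mode) under the assumed convention above."""
    u = urlsplit(url)
    if u.scheme == "ldap":
        return u.hostname, u.port or 389, "starttls"
    if u.scheme == "ldaps":
        return u.hostname, u.port or 636, "ldaps"
    raise ValueError("unsupported scheme: %r" % u.scheme)


def probe(url, timeout=5.0, cafile=None):
    """Connect and negotiate TLS the way the URL asks; return a small status dict.
    The default context verifies the chain and hostname, so pass cafile= for a
    directory server with an internal CA rather than turning verification off."""
    host, port, mode = plan(url)
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if mode == "starttls":
            sock.sendall(starttls_request())
            # A probe reads one datagram; a full client would reassemble the PDU.
            code = starttls_result_code(sock.recv(4096))
            if code != 0:                  # 0 = success
                return {"mode": mode, "ok": False,
                        "reason": "StartTLS resultCode %r" % code}
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return {"mode": mode, "ok": True,
                    "tls": tls.version(), "cipher": tls.cipher()[0]}


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "ldap://localhost"))
```

Run it as `python probe.py ldaps://dirserver.example.org` to test the 636 path or
with `ldap://` to exercise STARTTLS; a server that only tunnels LDAP over SSL on
636 will simply never answer the plaintext ExtendedRequest, which is the failure
mode this thread describes.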
