[xymon] bug in ldaptest.c

Scott, Brian brian.scott4 at det.nsw.edu.au
Tue Aug 31 08:18:01 CEST 2010


Matthew,

STARTTLS uses the normal ldap port rather than the ssl port. The initial
handshake is done in clear text then the connection is 'upgraded' to ssl
using the STARTTLS command within the original TCP connection.

I'm not sure how you tell Xymon to not use STARTTLS and instead use the
SSL port. From a quick look at the surrounding code it doesn't look very
obvious to me.

Actually, looking at the documentation I see:
	...LDAP server that use the older non-standard method of
	tunnelling LDAP through SSL on port 636 will not work.

So it looks like the best you could do is check that the port is open
and listening.

Brian

-----Original Message-----
From: Epp, Matthew Mr CTR USA USA [mailto:matthew.epp at us.army.mil] 
Sent: Tuesday, 31 August 2010 3:25 AM
To: xymon at xymon.com
Subject: [xymon] bug in ldaptest.c

So it appears that there's a bug in part of the ldap testing code.

---
bbnet/ldaptest.c (lines 85-86)
                 dbgprintf("Forcing port %d for ldaps with STARTTLS\n", LDAP_PORT);
                 ludp->lud_port = LDAP_PORT;
---

Even if you're attempting an ldaps test with a specified port, the test
is still only performing a 389 port test. I changed LDAP_PORT to
LDAPS_PORT and recompiled, then tried an ldaps test again, however now it
just doesn't appear to connect.

---
2010-08-27 16:06:45 Opening file /home/xymon/server/etc/bb-hosts
2010-08-27 16:06:45 Adding hostname 'x.x.x.x' to resolver queue
2010-08-27 16:06:45 Processing 1 DNS lookups with ARES
2010-08-27 16:06:45 Got DNS result for host x.x.x.x : 10.x.x.x
2010-08-27 16:06:45 Finished ARES queue after loop 2
2010-08-27 16:06:45 Concurrency evaluation: rlim_cur=1024, FD_SETSIZE=0, absmax=1024, initial=1014
2010-08-27 16:06:45 About to do 0 TCP tests running 256 in parallel, abs.max 1014
2010-08-27 16:06:45 TCP tests completed normally
2010-08-27 16:06:45 Forcing port 636 for ldaps with STARTTLS
2010-08-27 16:06:45 Initiating LDAP session for host x.x.x.x port 636
2010-08-27 16:06:45 Attempting to select LDAPv3
2010-08-27 16:06:45 Trying to enable TLS for session
2010-08-27 16:06:55 ldap_start_tls failed
URL        : ldaps://x.x.x.x/ou=people,dc=x,dc=x,dc=x?dn?sub?uid=healthcheck
Time spent : 0.00
LDAP output:
Can't contact LDAP server
---

The server I'm running the test against is Sun Directory 6.2, so should
this test work, or should I give up and just use an external script for
my ldaps testing?
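The thread turns on the difference between STARTTLS (an upgrade issued inside a connection to the plain LDAP port) and LDAP carried over TLS from the first byte on a dedicated port. The following is an added example, not Xymon's ldaptest.c and not code from either poster: a small health check built only on the Python standard library that encodes the StartTLS ExtendedRequest itself, parses the ExtendedResponse so a refused upgrade is reported with its result code rather than as a bare "can't contact server", and honours an explicit port in the URL (the snippet quoted above forces LDAP_PORT instead). It uses the standard meaning of the two schemes (ldap:// with STARTTLS, ldaps:// with TLS from byte one), which is not how Xymon's documentation quoted above uses "ldaps". The host names, ports and byte strings used in the usage section are constructed.

```python
"""LDAP TLS reachability check distinguishing STARTTLS (plain LDAP port,
upgraded in place) from LDAP-over-TLS (dedicated port, TLS from byte one).
Added example using only the Python standard library; not Xymon code."""
import socket
import ssl
from typing import Optional, Tuple
from urllib.parse import urlsplit

LDAP_PORT = 389            # plain LDAP; STARTTLS upgrades this connection
LDAPS_PORT = 636           # TLS from the first byte, nothing in clear text
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS request name


def ber_length(n: int) -> bytes:
    """BER definite-form length: one byte below 128, else 0x80|len + bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, value: bytes) -> bytes:
    """Wrap value as a single-byte-tag TLV."""
    return bytes([tag]) + ber_length(len(value)) + value


def ber_int(n: int) -> bytes:
    """INTEGER TLV for a non-negative n, minimal two's-complement content."""
    return ber_tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest { requestName StartTLS } }.
    ExtendedRequest is [APPLICATION 23] constructed -> tag 0x77;
    requestName is [0] IMPLICIT OCTET STRING -> tag 0x80."""
    ext_req = ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID))
    return ber_tlv(0x30, ber_int(message_id) + ext_req)


def read_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one TLV starting at pos -> (tag, value, position after it)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(data):
        raise ValueError("truncated BER element")
    return tag, data[pos:pos + length], pos + length


def parse_extended_response(data: bytes) -> Tuple[int, str]:
    """Return (resultCode, diagnosticMessage) of an ExtendedResponse
    ([APPLICATION 24] -> tag 0x78); anything else raises ValueError."""
    tag, msg, _ = read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(msg, 0)                 # messageID, not checked here
    op_tag, op, _ = read_tlv(msg, pos)
    if op_tag != 0x78:
        raise ValueError("protocolOp is not an ExtendedResponse (tag 0x%02x)" % op_tag)
    _, code, pos = read_tlv(op, 0)               # resultCode ENUMERATED
    _, _, pos = read_tlv(op, pos)                # matchedDN
    _, diag, _ = read_tlv(op, pos)               # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def resolve_endpoint(url: str) -> Tuple[str, int, str]:
    """Map an LDAP URL to (host, port, mode): ldap:// -> STARTTLS on 389,
    ldaps:// -> TLS on 636, and an explicit port overrides either default
    (the thread shows ldaptest.c forcing LDAP_PORT and discarding it)."""
    parts = urlsplit(url)
    if parts.scheme == "ldap":
        return parts.hostname, parts.port or LDAP_PORT, "starttls"
    if parts.scheme == "ldaps":
        return parts.hostname, parts.port or LDAPS_PORT, "tls"
    raise ValueError("unsupported scheme %r" % parts.scheme)


def ldap_tls_check(url: str, timeout: float = 10.0,
                   cafile: Optional[str] = None) -> dict:
    """Connect as the URL's scheme dictates and complete a verified TLS
    handshake; a refused StartTLS (resultCode != 0) is reported with its
    code instead of being masked as a generic connection failure."""
    host, port, mode = resolve_endpoint(url)
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        if mode == "starttls":
            raw.sendall(starttls_request(1))
            # A single recv is enough for the small ExtendedResponse in practice.
            code, diag = parse_extended_response(raw.recv(4096))
            if code != 0:
                return {"ok": False, "mode": mode, "port": port,
                        "error": "StartTLS refused: resultCode=%d %s" % (code, diag)}
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {"ok": True, "mode": mode, "port": port, "tls": tls.version()}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(ldap_tls_check(sys.argv[1]))   # live check against a real URL
    else:
        print(starttls_request().hex())      # the wire bytes of a StartTLS request
        print(resolve_endpoint("ldaps://ldap.example.test:3269/"))  # constructed URL
```

The TLS step verifies the server certificate against the system trust store, or against `cafile` when one is given, so a monitor built on it also catches an expired or mis-issued directory certificate rather than only an open port; a check that merely confirms port 636 is listening, as the reply above suggests as the fallback, cannot tell those cases apart.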
