[xymon] bug in ldaptest.c
Buchan Milne
bgmilne at staff.telkomsa.net
Tue Aug 31 18:24:25 CEST 2010
On Tuesday, 31 August 2010 07:18:01 Scott, Brian wrote:
> Matthew,
>
> STARTTLS uses the normal ldap port rather than the ssl port. The initial
> handshake is done in clear text then the connection is 'upgraded' to ssl
> using the STARTTLS command within the original TCP connection.
>
> I'm not sure how you tell Xymon to not use STARTTLS and instead use the
> SSL port. From a quick look at the surrounding code it doesn't look very
> obvious to me.
>
> Actually, looking at the documentation I see:
> ...LDAP server that use the older non-standard method of
> tunnelling LDAP through SSL on port 636 will not work.
>
> So it looks like the best you could do is check that the port is open
> and listening.
>
> Brian
>
> -----Original Message-----
> From: Epp, Matthew Mr CTR USA USA [mailto:matthew.epp at us.army.mil]
> Sent: Tuesday, 31 August 2010 3:25 AM
> To: xymon at xymon.com
> Subject: [xymon] bug in ldaptest.c
[...]
> The server I'm running the test against is Sun Directory 6.2, so should
> this test work, or should I give up and just use an external script for
> my ldaps testing?
ldaps isn't a standardised (RFC) LDAP feature, whereas STARTTLS is. I assume
this could be a reason why Henrik initially didn't implement ldaps support,
instead using ldaps:// to indicate STARTTLS.
We can consider implementing real ldaps support, but then we would need a
different way to request STARTTLS support in ldap:// URLs in bb-hosts.
I will try and look at this, but to make sure it doesn't get lost, please log
a feature request on the SF tracker (there is a link on
http://sourceforge.net/projects/xymon/support).
Regards,
Buchan
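An external check for both modes Brian distinguishes above, added here as an example and not taken from Xymon's ldaptest.c: probe() either starts TLS from the first byte on 636 (ldaps) or speaks clear LDAP on 389 and sends the StartTLS extended request before upgrading the same TCP connection. The function and mode names are mine, and SAMPLE_OK_RESPONSE is a constructed server reply used only to exercise the parser offline.

```python
import socket
import ssl
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # StartTLS extended operation, RFC 4511 s.4.14
# Constructed sample: ExtendedResponse with resultCode success(0), empty matchedDN/errorMessage
SAMPLE_OK_RESPONSE = bytes.fromhex("300c02010178070a010004000400")

def ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value
def starttls_request(msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    ext = tlv(0x77, tlv(0x80, STARTTLS_OID))   # 0x77 = APPLICATION 23 constructed, 0x80 = [0] primitive
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + ext)
def _read_tlv(buf: bytes, pos: int):
    # Decode one BER element at pos; returns (tag, value, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def starttls_result_code(data: bytes) -> int:
    """resultCode of an ExtendedResponse; 0 means the server agreed to upgrade to TLS."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _read_tlv(msg, 0)               # skip messageID
    tag, ext, _ = _read_tlv(msg, pos)
    if tag != 0x78:                             # 0x78 = APPLICATION 24, ExtendedResponse
        raise ValueError("not an ExtendedResponse")
    tag, code, _ = _read_tlv(ext, 0)            # first element is resultCode ENUMERATED
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    return int.from_bytes(code, "big")

def probe(host: str, mode: str, timeout: float = 5.0) -> bool:
    """'ldaps': TLS from the first byte on 636. 'starttls': clear LDAP on 389, then in-band upgrade."""
    ctx = ssl.create_default_context()          # verifies the server certificate against system CAs
    with socket.create_connection((host, 636 if mode == "ldaps" else 389), timeout=timeout) as raw:
        if mode == "starttls":
            raw.sendall(starttls_request())
            if starttls_result_code(raw.recv(4096)) != 0:
                return False                    # server refused StartTLS; do not carry on in clear
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version() is not None    # handshake completed and certificate verified
```

Unlike the port-open fallback Brian mentions, probe(host, "ldaps") only succeeds if the TLS handshake completes and the certificate verifies, so it distinguishes a listening port from a working LDAPS service.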