[xymon] bug in ldaptest.c
Buchan Milne
bgmilne at staff.telkomsa.net
Mon Sep 27 20:34:40 CEST 2010
On Thursday, 23 September 2010 14:18:51 Henrik Størner wrote:
> In <201008311724.25873.bgmilne at staff.telkomsa.net> Buchan Milne
> <bgmilne at staff.telkomsa.net> writes:
> >ldaps isn't a standardised (RFC) LDAP feature, whereas STARTTLS is. I
> >assume this could be a reason why Henrik initially didn't implement ldaps
> >support, instead using ldaps:// to indicate STARTTLS.
> >
> >We can consider implementing real ldaps support, but then we would need a
> >different way to request STARTTLS support in ldap:// URLs in bb-hosts.
>
> The major problem with this is that Xymon uses the OpenLDAP library
> to talk to the LDAP server (the LDAP protocol itself is a bit too
> complex for Xymon to do on its own). And OpenLDAP only supports the
> RFC-way of doing SSL.
This isn't true. Almost all LDAP client software (pam_ldap, nss_ldap, samba,
freeradius, ldapsearch, apache mod_ldap, etc., to name a few) using
OpenLDAP libldap (at least with OpenSSL, I'm not too familiar with
OpenLDAP+gnutls) supports original Netscape-style ldaps (which is usually on
port 636).
I can look at fixing this, but we need to decide if we are going to change to
interpreting ldaps really as ldaps://, and how to distinguish ldap:// with
STARTTLS.
Regards,
Buchan
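The distinction drawn in this thread, Netscape-style ldaps (TLS from the first byte, normally port 636) versus RFC STARTTLS negotiated on a plain ldap:// connection, and the open question of how a bb-hosts URL should say which one it wants, as an added example in C. This is not Xymon's ldaptest.c and not libldap code; the `ldap+starttls://` scheme is an assumption made for this example only, not Xymon syntax, and the sample entries are constructed. The parser maps a URL to host, port and TLS mode, and to the plain `ldap://` or `ldaps://` URI that libldap's `ldap_initialize()` accepts, so the STARTTLS decision is carried separately from the URI instead of being overloaded onto `ldaps://`.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum tls_mode { TLS_NONE, TLS_ON_CONNECT, TLS_STARTTLS };

struct ldap_target {
    char host[256];      /* hostname or [ipv6-literal] */
    int port;
    enum tls_mode tls;
    char uri[512];       /* ldap:// or ldaps:// URI to hand to ldap_initialize() */
};

/*
 * Parse a bb-hosts style LDAP URL into host, port and TLS mode.
 *   ldaps://host[:port]/...          TLS on connect (Netscape-style), default port 636
 *   ldap://host[:port]/...           plaintext, default port 389
 *   ldap+starttls://host[:port]/...  StartTLS after a plaintext connect; this scheme
 *                                    is an ASSUMPTION for this example, not Xymon syntax
 * Returns 0 on success, -1 on a malformed or unsupported URL.
 */
int parse_ldap_target(const char *url, struct ldap_target *t)
{
    const char *sep, *auth, *end, *p;
    size_t schemelen, hostlen, i;
    char scheme[16];

    memset(t, 0, sizeof(*t));
    sep = strstr(url, "://");
    if (sep == NULL) return -1;
    schemelen = (size_t)(sep - url);
    if (schemelen == 0 || schemelen >= sizeof(scheme)) return -1;
    for (i = 0; i < schemelen; i++)          /* schemes are case-insensitive */
        scheme[i] = (char)tolower((unsigned char)url[i]);
    scheme[schemelen] = '\0';

    if (strcmp(scheme, "ldaps") == 0)              { t->tls = TLS_ON_CONNECT; t->port = 636; }
    else if (strcmp(scheme, "ldap+starttls") == 0) { t->tls = TLS_STARTTLS;   t->port = 389; }
    else if (strcmp(scheme, "ldap") == 0)          { t->tls = TLS_NONE;       t->port = 389; }
    else return -1;

    /* Authority is everything between "://" and the first '/' (or end of string). */
    auth = sep + 3;
    end = strchr(auth, '/');
    if (end == NULL) end = auth + strlen(auth);
    if (*auth == '[') {                      /* bracketed IPv6 literal, brackets kept */
        p = memchr(auth, ']', (size_t)(end - auth));
        if (p == NULL) return -1;
        p++;
    } else {
        p = memchr(auth, ':', (size_t)(end - auth));
        if (p == NULL) p = end;
    }
    hostlen = (size_t)(p - auth);
    if (hostlen == 0 || hostlen >= sizeof(t->host)) return -1;
    memcpy(t->host, auth, hostlen);
    t->host[hostlen] = '\0';

    if (p < end) {                           /* explicit :port, must be all digits */
        char *ep;
        long port;
        if (*p != ':') return -1;
        port = strtol(p + 1, &ep, 10);
        if (ep == p + 1 || ep != end || port < 1 || port > 65535) return -1;
        t->port = (int)port;
    }

    /* libldap only understands ldap:// and ldaps://; StartTLS is negotiated after
       connecting, so its URI is an ordinary ldap:// one with the port made explicit. */
    snprintf(t->uri, sizeof(t->uri), "%s://%s:%d%s",
             t->tls == TLS_ON_CONNECT ? "ldaps" : "ldap", t->host, t->port, end);
    return 0;
}

/* Accessors so the decision can be checked per URL without a struct. */
int tls_mode_of(const char *url)
{ struct ldap_target t; return parse_ldap_target(url, &t) == 0 ? (int)t.tls : -1; }
int port_of(const char *url)
{ struct ldap_target t; return parse_ldap_target(url, &t) == 0 ? t.port : -1; }
int uri_matches(const char *url, const char *expected)
{ struct ldap_target t; return parse_ldap_target(url, &t) == 0 && strcmp(t.uri, expected) == 0; }

int main(void)
{
    /* Constructed sample entries, not taken from any real bb-hosts file. */
    static const char *samples[] = {
        "ldaps://ldap.example.com/dc=example,dc=com?uid?sub?(uid=monitor)",
        "ldap://ldap.example.com/dc=example,dc=com",
        "ldap+starttls://[2001:db8::1]:3389/dc=example,dc=com",
        "ldap://ldap.example.com:/bad",
    };
    static const char *names[] = { "no TLS", "TLS on connect", "StartTLS" };
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        struct ldap_target t;
        if (parse_ldap_target(samples[i], &t) != 0)
            printf("%s -> malformed\n", samples[i]);
        else
            printf("%s -> %s, %s:%d, uri %s\n", samples[i], names[t.tls], t.host, t.port, t.uri);
    }
    return 0;
}
```

With the result in hand the libldap sequence is: `ldap_initialize()` with `t.uri`; for `TLS_STARTTLS` call `ldap_start_tls_s()` before binding; for `TLS_ON_CONNECT` nothing extra, since the library negotiates TLS during connect for an `ldaps://` URI. The port is always written into the URI so that an ldaps server on a non-default port is not silently mapped to 389 or 636.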