[xymon] bug in ldaptest.c

Buchan Milne bgmilne at staff.telkomsa.net
Wed Sep 29 00:32:09 CEST 2010


On Monday, 27 September 2010 20:58:19 Henrik Størner wrote:
> In <201009271934.40635.bgmilne at staff.telkomsa.net> Buchan Milne
> <bgmilne at staff.telkomsa.net> writes:
> >On Thursday, 23 September 2010 14:18:51 Henrik Størner wrote:
> >> The major problem with this is that Xymon uses the OpenLDAP library
> >> to talk to the LDAP server (the LDAP protocol itself is a bit too
> >> complex for Xymon to do on its own). And OpenLDAP only supports the
> >> RFC-way of doing SSL.
> >
> >This isn't true. Almost all LDAP client software (pam_ldap, nss_ldap, samba,
> >freeradius, ldapsearch etc., apache mod_ldap, etc., to name a few) using
> >OpenLDAP libldap (at least with OpenSSL, I'm not too familiar with
> >OpenLDAP+gnutls) supports original Netscape-style ldaps (which is usually on
> >port 636).
> 
> Okay, I haven't looked at OpenLDAP since I implemented the LDAP tests
> (quite some time ago). The SSL support then wasn't documented at all,
> so I had to go by some sample code included with the library. If that
> has changed and we can support port-636-ldaps somehow then sure - let's
> do it. We probably need to invent a different tag in bb-hosts for it,
> but that's a minor problem.

Most people will expect "ldaps" to mean LDAP over SSL. IMHO, we should either 
create a new tag for LDAP with STARTTLS, or use a bind extension in the 
existing ldap tag (IOW, keep it a quasi-valid LDAP URI).

AFAIK, there is no standard bind extension for starttls, but we could use 
something like:

ldap://hostname/????starttls

(or:
ldap://ldap.mydomain.com/dc=mydomain,dc=com?uid?sub?"(uid=testuser)"?starttls
)

Regards,
Buchan
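As an added illustration of the URI-extension idea in the message above (example code, not part of the thread and not Xymon's ldaptest.c): a small Python parser that splits an LDAP URI into its RFC 4516 fields (scheme, host, port, DN, attributes, scope, filter, extensions) and then decides from the URI alone whether a test should use ldaps (TLS from the first byte, default port 636), a plaintext connect followed by a StartTLS upgrade, or plaintext only. The `starttls` extension name is the proposal from this message, not a standard extension, and the function names are mine. The sample URIs are the two shapes quoted in the message plus two constructed ones.

```python
from urllib.parse import unquote


def parse_ldap_uri(uri):
    """Split an LDAP URI into its RFC 4516 components.

    Shape: scheme://host[:port]/dn?attrs?scope?filter?extensions
    Every field after the host is optional and may be empty, which is why
    "ldap://host/????starttls" is a legal shape: four empty fields, then
    the extensions field.
    """
    scheme, sep, rest = uri.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError("not an ldap:// or ldaps:// URI: %r" % uri)

    hostport, _, tail = rest.partition("/")
    host, _, port = hostport.partition(":")
    # Default ports: 389 for ldap://, 636 for Netscape-style ldaps://.
    port = int(port) if port else (636 if scheme == "ldaps" else 389)

    # At most five fields; pad the missing ones with "".
    fields = tail.split("?", 4)
    fields += [""] * (5 - len(fields))
    dn, attrs, scope, filt, exts = fields

    # The message writes the filter in double quotes; accept that form too.
    filt = unquote(filt)
    if len(filt) >= 2 and filt[0] == filt[-1] == '"':
        filt = filt[1:-1]

    return {
        "scheme": scheme,
        "host": host,
        "port": port,
        "dn": unquote(dn),
        "attrs": [a for a in attrs.split(",") if a],
        "scope": scope.lower() or "base",
        "filter": filt or "(objectClass=*)",
        # Extension names are matched case-insensitively, e.g. "starttls"
        # (the non-standard extension proposed in this thread).
        "extensions": [e.strip().lower() for e in exts.split(",") if e.strip()],
    }


def transport_for(uri):
    """Return "ldaps", "starttls" or "plaintext" for the given LDAP URI.

    ldaps:// means TLS from the first byte, so it wins even if someone also
    writes ?starttls; a StartTLS upgrade on an already-encrypted socket
    makes no sense.
    """
    parts = parse_ldap_uri(uri)
    if parts["scheme"] == "ldaps":
        return "ldaps"
    if "starttls" in parts["extensions"]:
        return "starttls"
    return "plaintext"


if __name__ == "__main__":
    # Constructed sample inputs: the two URIs from the message and two more.
    samples = [
        "ldap://hostname/????starttls",
        'ldap://ldap.mydomain.com/dc=mydomain,dc=com?uid?sub?"(uid=testuser)"?starttls',
        "ldaps://ldap.example.com/",
        "ldap://ldap.example.com:3890/ou=people,dc=example,dc=com",
    ]
    for s in samples:
        p = parse_ldap_uri(s)
        print("%-9s %s:%d dn=%r scope=%s filter=%s"
              % (transport_for(s), p["host"], p["port"], p["dn"], p["scope"], p["filter"]))
```

A checker built this way keeps the existing `ldap://` and `ldaps://` meanings intact (an `ldaps://` URI is never downgraded to a plaintext-then-upgrade connection) and only adds StartTLS when the extension is spelled out, which is what the "quasi-valid LDAP URI" suggestion above asks for.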
