[xymon] bug in ldaptest.c

Rob McBroom mailinglist0 at skurfer.com
Wed Sep 29 17:48:59 CEST 2010


On Sep 29, 2010, at 11:19 AM, Buchan Milne wrote:

> On Wednesday, 29 September 2010 13:21:10 Rob McBroom wrote:
>> 
> 
>> That sounds fine for testing with a URI, but what about a “naked” tag?
>> Currently, it's enough to just say “ldap” or “ldaps” to have the test run
>> with defaults.
> 
> Sure, if all you want to do is test that the port is open. What would you want 
> to occur for an 'ldap' tag regarding STARTTLS?

Ah, OK. I thought the “ldaps” test this thread referred to was just “ldaps” and nothing else. Apparently, “ldap” and “ldaps” are both testing port 389 currently (and nothing more). Adding some details, like “ldaps://server/blah” will do STARTTLS on 389, right?

Although, now that I think about it, that can't be true. I'm using your excellent “ol” test but I left the “ldaps” tag in place so I could get warnings about the SSL certs. If “ldaps” is only checking that the port is open, how can it know anything about the cert? Clearly, there's more going on. If it's hitting port 636 to get the cert, then I wouldn't change anything. If it's doing STARTTLS on 389, then I'm saying “ldapt” (or whatever) should take over that function and “ldaps” should use 636.

-- 
Rob McBroom
<http://www.skurfer.com/>

Don't try to tell me something is important to you if the whole of your “support” entails getting Congress to force *others* to spend time and money on it.



