Xymon Mailing List Archive

bug in ldaptest.c

list Buchan Milne
Tue, 31 Aug 2010 17:24:25 +0100
Message-Id: <user-ab481b8898d2@xymon.invalid>

On Tuesday, 31 August 2010 07:18:01 Scott, Brian wrote:
Matthew,

STARTTLS uses the normal ldap port rather than the ssl port. The initial
handshake is done in clear text, then the connection is 'upgraded' to ssl
using the STARTTLS command within the original TCP connection.

I'm not sure how you tell Xymon to not use STARTTLS and instead use the
SSL port. From a quick look at the surrounding code it doesn't look very
obvious to me.

Actually, looking at the documentation I see:
	...LDAP server that use the older non-standard method of
tunnelling LDAP through SSL on port 636 will not work.

So it looks like the best you could do is check that the port is open
and listening.

Brian

-----Original Message-----
From: Epp, Matthew Mr CTR USA USA [mailto:user-c07bdcff406c@xymon.invalid]
Sent: Tuesday, 31 August 2010 3:25 AM
To: xymon at xymon.com
Subject: [xymon] bug in ldaptest.c
[...]
The server I'm running the test against is Sun Directory 6.2, so should
this test work, or should I give up and just use an external script for
my ldaps testing?

ldaps isn't a standardised (RFC) LDAP feature, whereas STARTTLS is. I assume 
this could be a reason why Henrik initially didn't implement ldaps support, 
instead using ldaps:// to indicate STARTTLS.

We can consider implementing real ldaps support, but then we would need a 
different way to request STARTTLS support in ldap:// URLs in bb-hosts.

I will try and look at this, but to make sure it doesn't get lost, please log 
a feature request in the SF tracker (there is a link on 
http://sourceforge.net/projects/xymon/support).

Regards,
Buchan
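The two connection styles the thread contrasts, as an added example that is not code from Xymon's ldaptest.c and not from any of the posters: an external probe that does real ldaps:// (TLS handshake first on port 636, then LDAP inside the tunnel) and real STARTTLS (plain LDAP on port 389, then the StartTLS extended operation upgrades the same TCP connection), plus the port-open fallback Brian mentions. The host name, the standard ports and the choice of an anonymous simple bind as the probe are assumptions; the BER framing and the StartTLS OID 1.3.6.1.4.1.1466.20037 are from RFC 4511.

```python
# Added example (not Xymon's ldaptest.c and not code from either poster): probe
# an LDAP server both ways the thread distinguishes.  ldaps:// means TLS first
# on port 636 with LDAP inside the tunnel; STARTTLS means plain LDAP on port 389
# with the same TCP connection then upgraded via the StartTLS extended operation.
import socket
import ssl
import sys

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended-operation OID (RFC 4511)
BIND_RESPONSE, EXTENDED_REQUEST, EXTENDED_RESPONSE = 0x61, 0x77, 0x78  # protocolOp tags
SUCCESS = 0                               # LDAP resultCode success(0)

def ber_len(n):  # BER length octets: short form below 128, long form 0x8N + N octets
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def read_tlv(buf, pos=0):
    """Decode one BER element at buf[pos]; returns (tag, payload, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits = number of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def starttls_request(msg_id=1):
    """LDAPMessage { messageID, ExtendedRequest { requestName [0] = StartTLS OID } }"""
    ext = tlv(EXTENDED_REQUEST, tlv(0x80, STARTTLS_OID))
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + ext)   # msg_id kept below 128

def anon_bind_request(msg_id=1):
    """Anonymous simple bind (assumed probe): BindRequest { version 3, name "", simple "" }"""
    bind = tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, b"") + tlv(0x80, b""))
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + bind)

def result_code(msg):
    """Return (protocolOp tag, resultCode) of a BindResponse or ExtendedResponse."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage (a TLS record from an ldaps port looks like this)")
    _, _, pos = read_tlv(body)            # messageID
    op_tag, op, _ = read_tlv(body, pos)   # the response itself
    _, code, _ = read_tlv(op)             # resultCode ENUMERATED is its first field
    return op_tag, int.from_bytes(code, "big")

def _recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-message")
        data += chunk
    return data

def recv_message(sock):
    """Read exactly one BER-framed LDAPMessage: tag, length octets, contents."""
    head = _recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        lenbytes = _recv_exact(sock, length & 0x7F)
        head, length = head + lenbytes, int.from_bytes(lenbytes, "big")
    return head + _recv_exact(sock, length)

def check_ldaps(host, port=636, ctx=None, timeout=10):
    """ldaps://: TLS handshake first, then an anonymous bind inside the tunnel."""
    ctx = ctx or ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(anon_bind_request(1))
            return result_code(recv_message(tls)) == (BIND_RESPONSE, SUCCESS)

def check_starttls(host, port=389, ctx=None, timeout=10):
    """STARTTLS: clear-text StartTLS request, then upgrade the same TCP socket."""
    ctx = ctx or ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(starttls_request(1))
        if result_code(recv_message(raw)) != (EXTENDED_RESPONSE, SUCCESS):
            return False                  # server refused StartTLS (e.g. protocolError)
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(anon_bind_request(2))
            return result_code(recv_message(tls)) == (BIND_RESPONSE, SUCCESS)

def port_open(host, port, timeout=5):  # the thread's fallback: is anything listening?
    try:
        socket.create_connection((host, port), timeout=timeout).close()
        return True
    except OSError:
        return False

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.invalid"  # assumed name
    for name, fn, port in (("ldaps", check_ldaps, 636), ("starttls", check_starttls, 389)):
        try:
            print(name, "ok" if fn(host, port) else "FAILED")
        except (OSError, ValueError, IndexError) as e:
            print(name, "error:", e, "| port open:", port_open(host, port))
```

Run it as `python probe.py ldap.example.invalid` (substitute the real directory host). Sending the clear-text StartTLS request to a port that expects an immediate TLS handshake, which is what the thread says ldaptest.c does against port 636, is exactly the failure `result_code` reports as "not an LDAPMessage": the bytes coming back are a TLS alert, not BER. `ssl.create_default_context()` verifies the server certificate against the system trust store, so for a directory signed by a private CA pass a context on which `load_verify_locations` has been called; a probe that disables verification would pass against any host answering on the port.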