Xymon Mailing List Archive

bug in ldaptest.c

list Buchan Milne
Mon, 27 Sep 2010 19:34:40 +0100
Message-Id: <user-e04c2c27b8a9@xymon.invalid>

On Thursday, 23 September 2010 14:18:51 Henrik Størner wrote:
> In <user-ab481b8898d2@xymon.invalid> Buchan Milne
> <user-9b139aff4dec@xymon.invalid> writes:
>> ldaps isn't a standardised (RFC) LDAP feature, whereas STARTTLS is. I
>> assume this could be a reason why Henrik initially didn't implement ldaps
>> support, instead using ldaps:// to indicate STARTTLS.
>>
>> We can consider implementing real ldaps support, but then we would need a
>> different way to request STARTTLS support in ldap:// URLs in bb-hosts.
> The major problem with this is that Xymon uses the OpenLDAP library
> to talk to the LDAP server (the LDAP protocol itself is a bit too
> complex for Xymon to do on its own). And OpenLDAP only supports the
> RFC-way of doing SSL.
This isn't true. Almost all LDAP client software (pam_ldap, nss_ldap, samba, freeradius, ldapsearch etc., apache mod_ldap, etc., to name a few) using OpenLDAP libldap (at least with OpenSSL, I'm not too familiar with OpenLDAP+gnutls) supports original Netscape-style ldaps (which is usually on port 636).

I can look at fixing this, but we need to decide if we are going to change to interpreting ldaps really as ldaps://, and how to distinguish ldap:// with STARTTLS.

Regards,
Buchan
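To make the distinction the thread is arguing about concrete, here is an added illustration (not code from Xymon's ldaptest.c or from OpenLDAP) of what differs on the wire between Netscape-style ldaps:// and RFC STARTTLS over ldap://: ldaps starts TLS from the first byte on port 636, while STARTTLS begins as a clear-text port 389 session and sends an LDAP ExtendedRequest carrying OID 1.3.6.1.4.1.1466.20037 before the handshake. The `starttls` flag, the `ConnectionPlan` type and the hostnames are assumptions for the example; nothing here fixes what the bb-hosts syntax should look like.

```python
"""Connection plan for an LDAP URL: implicit TLS (ldaps://) versus STARTTLS over ldap://."""
from dataclasses import dataclass
from urllib.parse import urlsplit

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # StartTLS extended operation, RFC 4511 s4.14
DEFAULT_PORT = {"ldap": 389, "ldaps": 636}


def _tlv(tag: int, body: bytes) -> bytes:
    """Minimal BER TLV encoder; only short-form lengths (< 128) are needed here."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest { requestName = StartTLS OID } }.

    ExtendedRequest is [APPLICATION 23] constructed (tag 0x77); requestName is
    context tag [0] primitive (0x80). This PDU goes out in clear text; TLS is
    negotiated only after the server answers with resultCode success.
    message_id must stay below 128 so the single-byte INTEGER encoding is positive.
    """
    ext_req = _tlv(0x77, _tlv(0x80, STARTTLS_OID))
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + ext_req)


@dataclass
class ConnectionPlan:            # hypothetical type for this example
    host: str
    port: int
    tls_mode: str                # "implicit" (ldaps), "starttls", or "none"
    cleartext_pdu: bytes         # bytes sent before TLS starts; empty for ldaps


def plan_connection(url: str, starttls: bool = False) -> ConnectionPlan:
    """Decide how TLS is reached for an LDAP URL.

    ldaps:// means TLS from the first byte (default port 636). ldap:// is plain
    (default port 389); STARTTLS has to be requested by a separate flag because
    the scheme alone cannot express it, which is the ambiguity the thread raises.
    """
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORT:
        raise ValueError(f"not an LDAP URL: {url!r}")
    port = parts.port or DEFAULT_PORT[parts.scheme]
    if parts.scheme == "ldaps":
        if starttls:
            raise ValueError("STARTTLS cannot be layered on an ldaps:// session")
        return ConnectionPlan(parts.hostname, port, "implicit", b"")
    if starttls:
        return ConnectionPlan(parts.hostname, port, "starttls", starttls_request())
    return ConnectionPlan(parts.hostname, port, "none", b"")
```

A monitor that treats ldaps:// as "STARTTLS on 389" would emit the clear-text PDU against a port that expects a TLS ClientHello, which is the failure mode the thread is trying to design out.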