On Monday, 27 September 2010 20:58:19 Henrik Størner wrote:
In <user-e04c2c27b8a9@xymon.invalid> Buchan Milne
<user-9b139aff4dec@xymon.invalid> writes:
On Thursday, 23 September 2010 14:18:51 Henrik Størner wrote:
The major problem with this is that Xymon uses the OpenLDAP library
to talk to the LDAP server (the LDAP protocol itself is a bit too
complex for Xymon to do on its own). And OpenLDAP only supports the
RFC-way of doing SSL.
This isn't true. Almost all LDAP client software (pam_ldap, nss_ldap, samba,
freeradius, ldapsearch etc., apache mod_ldap, etc., to name a few)
using OpenLDAP libldap (at least with OpenSSL, I'm not too familiar
with OpenLDAP+gnutls) supports original Netscape-style ldaps (which is
usually on port 636).
Okay, I haven't looked at OpenLDAP since I implemented the LDAP tests
(quite some time ago). The SSL support then wasn't documented at all,
so I had to go by some sample code included with the library. If that
has changed and we can support port-636-ldaps somehow then sure - let's
do it. We probably need to invent a different tag in bb-hosts for it,
but that's a minor problem.
Most people will expect "ldaps" to mean LDAP over SSL. IMHO, we should either
create a new tag for LDAP with STARTTLS, or use a bind extension in the
existing ldap tag (IOW, keep it a quasi-valid LDAP URI).
AFAIK, there is no standard bind extension for starttls, but we could use
something like:
ldap://hostname/????starttls
(or:
ldap://ldap.mydomain.com/dc=mydomain,dc=com?uid?sub?"(uid=testuser)"?starttls
)
Regards,
Buchan
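The thread proposes keeping the bb-hosts entry a quasi-valid LDAP URI and signalling STARTTLS through the URI's extensions field. The Python below is an added example, not code from Xymon or from either poster: it parses an LDAP URI into its RFC 4516 components (host, port, DN, attributes, scope, filter, extensions) and derives which transport-security mode a checker should use. A "starttls" extension is not defined by any RFC; it is assumed here exactly as proposed above, alongside the RFC 4516 "bindname" extension, and any critical ("!"-prefixed) extension outside that set is rejected as RFC 4516 requires. The sample URIs at the bottom are constructed for the example; the filter is written percent-encoded rather than in quotes.

```python
"""Parse LDAP URIs (RFC 4516) and decide how a checker should secure the
connection: LDAP over SSL ("ldaps://", default port 636) versus plain
"ldap://" carrying a non-standard "starttls" extension, as proposed in the
thread. The "starttls" extension name is an assumption taken from that
proposal, not an RFC-defined extension."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import unquote

SCOPES = ("base", "one", "sub")
# "bindname" is registered by RFC 4516; "starttls" is the thread's proposal
# (hypothetical, assumed here only so the example can recognise it).
KNOWN_EXTENSIONS = {"bindname", "starttls"}


@dataclass
class LdapUri:
    scheme: str
    host: str
    port: int
    dn: str = ""
    attrs: List[str] = field(default_factory=list)
    scope: str = "base"
    filter: str = "(objectClass=*)"
    extensions: Dict[str, Optional[str]] = field(default_factory=dict)
    critical: List[str] = field(default_factory=list)

    @property
    def tls_mode(self) -> str:
        """'ssl' for ldaps://, 'starttls' for ldap:// with the proposed
        starttls extension, otherwise 'none' (cleartext)."""
        if self.scheme == "ldaps":
            return "ssl"
        if "starttls" in self.extensions:
            return "starttls"
        return "none"


def parse_ldap_uri(uri: str) -> LdapUri:
    """Split an ldap:// or ldaps:// URI into its RFC 4516 fields."""
    scheme, sep, rest = uri.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError("not an ldap:// or ldaps:// URI: %r" % uri)
    hostport, _, tail = rest.partition("/")
    # hostport is "host", "host:port", "[v6addr]" or "[v6addr]:port"
    if hostport.startswith("["):
        host, _, after = hostport[1:].partition("]")
        port_s = after[1:] if after.startswith(":") else ""
    else:
        host, _, port_s = hostport.partition(":")
    port = int(port_s) if port_s else (636 if scheme == "ldaps" else 389)
    result = LdapUri(scheme=scheme, host=host, port=port)
    if not tail:
        return result
    # dn ? attributes ? scope ? filter ? extensions (missing fields = defaults)
    parts = tail.split("?")
    if len(parts) > 5:
        raise ValueError("too many '?' separators in %r" % uri)
    parts += [""] * (5 - len(parts))
    dn, attrs, scope, filt, exts = parts
    result.dn = unquote(dn)
    if attrs:
        result.attrs = [unquote(a) for a in attrs.split(",") if a]
    if scope:
        if scope.lower() not in SCOPES:
            raise ValueError("bad scope %r (expected base|one|sub)" % scope)
        result.scope = scope.lower()
    if filt:
        result.filter = unquote(filt)
    for ext in exts.split(","):
        if not ext:
            continue
        crit = ext.startswith("!")
        name, has_val, value = unquote(ext.lstrip("!")).partition("=")
        name = name.lower()
        if crit:
            # RFC 4516 3: a critical extension the client does not
            # understand means the whole URI must be rejected.
            if name not in KNOWN_EXTENSIONS:
                raise ValueError("unsupported critical extension %r" % name)
            result.critical.append(name)
        result.extensions[name] = value if has_val else None
    return result


if __name__ == "__main__":
    # Constructed sample entries, one per transport mode the thread discusses.
    for sample in (
        "ldap://ldap.mydomain.com/dc=mydomain,dc=com?uid?sub?(uid=testuser)?starttls",
        "ldaps://ldap.mydomain.com/",
        "ldap://hostname/????starttls",
        "ldap://hostname/",
    ):
        u = parse_ldap_uri(sample)
        print("%-75s -> %s:%d tls=%s" % (sample, u.host, u.port, u.tls_mode))
```

The split on `?` happens before percent-decoding so that an encoded `%3F` inside a filter cannot be mistaken for a field separator; the same ordering applies to the `,` between extensions.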