On Tuesday, 31 August 2010 07:18:01 Scott, Brian wrote:
Matthew,
STARTTLS uses the normal ldap port rather than the ssl port. The initial handshake is done in clear text then the connection is 'upgraded' to ssl using the STARTTLS command within the original TCP connection.
I'm not sure how you tell Xymon to not use STARTTLS and instead use the SSL port. From a quick look at the surrounding code it doesn't look very obvious to me.
Actually, looking at the documentation I see: ...LDAP server that use the older non-standard method of tunnelling LDAP through SSL on port 636 will not work.
So it looks like the best you could do is check that the port is open and listening.
Brian
-----Original Message----- From: Epp, Matthew Mr CTR USA USA [mailto:matthew.epp at us.army.mil] Sent: Tuesday, 31 August 2010 3:25 AM To: xymon at xymon.com Subject: [xymon] bug in ldaptest.c
[...]
The server I'm running the test against is Sun Directory 6.2, so should this test work, or should I give up and just use an external script for my ldaps testing?
ldaps isn't a standardised (RFC) LDAP feature, whereas STARTTLS is. I assume this could be a reason why Henrik initially didn't implement ldaps support, instead using ldaps:// to indicate STARTTLS.
We can consider implementing real ldaps support, but then we would need a different way to request STARTTLS support in ldap:// URLs in bb-hosts.
I will try and look at this, but to make sure it doesn't get lost, please log a feature request in the SF tracker (there is a link on http://sourceforge.net/projects/xymon/support).
Regards, Buchan
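The STARTTLS-versus-LDAPS distinction discussed above, as an added example. This is not Xymon's ldaptest.c and not code from anyone in the thread: it hand-builds the RFC 4511 StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037), decodes the server's ExtendedResponse, and then upgrades the *same* TCP socket to TLS, while the LDAPS probe wraps the socket in TLS before a single LDAP byte is sent. The host name ldap.example.org, the ports and the message IDs are assumptions, and the response bytes used for the offline check are constructed locally rather than captured from a real server.

```python
"""StartTLS on port 389 versus LDAPS on port 636 (added example, not Xymon code)."""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # StartTLS extended operation, RFC 4511 4.14

# --- minimal BER helpers, definite length only, enough for LDAP control messages ---

def _ber_len(n):
    """Short form below 128, long form (0x80 | byte count, then the length) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body

def _read_tlv(buf, pos=0):
    """Return (tag, contents, position after the element)."""
    if len(buf) < pos + 2:
        raise ValueError("truncated BER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

# --- both sides of the StartTLS extended operation ---

def starttls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }.
    0x77 = constructed APPLICATION 23, 0x80 = context-specific [0]; message_id must be < 128 here."""
    ext = _tlv(0x77, _tlv(0x80, STARTTLS_OID))
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + ext)

def extended_response(message_id, result_code, diagnostic=b"", response_name=STARTTLS_OID):
    """Server side, used to construct offline test data:
    ExtendedResponse [APPLICATION 24] { resultCode, matchedDN, diagnosticMessage, responseName [10] }."""
    body = (_tlv(0x0A, bytes([result_code])) + _tlv(0x04, b"") + _tlv(0x04, diagnostic)
            + _tlv(0x8A, response_name))
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x78, body))

def parse_extended_response(data):
    """Decode an ExtendedResponse. Anything else raises ValueError, including a TLS record,
    which is what an LDAPS-only port answers (if at all) to a cleartext LDAP request."""
    tag, msg, _ = _read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage (first byte 0x%02x)" % tag)
    tag, mid, pos = _read_tlv(msg)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x78:
        raise ValueError("protocolOp 0x%02x is not an ExtendedResponse" % tag)
    _, code, pos = _read_tlv(op)
    _, _matched_dn, pos = _read_tlv(op, pos)
    _, diag, pos = _read_tlv(op, pos)
    return {"message_id": int.from_bytes(mid, "big"),
            "result_code": int.from_bytes(code, "big"),
            "diagnostic": diag.decode("utf-8", "replace")}

# --- live probes (network access; not exercised by the offline check) ---

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ValueError("connection closed before a full LDAP message arrived")
        buf += chunk
    return buf

def _recv_ldap_message(sock):
    """Read one BER element: tag + length header first, then exactly the declared length."""
    head = _recv_exact(sock, 2)
    need = head[1]
    if need & 0x80:
        extra = _recv_exact(sock, need & 0x7F)
        head, need = head + extra, int.from_bytes(extra, "big")
    return head + _recv_exact(sock, need)

def probe_starttls(host, port=389, timeout=5.0):
    """Cleartext LDAP first, then TLS negotiated inside the same TCP connection."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout) as sock:
        sock.sendall(starttls_request())
        resp = parse_extended_response(_recv_ldap_message(sock))
        if resp["result_code"] != 0:   # 0 = success
            raise RuntimeError("StartTLS refused: %d %s" % (resp["result_code"], resp["diagnostic"]))
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()

def probe_ldaps(host, port=636, timeout=5.0):
    """TLS from the first byte; no LDAP is spoken before the handshake completes."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout) as sock, \
            ctx.wrap_socket(sock, server_hostname=host) as tls:
        return tls.version()

if __name__ == "__main__":
    for label, probe in (("starttls/389", probe_starttls), ("ldaps/636", probe_ldaps)):
        try:
            print(label, probe("ldap.example.org"))   # hypothetical host
        except (OSError, ValueError, RuntimeError) as exc:
            print(label, "failed:", exc)
```

Running both probes against one server makes the difference visible: a server that only offers LDAPS will reject the cleartext StartTLS request on 636 (or drop the connection), and a STARTTLS-only server has nothing listening on 636 at all, so the two checks are not interchangeable. The ssl module's default context verifies the certificate chain and host name, which a plain "is the port open" check, as suggested in the thread, cannot do.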