On Thursday, 23 September 2010 14:18:51 Henrik Størner wrote:
In <201008311724.25873.bgmilne at staff.telkomsa.net> Buchan Milne <bgmilne at staff.telkomsa.net> writes:
ldaps isn't a standardised (RFC) LDAP feature, whereas STARTTLS is. I assume this could be a reason why Henrik initially didn't implement ldaps support, instead using ldaps:// to indicate STARTTLS.
We can consider implementing real ldaps support, but then we would need a different way to request STARTTLS support in ldap:// URLs in bb-hosts.
The major problem with this is that Xymon uses the OpenLDAP library to talk to the LDAP server (the LDAP protocol itself is a bit too complex for Xymon to do on its own). And OpenLDAP only supports the RFC-way of doing SSL.
This isn't true. Almost all LDAP client software (pam_ldap, nss_ldap, samba, freeradius, ldapsearch etc., apache mod_ldap, etc., to name a few) using OpenLDAP libldap (at least with OpenSSL, I'm not too familiar with OpenLDAP+gnutls) supports original Netscape-style ldaps (which is usually on port 636).
I can look at fixing this, but we need to decide if we are going to change to interpreting ldaps really as ldaps://, and how to distinguish ldap:// with STARTTLS.
Regards, Buchan
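To make the distinction the thread is wrestling with concrete, here is an added example (not Xymon's code, and not any syntax Xymon actually accepts) that maps a test spec to the three possible wire behaviours: ldaps:// as implicit TLS on 636, plain ldap:// on 389, and ldap:// followed by the StartTLS extended operation. The `;starttls` marker is a hypothetical stand-in for whatever option Xymon would eventually use to request StartTLS in bb-hosts.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


@dataclass(frozen=True)
class LdapTarget:
    host: str
    port: int
    implicit_tls: bool   # ldaps: TLS handshake happens before any LDAP message
    starttls: bool       # ldap: cleartext connect, then StartTLS extended op


def parse_ldap_test(spec: str) -> LdapTarget:
    """Turn a test spec into connection parameters.

    Accepts 'ldap://host[:port]' and 'ldaps://host[:port]'. A trailing
    ';starttls' token is a HYPOTHETICAL extension (not Xymon syntax) standing
    in for whatever marker would request StartTLS on an ldap:// URL.
    """
    url, _, option = spec.partition(";")
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("missing host")
    want_starttls = option.strip().lower() == "starttls"
    if option and not want_starttls:
        raise ValueError(f"unknown option: {option!r}")
    implicit = scheme == "ldaps"
    # StartTLS on an ldaps:// session makes no sense: the connection is already
    # TLS-protected, and RFC 4511 has the server refuse a second negotiation.
    if implicit and want_starttls:
        raise ValueError("starttls cannot be combined with ldaps://")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return LdapTarget(parts.hostname, port, implicit, want_starttls)


def describe(target: LdapTarget) -> str:
    """One-line summary of what the check would actually do on the wire."""
    if target.implicit_tls:
        mode = "TLS before any LDAP PDU (Netscape-style ldaps)"
    elif target.starttls:
        mode = "cleartext connect, then StartTLS extended operation"
    else:
        mode = "cleartext LDAP (bind credentials and results unencrypted)"
    return f"{target.host}:{target.port} -> {mode}"
```

The third branch of `describe` is the one a monitoring admin wants to notice: an ldap:// test with no StartTLS marker sends the bind in the clear.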