Matthew,
STARTTLS uses the normal ldap port rather than the ssl port. The initial handshake is done in clear text then the connection is 'upgraded' to ssl using the STARTTLS command within the original TCP connection.
I'm not sure how you tell Xymon to not use STARTTLS and instead use the SSL port. From a quick look at the surrounding code it doesn't look very obvious to me.
Actually, looking at the documentation I see: ...LDAP server that use the older non-standard method of tunnelling LDAP through SSL on port 636 will not work.
So it looks like the best you could do is check that the port is open and listening.
Brian
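To make the distinction Brian describes concrete, here is an added example (written for this thread; it is not Xymon code and not part of either message). It speaks just enough LDAP to probe both modes: a plain TCP connection on 389 that sends a hand-encoded StartTLS extended request and upgrades the same socket only if the server answers resultCode 0, and a TLS-first connection on 636 for the older LDAP-over-SSL style. Sending the StartTLS PDU to a port that expects a TLS handshake before any LDAP traffic gets no LDAP answer at all, which is the shape of the "Can't contact LDAP server" failure in the log below. The host name on the command line and the `ldap.example.invalid` fallback are placeholders; the two BER responses used for checking the parser are constructed by hand.

```python
"""Probe how an LDAP server offers TLS: STARTTLS (cleartext LDAP on 389,
upgraded in place) versus LDAPS (TLS negotiated before any LDAP PDU on 636).
Added example for this thread, not Xymon's own code."""
import socket
import ssl

LDAP_PORT = 389       # cleartext LDAP; STARTTLS upgrades this connection in place
LDAPS_PORT = 636      # TLS handshake happens before the first LDAP message
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended operation


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def build_starttls_request(msg_id: int = 1) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER,
                                  ExtendedRequest [APPLICATION 23] { requestName [0] LDAPOID } }"""
    assert 0 < msg_id < 0x80, "single-octet positive INTEGER keeps the encoder trivial"
    name = b"\x80" + _ber_len(len(STARTTLS_OID)) + STARTTLS_OID   # [0] context tag
    op = b"\x77" + _ber_len(len(name)) + name                      # APPLICATION 23
    body = b"\x02\x01" + bytes([msg_id]) + op
    return b"\x30" + _ber_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Read one BER TLV (single-octet tag, as all of LDAP uses) at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos += 2 + n
    return tag, buf[pos:pos + length], pos + length


def parse_starttls_result(resp: bytes) -> int:
    """Return the resultCode of an ExtendedResponse [APPLICATION 24]; 0 means TLS may start."""
    tag, msg, _ = _read_tlv(resp, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, _msg_id, pos = _read_tlv(msg, 0)
    op_tag, op, _ = _read_tlv(msg, pos)
    if op_tag != 0x78:
        raise ValueError("expected extendedResponse (APPLICATION 24)")
    rc_tag, rc, _ = _read_tlv(op, 0)
    if rc_tag != 0x0A:
        raise ValueError("expected ENUMERATED resultCode")
    return int.from_bytes(rc, "big")


def probe_starttls(host: str, port: int = LDAP_PORT, ctx=None, timeout: float = 5.0):
    """Cleartext connect, StartTLS request, then upgrade the *same* TCP connection.
    Returns (resultCode, negotiated TLS version or None)."""
    ctx = ctx or ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request())
        rc = parse_starttls_result(sock.recv(4096))
        if rc != 0:
            return rc, None
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return rc, tls.version()


def probe_ldaps(host: str, port: int = LDAPS_PORT, ctx=None, timeout: float = 5.0):
    """Old-style LDAP over SSL: TLS first, LDAP only inside the tunnel."""
    ctx = ctx or ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.invalid"  # placeholder host
    for label, fn in (("STARTTLS on 389", probe_starttls), ("LDAPS on 636", probe_ldaps)):
        try:
            print(label, "->", fn(target))
        except (OSError, ValueError, ssl.SSLError) as exc:
            print(label, "-> failed:", exc)
```

Run it as `python3 ldap_tls_probe.py your.ldap.host`; the default `ssl.create_default_context()` verifies the server certificate against the system trust store, so pass a context built with `cafile=` for an internal CA rather than disabling verification in a monitoring check.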
-----Original Message-----
From: Epp, Matthew Mr CTR USA USA [mailto:matthew.epp at us.army.mil]
Sent: Tuesday, 31 August 2010 3:25 AM
To: xymon at xymon.com
Subject: [xymon] bug in ldaptest.c
So it appears that there's a bug in part of the ldap testing code.
bbnet/ldaptest.c (lines 85-86):

    dbgprintf("Forcing port %d for ldaps with STARTTLS\n", LDAP_PORT );
    ludp->lud_port = LDAP_PORT;
Even if you're attempting an ldaps test with a specified port, the test is still only performing a 389 port test. I changed LDAP_PORT to LDAPS_PORT and recompiled, then tried an ldaps test again, however now it just doesn't appear to connect.
2010-08-27 16:06:45 Opening file /home/xymon/server/etc/bb-hosts
2010-08-27 16:06:45 Adding hostname 'x.x.x.x' to resolver queue
2010-08-27 16:06:45 Processing 1 DNS lookups with ARES
2010-08-27 16:06:45 Got DNS result for host x.x.x.x : 10.x.x.x
2010-08-27 16:06:45 Finished ARES queue after loop 2
2010-08-27 16:06:45 Concurrency evaluation: rlim_cur=1024, FD_SETSIZE=0, absmax=1024, initial=1014
2010-08-27 16:06:45 About to do 0 TCP tests running 256 in parallel, abs.max 1014
2010-08-27 16:06:45 TCP tests completed normally
2010-08-27 16:06:45 Forcing port 636 for ldaps with STARTTLS
2010-08-27 16:06:45 Initiating LDAP session for host x.x.x.x port 636
2010-08-27 16:06:45 Attempting to select LDAPv3
2010-08-27 16:06:45 Trying to enable TLS for session
2010-08-27 16:06:55 ldap_start_tls failed
URL : ldaps://x.x.x.x/ou=people,dc=x,dc=x,dc=x?dn?sub?uid=healthcheck
Time spent : 0.00
LDAP output: Can't contact LDAP server
The server I'm running the test against is Sun Directory 6.2, so should this test work, or should I give up and just use an external script for my ldaps testing?