[Pkg-nagios-devel] Bug#730471: Bug#730471: check_ldaps actually tries STARTTLS

Jan Wagner waja at cyconet.org
Sun Dec 1 13:10:00 UTC 2013



tags 730471 + wontfix
thanks

Dear Daniel,

thanks for taking time to report this issue.

On 25.11.13 12:24, Daniel Pocock wrote:
> Consider the following:
> 
> # /usr/lib/nagios/plugins/check_ldaps -H ldap -b dc=example,dc=org 
> Could not init startTLS at port 389!
> 
> It is actually trying to do STARTTLS on port 389 - that is not the
> same as ldaps
> 
> The name "check_ldaps" implies ldaps://
> 
> ldaps is not STARTTLS,
> 
> - ldaps is an SSL encrypted session from the beginning (STARTTLS
> implies enabled encryption after some initial LDAP handshaking)
> 
> - it should default to port 636

This is all true, but the problem is, changing it to the correct
behavior will break all the existing configurations, even if they have
worked around it (via check_ldaps).
The probable upstream fix (when breaking backward compatibility) for
this would be to remove check_ldaps completely, as check_ldap supports
all of this:

" -T [--starttls]
    use starttls mechanism introduced in protocol version 3
 -S [--ssl]
    use ldaps (ldap v2 ssl method). this also sets the default port to
636"

I guess I will adjust /etc/nagios-plugins/config/ldap.cfg to use
check_ldap instead of check_ldaps soon.

Warm wishes, Jan.
-- 
Never write mail to <waja at spamfalle.info>, you have been warned!
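As an added illustration (not part of Jan's mail or of the nagios-plugins package), a small Python script that finds Nagios command definitions invoking check_ldaps and rewrites them to the explicit check_ldap flags quoted above: -T keeps what check_ldaps currently does (STARTTLS on 389), -S gives the ldaps behaviour the name implies (TLS from the start, port 636). The sample config, the plugin path and the $ARG$ macros are constructed for the example; the file format is assumed to be ordinary Nagios "define command" blocks.

```python
import re

# Constructed sample in the style of a Nagios command file; not the real
# /etc/nagios-plugins/config/ldap.cfg shipped by Debian.
SAMPLE_CFG = """\
# 'check_ldaps' command definition
define command{
\tcommand_name\tcheck_ldaps
\tcommand_line\t/usr/lib/nagios/plugins/check_ldaps -H '$HOSTADDRESS$' -b '$ARG1$'
}

define command{
\tcommand_name\tcheck_ldap
\tcommand_line\t/usr/lib/nagios/plugins/check_ldap -H '$HOSTADDRESS$' -b '$ARG1$'
}
"""

# Matches the check_ldaps binary (with optional directory) followed by an argument.
PLUGIN_RE = re.compile(r"(?P<dir>(?:\S*/)?)check_ldaps(?=\s)")

# Flags from the check_ldap help text quoted in the mail.
MODE_FLAGS = {"starttls": "-T", "ldaps": "-S"}


def parse_commands(cfg_text):
    """Return {command_name: command_line} for every 'define command' block."""
    commands = {}
    for body in re.findall(r"define\s+command\s*\{(.*?)\}", cfg_text, re.S):
        fields = dict(re.findall(r"^\s*(command_name|command_line)\s+(.+?)\s*$", body, re.M))
        if "command_name" in fields and "command_line" in fields:
            commands[fields["command_name"]] = fields["command_line"]
    return commands


def uses_check_ldaps(command_line):
    """True if the command line runs check_ldaps, i.e. silently does STARTTLS on 389."""
    return PLUGIN_RE.search(command_line) is not None


def rewrite_command_line(command_line, mode):
    """Replace check_ldaps with check_ldap plus the flag that makes the intent explicit."""
    flag = MODE_FLAGS[mode]
    return PLUGIN_RE.sub(lambda m: f"{m.group('dir')}check_ldap {flag}", command_line, count=1)


def rewritten_config(cfg_text, mode="ldaps"):
    """Return the config with every command_line that calls check_ldaps rewritten."""
    out = []
    for line in cfg_text.splitlines():
        if re.match(r"\s*command_line\s", line):
            line = rewrite_command_line(line, mode)
        out.append(line)
    return "\n".join(out) + "\n"
```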



More information about the Pkg-nagios-devel mailing list