Hi,
On Thu, Jun 16, 2011 at 02:48:02PM -0400, Walck, Christopher wrote:
> Hi all,
>
> Does anyone know where ' ldap-check' derives the bind DN?
>
> Looking at a packet capture, I see the check is sending the bind DN of "<ROOT>". I believe this is the reason that the check is failing for me.
The request is hard-coded in include/common/defaults.h :
#define DEF_LDAP_CHECK_REQ "\x30\x0c\x02\x01\x01\x60\x07\x02\x01\x03\x04\x00\x80\x00"
As I'm not a native LDAP speaker, I can't tell you what it does exactly, however the commit says this :
commit b76b44c6fed8a7ba6f0f565dd72a9cb77aaeca7c Author: Gabor Lekeny <gabor.lekeny#gmail.com> Date: Wed Sep 29 18:17:05 2010 +0200
[MINOR] checks: add support for LDAPv3 health checks
This patch provides a new "option ldap-check" statement to enable server health checks based on LDAPv3 bind requests.
and the doc says this :
It is possible to test that the server correctly talks LDAPv3 instead of just testing that it accepts the TCP connection. When this option is set, an LDAPv3 anonymous simple bind message is sent to the server, and the response is analyzed to find an LDAPv3 bind response message.
The server is considered valid only when the LDAP response contains success resultCode (http://tools.ietf.org/html/rfc4511#section-4.1.9).
So I think the DN is not mandatory for an anonymous bind request. If you manage to make the check work by slightly modifying it, it might be worth adding a configurable parameter.
Alternatively, maybe the response you get from the server could be indicative of a working LDAP service which simply refuses the bind request, so we could also relax the response check.
I'm CCing Gabor who authored the patch, maybe he has more insightful ideas on the subject.
Regards,
Willy
Received on 2011/06/16 21:19
This archive was generated by hypermail 2.2.0 : 2011/06/16 21:30 CEST