Re: LDAP access through HTTP-CONNECT
"Kurt D. Zeilenga" wrote:
>
> At 10:32 AM 5/31/01, Michael Ströder wrote:
> >Sometimes it's handy for a LDAP client to access a LDAP server
> >through a firewall's HTTP proxy.
>
> I would hope that if the local security policy is to allow
> connections to external directory services, that the local
> administrator would implement that policy in a more efficient
> manner than requiring use of a HTTP proxy.

Although I already was in the role of a firewall admin I have to
admit that I did not think from this point of view while writing my
posting. Well, if a HTTP proxy allows HTTP-CONNECT e.g. for HTTP
over SSL the firewall can be easily circumvented anyway without the
admin noticing it at all.

> >This can be achieved by piping a
> >TCP connection through a channel provided by the HTTP proxy. This
> >pipe is requested with HTTP-CONNECT method.
>
> There are numerous TCP proxy tools which support HTTP-CONNECT.

I did not think about the firewall setup. I'm thinking from the LDAP
client side. A TCP proxy has to be set up at the firewall and does a
simple TCP connection mapping to a fixed target address:port.

The nice thing about a HTTP-CONNECT is that most times you don't
have to bother the firewall admin ;-) and that you can open
(LDAP-)connections to arbitrary targets.

> >Is or will this be possible with OpenLDAP 2 libs?
>
> No.
>
> >Any other LDAP libs capable of this?
>
> Not that I am aware of.

It's a pity...

Ciao, Michael.
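
The thread notes that a proxy permitting HTTP-CONNECT lets clients open connections to arbitrary targets without the admin noticing. The following is an added example, not part of the original posts or of OpenLDAP: a check a proxy administrator could run over access logs to surface CONNECT tunnels to non-HTTPS ports such as LDAP. It assumes Squid's native access.log layout and a CONNECT allowlist of port 443 only; the log lines are constructed and the function names are hypothetical.

```python
# Added example: flag HTTP CONNECT tunnels to ports outside an allowlist.
# Log lines are constructed samples in Squid's native access.log layout:
# time elapsed client action/status bytes method URL ident hierarchy type
ALLOWED_CONNECT_PORTS = {443}            # assumed policy: HTTPS only
LDAP_PORTS = {389: "ldap", 636: "ldaps"}

SAMPLE_LOG = """\
991305120.101    210 10.0.0.15 TCP_MISS/200 5120 GET http://www.example.org/ - DIRECT/192.0.2.80 text/html
991305121.342   1840 10.0.0.15 TCP_MISS/200 7314 CONNECT shop.example.org:443 - DIRECT/192.0.2.81 -
991305125.007  60233 10.0.0.22 TCP_MISS/200 48211 CONNECT ldap.example.net:389 - DIRECT/198.51.100.7 -
991305130.554     12 10.0.0.22 TCP_DENIED/403 1021 CONNECT ldap.example.net:636 - NONE/- text/html
991305131.000 this line is truncated
991305140.910  30511 10.0.0.31 TCP_MISS/200 9920 CONNECT [2001:db8::5]:8443 - DIRECT/2001:db8::5 -
"""

def parse_connect(line):
    """Return (client, target, port, status) for a CONNECT entry, else None."""
    f = line.split()
    if len(f) < 7 or f[5] != "CONNECT":
        return None
    _host, sep, port = f[6].rpartition(":")  # rpartition keeps IPv6 literals intact
    if not sep or not port.isdigit():
        return None
    return f[2], f[6], int(port), f[3].partition("/")[2]

def find_suspect_tunnels(log_text, allowed=ALLOWED_CONNECT_PORTS):
    """List CONNECT requests whose target port is not in the allowlist."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_connect(line)
        if entry is None:
            continue                         # not a CONNECT, or malformed line
        client, target, port, status = entry
        if port in allowed:
            continue
        findings.append({
            "client": client, "target": target,
            "service": LDAP_PORTS.get(port, "unknown"),
            "established": status.startswith("2"),  # 2xx: tunnel was opened
        })
    return findings

if __name__ == "__main__":
    for hit in find_suspect_tunnels(SAMPLE_LOG):
        print(hit)
```

Entries with `established` set to false are attempts the proxy already refused; the ones set to true are tunnels that were opened and merit follow-up.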