[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: LDAP access through HTTP-CONNECT

To: michael@stroeder.com
Subject: Re: LDAP access through HTTP-CONNECT
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Sat, 02 Jun 2001 08:39:43 -0700
Cc: openldap-software <openldap-software@OpenLDAP.org>
In-reply-to: <3B181FEB.91D6B774@stroeder.com>
References: <5.1.0.14.0.20010601092059.034b4390@127.0.0.1>

At 04:06 PM 6/1/2001, Michael Ströder wrote:
>"Kurt D. Zeilenga" wrote:
>> 
>> At 10:32 AM 5/31/01, Michael Ströder wrote:
>> >Sometimes it's handy for a LDAP client to access a LDAP server
>> >through a firewall's HTTP proxy.
>> 
>> I would hope that if the local security policy is to allow
>> connections to external directory services, that the local
>> administrator would implement that policy is a more efficient
>> manner than requiring use of a HTTP proxy.
>
>Although I already was in the role of a firewall admin I have to
>admit that I did not think from this point of view while writing my
>posting. Well, if a HTTP proxy allows HTTP-CONNECT e.g. for HTTP
>over SSL the firewall can be easily circumvented anyway without the
>admin noticing it at all.

Most HTTP-CONNECT proxies are able to restrict by IP address
and/or port.  Some HTTP-CONNECT proxies are able to restrict
sessions to TLS/SSL.  That is, they verify the first few
octets are TLS/SSL exchanges.

>> >This can be achieved by piping a
>> >TCP connection through a channel provided by the HTTP proxy. This
>> >pipe is requested with HTTP-CONNECT method.
>> 
>> There are numerous TCP proxy tools which support HTTP-CONNECT.
>
>I did not think about the firewall setup. I'm thinking from the LDAP
>client side. A TCP proxy has to be set up at the firewall and does a
>simple TCP connection mapping to a fixed target address:port.

No.  A TCP proxy w/ HTTP-CONNECT support can be setup on a local
workstation to proxy any TCP stream through an HTTP-CONNECT proxy.
Here the LDAP client connects to localhost:port which the TCP-proxy
forwards to the HTTP proxy which forwards to the LDAP server.

>The nice thing about a HTTP-CONNECT is that most times you don't
>have to bother the firewall admin ;-) and that you can open
>(LDAP-)connections to arbitrary targets.

Yes, given a path though one can tunnel...   Most most every
protocol which is allowed through, there is a general purpose
tool available for tunnelling through...  from is IP over DNS
to SSH to HTTP-CONNECT.   Such tunneling is best left outside
of specific protocols and protocol APIs and implemented in
more general ways (such as TCP proxies).

Kurt

Follow-Ups:
- Re: LDAP access through HTTP-CONNECT
  - From: Michael Ströder <michael@stroeder.com>

References:
- Re: LDAP access through HTTP-CONNECT
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- Re: LDAP access through HTTP-CONNECT
  - From: Michael Ströder <michael@stroeder.com>

Prev by Date: Undefined attribute type...
Next by Date: Re: LDAP access through HTTP-CONNECT
Index(es):
- Chronological
- Thread