
Re: LDAP access through HTTP-CONNECT



"Kurt D. Zeilenga" wrote:
> 
> Most HTTP-CONNECT proxies are able to restrict by IP address
> and/or port.  Some HTTP-CONNECT proxies are able to restrict
> sessions to TLS/SSL.  That is, they verify the first few
> octets are TLS/SSL exchanges.

<off-topic>
Food for thought:
pppd -> stunnel -c -> HTTP proxy -> stunnel (port 443) -> pppd
Et voila! Show me the proxy admin who permits HTTP connect but
prevents you from accessing SSL port 443.

Kids! Don't try this at work! ;-)
</off-topic>

> No.  A TCP proxy w/ HTTP-CONNECT support can be setup on a local
> workstation to proxy any TCP stream through an HTTP-CONNECT proxy.

It seems that I got you slightly wrong. But nevertheless it's a
fixed setup to a certain connection.

> Here the LDAP client connects to localhost:port which the TCP-proxy
> forwards to the HTTP proxy which forwards to the LDAP server.

Yes, but I'd like to implement a client which can use the proxy
without installing anything else. I already thought about
automatically starting a forwarding TCP proxy daemon with support for
HTTP-CONNECT, but this opens a security hole to a local attacker
because I can't imagine a generic way to protect the local proxy
daemon from being accessed by another process on this machine.

> Such tunneling is best left outside
> of specific protocols and protocol APIs and implemented in
> more general ways (such as TCP proxies).

I disagree. IMHO some sort of proxy support for LDAP connections
should be part of the client lib to make sure that the LDAP
connection end-point is really accessible solely for the LDAP
application which opened the connection.

Ciao, Michael.
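The two points argued above (a CONNECT handshake that a per-port restricting proxy can still police, and Michael's preference for doing that handshake inside the client process rather than through a locally listening forwarder) can be shown in a few dozen lines. The following is an added example, not code from this thread, from Kurt, Michael or OpenLDAP: the client performs the RFC 7231 CONNECT exchange on its own socket, so the tunnelled endpoint never exists as a local port that another process could reach. The `fake_proxy` and the host name `ldap.example.com` are constructed stand-ins for the test; the proxy only allows port 636, mirroring the per-port restriction Kurt describes.

```python
"""In-process HTTP CONNECT tunnel for an LDAP client (added example).

Rather than spawning a local forwarding daemon that any process on the
machine could connect to, the client speaks CONNECT to the HTTP proxy on
a socket it owns. After a 2xx reply the same socket carries the raw TCP
stream to the LDAP server, and nothing else on the host can attach to it.
"""
import socket
import threading


def build_connect_request(host: str, port: int) -> bytes:
    """CONNECT request in authority form; the Host header must match."""
    authority = f"{host}:{port}"
    return (
        f"CONNECT {authority} HTTP/1.1\r\n"
        f"Host: {authority}\r\n"
        "\r\n"
    ).encode("ascii")


def read_http_head(sock: socket.socket, limit: int = 8192):
    """Read up to and including the blank line that ends the proxy's headers.

    Returns (head, leftover): bytes after the blank line already belong to
    the tunnelled stream and must not be discarded. 'limit' bounds buffering
    so a misbehaving proxy cannot make the client read forever.
    """
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(1024)
        if not chunk:
            raise ConnectionError("proxy closed the connection during CONNECT")
        buf += chunk
        if len(buf) > limit:
            raise ConnectionError("CONNECT response headers too large")
    head, _, leftover = buf.partition(b"\r\n\r\n")
    return head, leftover


def parse_connect_status(head: bytes) -> int:
    """Return the numeric status code from the proxy's status line."""
    status_line = head.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError(f"malformed status line: {status_line!r}")
    return int(parts[1])


def open_connect_tunnel(proxy_sock: socket.socket, host: str, port: int) -> bytes:
    """Perform the CONNECT handshake on an already connected proxy socket.

    On success the socket is now the LDAP transport; the returned bytes are
    any data the proxy forwarded before we finished reading its headers.
    """
    proxy_sock.sendall(build_connect_request(host, port))
    head, leftover = read_http_head(proxy_sock)
    status = parse_connect_status(head)
    if not 200 <= status < 300:
        raise ConnectionError(f"proxy refused CONNECT to {host}:{port}: {status}")
    return leftover


def fake_proxy(sock: socket.socket, allowed_ports=(636,)) -> None:
    """Constructed stand-in for the HTTP proxy, restricting by target port."""
    head, _ = read_http_head(sock)
    target = head.split(b" ", 2)[1].decode("ascii")
    port = int(target.rsplit(":", 1)[1])
    if port in allowed_ports:
        sock.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
    else:
        sock.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")
    sock.close()


def demo(port: int) -> bytes:
    """Run the handshake against the constructed proxy over a socketpair."""
    client_side, proxy_side = socket.socketpair()
    worker = threading.Thread(target=fake_proxy, args=(proxy_side,))
    worker.start()
    try:
        # ldap.example.com is a placeholder; the fake proxy never resolves it.
        return open_connect_tunnel(client_side, "ldap.example.com", port)
    finally:
        worker.join()
        client_side.close()


if __name__ == "__main__":
    print("CONNECT to :636 ->", demo(636))      # tunnel established
    try:
        demo(389)                                # blocked by the proxy policy
    except ConnectionError as exc:
        print("CONNECT to :389 ->", exc)
```

Because the handshake happens on the client's own socket, the proxy's restrictions (by address, by port, or by inspecting the first octets for a TLS ClientHello) apply exactly as they would to any other CONNECT user, while the local-attacker exposure of a listening forwarder disappears.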