
Re: LDAP access through HTTP-CONNECT
On Sun, Jun 03, 2001 at 10:53:14AM +0200, Michael Ströder wrote:
> "Kurt D. Zeilenga" wrote:
> Yes, but I'd like to implement a client which can use the proxy
> without installing anything else. I already thought about
> automatically starting a forwarding TCP proxy demon with support for
> HTTP-CONNECT but this opens a
> security hole to a local attacker because I can't imagine a generic
> way to protect the local proxy demon from being accessed by another
> process on this machine.

There might be ways to check the uid of the process for instance. You
could have some sort of authentication, but I'm not sure if I get this,
why do you care if some other process uses it? Someone else could set
up a proxy of their own.

> 
> > Such tunneling is best left outside
> > of specific protocols and protocol APIs and implemented in
> > more general ways (such as TCP proxies).
> 
> I disagree. IMHO some sort of proxy support for LDAP connections

I agree with Kurt.

> should be part of the client lib to make sure that the LDAP
> connection end-point is really accessible solely for the LDAP
> application which opened the connection.

Don't think I understand this, or if I do, I don't understand how it
relates. If you are thinking of another application/process in some way
using the same TCP connection, then my answer is that the server
shouldn't need to care. The client operating system should take care
of this. If you have a proxy you need to trust the proxy anyway. Perhaps
TLS can be of help?

Stig
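The two guards Stig alludes to above (checking the uid of the connecting process, and keeping the local forwarder from being a generic open port) can both be applied to a small HTTP-CONNECT forwarder. The following is an added example written for this thread, not code from either poster or from any LDAP library: it listens on a mode-0600 AF_UNIX socket instead of a TCP port, verifies the caller's uid with the Linux-specific SO_PEERCRED option on every accepted connection, and only then opens a CONNECT tunnel to the upstream proxy. The proxy address, socket path and LDAP host are assumed values; `build_connect_request`, `parse_connect_response`, `peer_uid`, `peer_allowed`, `open_tunnel` and `serve` are names chosen here.

```python
"""Local HTTP-CONNECT forwarder usable only by the user who started it.

Added example for the thread above; hypothetical names and addresses.
The uid check relies on SO_PEERCRED, which exists on Linux AF_UNIX sockets.
"""
import os
import socket
import struct
import threading


def build_connect_request(host, port):
    """HTTP/1.1 CONNECT request asking the proxy to open a raw TCP tunnel."""
    target = f"{host}:{port}"
    return f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii")


def parse_connect_response(raw):
    """Return (accepted, leftover).

    accepted is True only for a 2xx status line; leftover is whatever
    followed the header block and already belongs to the tunnelled stream.
    """
    head, sep, leftover = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete CONNECT response")
    status_line = head.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        raise ValueError("malformed status line: %r" % status_line)
    return 200 <= int(parts[1]) < 300, leftover


def peer_uid(conn):
    """uid of the process on the other end of an AF_UNIX socket (Linux)."""
    fmt = "3i"  # struct ucred: pid, uid, gid
    creds = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize(fmt))
    _pid, uid, _gid = struct.unpack(fmt, creds)
    return uid


def peer_allowed(uid, owner_uid=None):
    """Only the user who started the daemon may use the forwarder."""
    return uid == (os.getuid() if owner_uid is None else owner_uid)


def pump(src, dst):
    """Copy bytes one way until EOF, then shut both sockets down."""
    try:
        while True:
            chunk = src.recv(65536)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass


def open_tunnel(proxy_addr, host, port):
    """Connect to the HTTP proxy, issue CONNECT, return (socket, leftover bytes)."""
    s = socket.create_connection(proxy_addr)
    s.sendall(build_connect_request(host, port))
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = s.recv(4096)
        if not chunk:
            s.close()
            raise ConnectionError("proxy closed the connection during CONNECT")
        buf += chunk
    ok, leftover = parse_connect_response(buf)
    if not ok:
        s.close()
        raise ConnectionError("proxy refused CONNECT: %r" % buf.split(b"\r\n", 1)[0])
    return s, leftover


def serve(sock_path, proxy_addr, host, port, owner_uid=None):
    """Accept on a 0600 Unix socket and forward each caller through the proxy."""
    if os.path.exists(sock_path):
        os.unlink(sock_path)
    old_umask = os.umask(0o177)  # socket node is created 0600: first guard
    try:
        listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        listener.bind(sock_path)
    finally:
        os.umask(old_umask)
    listener.listen(8)
    while True:
        conn, _ = listener.accept()
        if not peer_allowed(peer_uid(conn), owner_uid):  # kernel-backed second guard
            conn.close()
            continue
        try:
            upstream, leftover = open_tunnel(proxy_addr, host, port)
        except OSError:
            conn.close()
            continue
        if leftover:
            conn.sendall(leftover)
        threading.Thread(target=pump, args=(conn, upstream), daemon=True).start()
        threading.Thread(target=pump, args=(upstream, conn), daemon=True).start()


if __name__ == "__main__":
    # Assumed values: an upstream proxy on localhost:3128 and an LDAP server.
    serve("/tmp/ldap-connect.sock", ("127.0.0.1", 3128), "ldap.example.com", 389)
```

The Unix socket removes the "any local process can reach the TCP port" problem that the original poster worried about, and the SO_PEERCRED check catches the case where the socket node is reachable anyway (a shared directory, a too-permissive umask elsewhere). The proxy only relays opaque bytes after the 2xx, so the LDAP client can still negotiate TLS end to end across the tunnel, which is the point Stig raises about trusting the proxy.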