ldap proxy
A couple of weeks ago, I posted a message regarding an ldap proxy problem.
I got a few replies, mainly from some ldap vendors, pointing me to
their ldap proxy products. After I studied the product literature,
I realized that none of them satisfies my requirements. Let me recap
my original problem: how can I set up a proxy so that ldap clients
inside the firewall can connect to outside ldap servers via the proxy?

I guess I need to first throw in a few concepts of proxies in general.
A proxy is something that allows clients inside the firewall to connect
out. A reverse proxy is something that allows clients outside the firewall
to connect in. A proxy is usually regarded as an application-level firewall.
There are two categories: 1) application-specific proxies such as
HTTP proxy, telnet proxy, ftp proxy; 2) general-purpose proxies such as
SOCKS.

What I found from the existing proxy products:
1) most of the proxy products are reverse proxies, so it's not surprising
that they can offer features such as load balancing, because the scope of
the real ldap servers is well known beforehand. However, they can't
solve my problem.
2) some vendors confused the concepts of proxy and reverse proxy.
3) some proxy products are not really proxies; they actually function
as gateways to both LDAP and X.500 servers in the back.

In general, in an application-specific proxy, the client needs to be
proxy aware. For example, browsers are aware of the HTTP proxy protocol,
which is specified together with HTTP in the HTTP doc. So when there is an HTTP
proxy set up, and the browser needs to connect to www.foo.com, it connects
to the proxy and then tells the proxy "connect to www.foo.com and forward
my get/post commands".

So far, there is nothing similar in the LDAP spec. I am working on an
internet draft to address this issue. The basic idea is to take
advantage of LDAPv3's Control extension. Is anybody, especially
from the vendors, interested in pursuing this together?

Thanks

--Nick Zhang
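As an added illustration of the idea in the post (example code written for this page, not Nick Zhang's draft and not any vendor's product): a hypothetical LDAPv3 control that carries the outside server the client wants the forward proxy to reach, encoded in BER the way any control is, together with the allow-list check the proxy applies before connecting. The OID, the control's value layout, the host names and the allow-list are all assumptions constructed for the example.

```python
TARGET_CONTROL_OID = "1.3.6.1.4.1.99999.1"  # placeholder OID (assumption), not registered
ALLOWED_OUTSIDE_SERVERS = {("ldap.example.com", 389), ("ldap.example.com", 636)}  # constructed

def ber_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber_tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def encode_target_control(host, port, critical=True):
    """Control ::= SEQUENCE { controlType, criticality DEFAULT FALSE, controlValue };
    here controlValue wraps a hypothetical SEQUENCE { host OCTET STRING, port INTEGER }."""
    port_der = ber_tlv(0x02, port.to_bytes((port.bit_length() + 8) // 8, "big"))  # sign bit clear
    value = ber_tlv(0x30, ber_tlv(0x04, host.encode()) + port_der)
    inner = ber_tlv(0x04, TARGET_CONTROL_OID.encode())
    if critical:  # DER omits the DEFAULT FALSE field; a server that does not
        inner += ber_tlv(0x01, b"\xff")  # support a critical control must reject the request
    return ber_tlv(0x30, inner + ber_tlv(0x04, value))

def read_tlv(buf, pos=0):
    """Return (tag, payload, next_pos) for the TLV starting at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def decode_target_control(raw):
    tag, inner, _ = read_tlv(raw)
    t, oid, pos = read_tlv(inner)
    if tag != 0x30 or t != 0x04 or oid.decode() != TARGET_CONTROL_OID:
        raise ValueError("not the target-server control")
    critical, (tag, field, pos) = False, read_tlv(inner, pos)
    if tag == 0x01:  # criticality present
        critical, (tag, field, pos) = field != b"\x00", read_tlv(inner, pos)
    _, seq, _ = read_tlv(field)  # controlValue holds the inner SEQUENCE
    _, host, pos = read_tlv(seq)
    _, port, _ = read_tlv(seq, pos)
    return host.decode(), int.from_bytes(port, "big"), critical

def proxy_decision(raw_control):
    """The proxy's firewall role: connect only to allow-listed outside servers."""
    host, port, _ = decode_target_control(raw_control)
    allowed = (host.lower(), port) in ALLOWED_OUTSIDE_SERVERS
    return ("connect" if allowed else "refuse", host, port)
```

Marking the control critical is what makes a client proxy aware in practice: a plain LDAP server that does not recognise it must reject the request rather than quietly answer from its own directory.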