
NAT & LDAP interactions...

Folks

Mark Wilcox & I have been discussing the issues in using
openldap/umich/nscape code for BER encoding/decoding to enable
NAT routers to do fixups of embedded ip addresses in LDAP message
streams.

Attached are our discussions; would you be able to comment
on them or suggest any alternative approaches to solve this problem?

Thanks much in advance.
-Murali
muraliv@cisco.com

> > 
> > Hi,
> > Yes I see your point. I've run into the same problem with a project I've been tackling
> > (adding a C backend to the currently pure Perl Convert::Ber Perl module).
> > 
> > To my rather layman's understanding of BER (while I do know a lot about LDAP, that
> > knowledge is concentrated more on how to use LDAP and not so much at the protocol
> > level), a vanilla BER function or API shouldn't be *that* difficult to write.
> > 
> > However, maybe there's another way of tackling this, and that's to make a sort of proxy
> > LDAP server. You could take the openLDAP server code and then modify the backend so that
> > the base LDAP server code decodes it for you, then you do whatever you need to do and
> > then you use the LDAP client APIs to reconstruct the message & resend it on. (though
> > how to do it quickly enough for NAT, I don't know. But that's why y'all make the big
> > bucks ;).
> > 
> > If you do decide to take on writing a generic BER API, I'll be happy to give it a test,
> > if you can release it outside of Cisco.
> > 
> > BTW, have you tried asking this question on the open-ldap general list? There's a lot
> > more talk like this going on there than on any of the Netscape newsgroups.
> > 
> > later,
> > 
> > Mark
> > 
> > 
> > Murali Venkateshaiah wrote:
> > 
> > > Hi
> > >
> > > Thanks for taking the time to reply. I have in fact been looking
> > > at nscp/openldap sources for ber functions. It's been quite
> > > hard to understand what's going on there. Also, the LDAPMessage
> > > structs seem to be quite hard-wired with BER funcs.
> > > I might have to decouple that and then use the ber functions
> > > standalone in my code.
> > >
> > > As for searching/replacing, your suggestion makes it easy, but
> > > if the embedded address OCTET STRING has to be replaced,
> > > the length fields need to be changed in many places in the
> > > packet, which means I'll have to decode the entire packet.
> > >
> > > What I was hoping was to be able to give a particular BER function
> > > the data packet, which will return me an LDAPMod struct with decoded
> > > values which I can search for easily. Once the replacement has
> > > been done, I need a BER function to encode the LDAPMod to a packet
> > > and give me a new packet. For some reason, I am unable to figure
> > > that out as easily :-)
> > >
> > > Any pointers will definitely help. Thanks so much in advance.
> > >
> > > -Murali
> > > muraliv@cisco.com
> > >
> > > >
> > > > Hi,
> > > > I saw your post on the newsgroup, sorry I haven't had a chance to reply sooner.
> > > >
> > > > I'm about as lost as you down at the protocol level. I've been delving into some
> > > > BER stuff lately as part of a future project, but have never actually done
> > > > anything "for real".
> > > >
> > > > However, there are BER routines in the LDAP API, both in the Mozilla/Netscape &
> > > > the openLDAP (which is the active version of the ol' uMich code). Also LDAP uses a
> > > > very restrictive part of the BER (e.g. they use only certain parts, there's a
> > > > maximum length on each element).
> > > >
> > > > So I don't think you'll need to write your own routines.
> > > >
> > > > There's not much documentation, however. The openLDAP site (www.openldap.org) has
> > > > a webified version of the lber.h manpage. It looks like you should be able to
> > > > use ber_scanf() to unencode a BER element and ber_printf() to encode a BER
> > > > element (note I'm going off memory so the actual names may vary ;). You can of
> > > > course look at the Mozilla and openLDAP source code to see how they encode/decode.
> > > >
> > > > Though if you're looking for a particular BER encoded value, it might be easier
> > > > (and quicker) to BER encode the client's IP address, then search the client's
> > > > messages for the matching value and replace that value, than decoding all of the
> > > > values & searching them.
> > > >
> > > > Mark
> > > >
> > > > Murali Venkateshaiah wrote:
> > > >
> > > > > Hi
> > > > >
> > > > > Since I have seen your responses often, I decided
> > > > > to send you email directly regarding NAT & LDAP
> > > > > interaction.
> > > > >
> > > > > NAT popularly stands for Network Address Translation.
> > > > > It sniffs IP packets, translates header information
> > > > > as well as any embedded IP address information, and
> > > > > reconstructs the packets.
> > > > >
> > > > > For NAT & LDAP to function transparently in a scenario
> > > > > such as the one below,
> > > > >
> > > > > ldapclient1
> > > > > ldapclient2----PrivateNet----NAT router----PublicNet----Directory/ldap clients
> > > > > ldapclient3
> > > > >
> > > > > NAT would have to understand the LDAP messages and translate
> > > > > client registration messages as necessary. For example, an ADD message
> > > > > containing ldapclient1's embedded IP address attribute should be
> > > > > translated to a public address as it goes out of a NAT router.
> > > > > So I am trying to understand all possible issues I would have
> > > > > to take care of to make this happen, and understand some
> > > > > LDAP nuances. Specifically, some questions are as follows:
> > > > > 1. NAT needs to parse a message. Does the Netscape SDK provide
> > > > >    APIs to get attributes and their values to do the parsing of
> > > > >    BER messages? Can I use them fairly easily?
> > > > > 2. I would also need to re-write the message: I need
> > > > >    to embed the new IP address info into the same packet, so I would
> > > > >    need APIs to replace/encode the message again?
> > > > > 3. Should I develop my own BER parsing schemes, if any?
> > > > >
> > > > > Any suggestions? Thanks much in advance.
> > > > > -Murali
> > > > > muraliv@cisco.com
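The length cascade Murali describes in the quoted exchange (replacing one embedded OCTET STRING changes every enclosing length field, so the message has to be decoded and re-encoded rather than patched in place), as an added Python example that is not code from this thread or from the OpenLDAP/Netscape libraries. It assumes a NAT mapping the constructed private address 10.0.0.5 to the constructed public address 198.51.100.7, and the AddRequest, attribute name and DN are likewise constructed.

```python
# Added example (not code from this thread or from OpenLDAP): a minimal BER codec
# showing why replacing one embedded address forces a full re-encode of the message.
def ber_decode(buf, pos=0):
    """Decode one TLV at pos -> (tag, value, next_pos). Constructed elements give
    a list of (tag, value) children, primitives give the raw content bytes."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if not tag & 0x20:                     # primitive element
        return tag, bytes(buf[pos:end]), end
    children = []
    while pos < end:                       # constructed element: decode children
        child_tag, child_val, pos = ber_decode(buf, pos)
        children.append((child_tag, child_val))
    return tag, children, end

def ber_encode(tag, value):
    """Encode a TLV, recomputing the length from the (possibly edited) content."""
    content = b"".join(ber_encode(t, v) for t, v in value) if tag & 0x20 else value
    n = len(content)
    if n < 0x80:                           # short-form length
        length = bytes([n])
    else:                                  # long-form length
        size = (n.bit_length() + 7) // 8
        length = bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + content

def nat_fixup(message, private_ip, public_ip):
    """Decode an LDAP message, swap every OCTET STRING equal to private_ip for
    public_ip, and re-encode so that all enclosing length fields are corrected."""
    def rewrite(tag, value):
        if tag & 0x20:
            return tag, [rewrite(t, v) for t, v in value]
        if tag == 0x04 and value == private_ip:   # OCTET STRING holding the address
            return tag, public_ip
        return tag, value
    tag, value, _ = ber_decode(message)
    return ber_encode(*rewrite(tag, value))

# Constructed sample LDAPMessage { messageID 1, AddRequest { dn, attribute list } }.
# 0x30 = SEQUENCE, 0x31 = SET, 0x68 = [APPLICATION 8] constructed (AddRequest).
SAMPLE = ber_encode(0x30, [(0x02, b"\x01"), (0x68, [
    (0x04, b"cn=ldapclient1,dc=example,dc=com"),
    (0x30, [(0x30, [(0x04, b"ipHostNumber"), (0x31, [(0x04, b"10.0.0.5")])])]),
])])
```

Running `nat_fixup(SAMPLE, b"10.0.0.5", b"198.51.100.7")` grows the packet by four bytes and updates the SET, both SEQUENCE, AddRequest and outer LDAPMessage lengths, which is exactly the work a byte-level search-and-replace would skip.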