
Re: LDAP access through HTTP-CONNECT

At 04:06 PM 6/1/2001, Michael Ströder wrote:
>"Kurt D. Zeilenga" wrote:
>> At 10:32 AM 5/31/01, Michael Ströder wrote:
>> >Sometimes it's handy for a LDAP client to access a LDAP server
>> >through a firewall's HTTP proxy.
>> I would hope that if the local security policy is to allow
>> connections to external directory services, that the local
>> administrator would implement that policy in a more efficient
>> manner than requiring use of a HTTP proxy.
>Although I already was in the role of a firewall admin I have to
>admit that I did not think from this point of view while writing my
>posting. Well, if a HTTP proxy allows HTTP-CONNECT e.g. for HTTP
>over SSL the firewall can be easily circumvented anyway without the
>admin noticing it at all.

Most HTTP-CONNECT proxies are able to restrict by IP address
and/or port.  Some HTTP-CONNECT proxies are able to restrict
sessions to TLS/SSL.  That is, they verify the first few
octets are TLS/SSL exchanges.

>> >This can be achieved by piping a
>> >TCP connection through a channel provided by the HTTP proxy. This
>> >pipe is requested with HTTP-CONNECT method.
>> There are numerous TCP proxy tools which support HTTP-CONNECT.
>I did not think about the firewall setup. I'm thinking from the LDAP
>client side. A TCP proxy has to be set up at the firewall and does a
>simple TCP connection mapping to a fixed target address:port.

No.  A TCP proxy w/ HTTP-CONNECT support can be setup on a local
workstation to proxy any TCP stream through an HTTP-CONNECT proxy.
Here the LDAP client connects to localhost:port which the TCP-proxy
forwards to the HTTP proxy which forwards to the LDAP server.

>The nice thing about a HTTP-CONNECT is that most times you don't
>have to bother the firewall admin ;-) and that you can open
>(LDAP-)connections to arbitrary targets.

Yes, given a path through, one can tunnel...   For most every
protocol which is allowed through, there is a general purpose
tool available for tunnelling through...  from IP over DNS
to SSH to HTTP-CONNECT.   Such tunneling is best left outside
of specific protocols and protocol APIs and implemented in
more general ways (such as TCP proxies).
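As an added illustration of the proxy-side controls mentioned above (this is not code from the thread, from OpenLDAP, or from any particular proxy product), the following Python shows the two checks a CONNECT proxy can apply: restrict the destination port, and verify that the first octets the client sends are a TLS ClientHello rather than some other protocol. The byte strings are constructed samples; the policy structure, function names and the port list are assumptions for the example.

```python
"""
CONNECT-tunnel policy check: port restriction plus a "first octets are TLS"
check, as described in the thread. Added example, not proxy or OpenLDAP code.
"""
from dataclasses import dataclass
from typing import FrozenSet, Tuple

TLS_RECORD_HANDSHAKE = 0x16      # TLS record-layer content type: handshake
TLS_HANDSHAKE_CLIENT_HELLO = 0x01  # handshake message type: ClientHello
TLS_MAX_PLAINTEXT_RECORD = 16384   # 2**14, maximum plaintext record length


@dataclass(frozen=True)
class ConnectPolicy:
    """What the proxy allows for CONNECT tunnels (assumed structure)."""
    allowed_ports: FrozenSet[int]
    require_tls: bool


# Assumed default policy: CONNECT only to 443 and only if the stream looks like TLS.
DEFAULT_POLICY = ConnectPolicy(allowed_ports=frozenset({443}), require_tls=True)


def looks_like_tls_client_hello(first_bytes: bytes) -> bool:
    """Return True if the bytes begin with a TLS record carrying a ClientHello.

    Record header: content type (1) | version (2) | length (2).
    Handshake header: msg type (1) | length (3).
    Only the fixed-position fields are inspected; this is a cheap sanity
    check on the first octets, not a full TLS parser.
    """
    if len(first_bytes) < 6:
        return False
    content_type, ver_major, ver_minor = first_bytes[0], first_bytes[1], first_bytes[2]
    if content_type != TLS_RECORD_HANDSHAKE:
        return False
    # SSL 3.0 through TLS 1.3 all put 3.x in the record-layer version field.
    if ver_major != 0x03 or ver_minor > 0x04:
        return False
    record_len = int.from_bytes(first_bytes[3:5], "big")
    if record_len == 0 or record_len > TLS_MAX_PLAINTEXT_RECORD:
        return False
    return first_bytes[5] == TLS_HANDSHAKE_CLIENT_HELLO


def connect_decision(host: str, port: int, first_bytes: bytes,
                     policy: ConnectPolicy = DEFAULT_POLICY) -> Tuple[bool, str]:
    """Decide whether a CONNECT host:port tunnel may proceed.

    Returns (allowed, reason); the reason is what the proxy would log.
    """
    if port not in policy.allowed_ports:
        return False, "CONNECT %s:%d denied: port not permitted" % (host, port)
    if policy.require_tls and not looks_like_tls_client_hello(first_bytes):
        return False, "CONNECT %s:%d denied: first octets are not a TLS ClientHello" % (host, port)
    return True, "CONNECT %s:%d allowed" % (host, port)


# Constructed samples (not captured traffic):
# first 11 octets of a TLS 1.2 ClientHello record
SAMPLE_TLS_CLIENT_HELLO = bytes.fromhex("160301" "00c4" "01" "0000c0" "0303")
# a complete LDAPv3 anonymous simple BindRequest (BER: SEQUENCE { msgID 1, [APPLICATION 0] ... })
SAMPLE_LDAP_BIND_REQUEST = bytes.fromhex("300c020101" "6007020103040080" "00")


if __name__ == "__main__":
    for host, port, payload in (
        ("www.example.org", 443, SAMPLE_TLS_CLIENT_HELLO),
        ("www.example.org", 443, SAMPLE_LDAP_BIND_REQUEST),
        ("ldap.example.org", 389, SAMPLE_LDAP_BIND_REQUEST),
    ):
        allowed, reason = connect_decision(host, port, payload)
        print("%-5s %s" % ("ALLOW" if allowed else "DENY", reason))
```

The second sample is what a plain LDAP client would send first: a BER SEQUENCE starting with 0x30, which fails the TLS check even when the destination port is permitted. As the thread notes, this only inspects the first octets; a stream that really is TLS (for example LDAP over TLS to an allowed port) passes, so the check narrows what a tunnel can carry rather than eliminating tunneling.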