jfroebe has asked for the wisdom of the Perl Monks concerning the following question:

Hi again, :)

I'm trying to make heads or tails of Net::LDAP for the creation of a passthru gateway to an LDAP server. I'm kinda stuck with my brain in neutral but here it goes:

I have a 3rd party application that authenticates against an LDAP server. The application does not support SSL or any sort of encrypted communications to the LDAP server. The perl script would act as a passthru gateway but would capture the ldap query and responses.

My goal is to prove to the vendor that supporting SSL is a good thing.

I'm assuming I need to start off with Net::LDAP::Control but I'm not certain. Am I completely off my rocker and totally caffeine deprived or am I on the right track?

UPDATE: After extensive googling, I ran across LDAP-interop OpenLDAP Perl Backend which describes a perl based LDAP proxy. hmmm. I'm starting to think I could just listen on a port and forward the data stream verbatim to the LDAP server and to a file. I'll post the code in the code section for the ldap passthru gateway (used for diagnostic purposes).

Jason L. Froebe

Team Sybase member

No one has seen what you have seen, and until that happens, we're all going to think that you're nuts. - Jack O'Neil, Stargate SG-1
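One way to build the diagnostic gateway sketched in the update above: a single-process TCP forwarder that listens on a local port, copies every byte verbatim to the real LDAP server and back, and writes what it sees to a log file and STDOUT. This is an added example, not the poster's forthcoming code; it assumes the listen port, upstream host/port and log file are passed on the command line (the defaults are placeholders). It goes one step beyond a raw byte dump: it decodes just enough BER to recognise an LDAP BindRequest and logs the bind DN and the password length, which documents the cleartext exposure without copying the secret into the log.

```perl
#!/usr/bin/perl
# ldap_passthru.pl - diagnostic TCP passthru gateway for an LDAP server.
# Forwards every byte verbatim both ways, logs the stream to a file and STDOUT,
# and flags simple binds so the log shows the credentials crossed in cleartext.
use strict;
use warnings;
use IO::Handle;
use IO::Select;
use IO::Socket::INET;

# Hypothetical defaults, overridden by: ldap_passthru.pl LISTEN_PORT LDAP_HOST LDAP_PORT LOGFILE
my ($listen_port, $ldap_host, $ldap_port, $logfile) = @ARGV;
$listen_port ||= 3389;
$ldap_host   ||= 'ldap.example.invalid';   # placeholder upstream server
$ldap_port   ||= 389;
$logfile     ||= 'ldap-passthru.log';

open my $log, '>>', $logfile or die "cannot open $logfile: $!";
$log->autoflush(1);
STDOUT->autoflush(1);

# One timestamped line to the log file and to STDOUT.
sub logline {
    my ($msg) = @_;
    my $line = sprintf "%s %s\n", scalar localtime, $msg;
    print $log $line;
    print $line;
}

# Hex rendering of the first 32 bytes of a chunk, enough to recognise it in the log.
sub hexdump {
    my ($data) = @_;
    my $hex = join ' ', map { sprintf '%02x', $_ } unpack('C*', substr($data, 0, 32));
    return length($data) > 32 ? "$hex ..." : $hex;
}

# Minimal BER TLV reader: (tag, value, offset after the element), or () if truncated.
sub ber_tlv {
    my ($buf, $off) = @_;
    return if $off + 2 > length $buf;
    my $tag = ord(substr($buf, $off, 1));
    my $len = ord(substr($buf, $off + 1, 1));
    my $pos = $off + 2;
    if ($len & 0x80) {                                   # long-form length
        my $n = $len & 0x7f;
        return if $n == 0 || $n > 4 || $pos + $n > length $buf;
        $len = 0;
        $len = ($len << 8) | ord(substr($buf, $pos++, 1)) for 1 .. $n;
    }
    return if $pos + $len > length $buf;
    return ($tag, substr($buf, $pos, $len), $pos + $len);
}

# Describe the chunk if it is a complete LDAP BindRequest, else undef (caller hex-dumps).
sub describe_bind {
    my ($data) = @_;
    my ($tag, $msg) = ber_tlv($data, 0);
    return unless defined $tag && $tag == 0x30;          # LDAPMessage SEQUENCE
    my ($itag, $id, $p) = ber_tlv($msg, 0);
    return unless defined $itag && $itag == 0x02;        # messageID INTEGER
    my $msgid = 0;
    $msgid = ($msgid << 8) | $_ for unpack('C*', $id);
    my ($otag, $op) = ber_tlv($msg, $p);
    return unless defined $otag && $otag == 0x60;        # [APPLICATION 0] BindRequest
    my ($vtag, undef, $q) = ber_tlv($op, 0);
    return unless defined $vtag && $vtag == 0x02;        # version INTEGER
    my ($ntag, $dn, $r) = ber_tlv($op, $q);
    return unless defined $ntag && $ntag == 0x04;        # name LDAPDN (OCTET STRING)
    my ($atag, $auth) = ber_tlv($op, $r);
    return unless defined $atag;
    return $atag == 0x80                                 # simple [0] OCTET STRING
        ? sprintf("BindRequest id=%d: simple bind as '%s', %d-byte password in cleartext",
                  $msgid, $dn, length $auth)
        : sprintf("BindRequest id=%d: SASL bind as '%s'", $msgid, $dn);
}

my $server = IO::Socket::INET->new(
    LocalPort => $listen_port, Proto => 'tcp', Listen => 5, ReuseAddr => 1,
) or die "listen on port $listen_port failed: $!";
my $sel = IO::Select->new($server);
my (%peer, %name);    # socket -> socket on the other side; socket -> log label

logline("passthru listening on $listen_port, forwarding to $ldap_host:$ldap_port");
while (my @ready = $sel->can_read) {
    for my $fh (@ready) {
        if ($fh == $server) {                            # new client session
            my $client = $server->accept or next;
            my $upstream = IO::Socket::INET->new(
                PeerAddr => $ldap_host, PeerPort => $ldap_port, Proto => 'tcp');
            unless ($upstream) {
                logline("upstream connect to $ldap_host:$ldap_port failed: $!");
                close $client;
                next;
            }
            $peer{$client}   = $upstream;
            $peer{$upstream} = $client;
            $name{$client}   = 'client ' . $client->peerhost . ':' . $client->peerport;
            $name{$upstream} = 'server';
            $sel->add($client, $upstream);
            logline("new session from $name{$client}");
            next;
        }
        my $other = $peer{$fh} or next;                  # already torn down this round
        my $n = sysread $fh, my $buf, 65536;
        if (!$n) {                                       # EOF or error: close both sides
            logline("$name{$fh} closed the session");
            $sel->remove($fh, $other);
            delete @peer{$fh, $other};
            delete @name{$fh, $other};
            close $fh;
            close $other;
            next;
        }
        my $summary = describe_bind($buf);
        logline(sprintf '%s -> %s: %s', $name{$fh}, $name{$other},
                defined $summary ? $summary : "$n bytes: " . hexdump($buf));
        syswrite $other, $buf;                           # forward verbatim
    }
}
```

Point the third-party application at the gateway's port instead of the LDAP server; each session then appears in the log as a hex stream, with every simple bind summarised by DN and password length. Two caveats: `describe_bind` only recognises a bind when the whole LDAPMessage arrives in a single read (true for the small bind PDUs in practice, but not guaranteed), and the gateway is itself one more cleartext hop, so it belongs on the application host for the duration of the diagnosis only.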

Re: LDAP passthru server...
by ghenry (Vicar) on Jun 01, 2005 at 21:33 UTC

    Hi Jason,


    I'm starting to think I could just listen on a port and forward the data stream verbatim to the LDAP server and to a file.

    I think this is the best thing to do, i.e. use stunnel or SSH to create a secure tunnel from the 3rd party application machine, to your LDAP box on port 389. Change the address on the 3rd parties machine to point to the port you have set the tunnel to listen on, on that machine, e.g. 127.0.0.1:333.

    e.g. ssh -L 333:ldap_server_ip:389 root@ldap_server_ip

    For the Perl backend stuff take a look at The OpenLDAP Perl Backend.

    HTH.

    Walking the road to enlightenment... I found a penguin and a camel on the way.....
    Fancy a yourname@perl.me.uk? Just ask!!!

      Hi

      Hmm.. the problem with the ssh method is that it doesn't scale well and does introduce another point of failure. It would be a passable workaround for a low load server but not in a production environment.

      I'm working on creating an LDAP proxy that also dumps to STDOUT.

      Jason L. Froebe

      Team Sybase member

      No one has seen what you have seen, and until that happens, we're all going to think that you're nuts. - Jack O'Neil, Stargate SG-1

        Where would the proxy sit?

        You still need to encrypt traffic somehow.

        If you could put the proxy on the client app machine, the proxy could have a TLS/SASL link to your main LDAP box. But again, another SPOF, and more load on that box.

        Walking the road to enlightenment... I found a penguin and a camel on the way.....
        Fancy a yourname@perl.me.uk? Just ask!!!

        I think we should move this discussion on to the OpenLDAP/LDAP-interop lists, as it has been discussed there before and is getting a bit OT for perl coding ;-)

        Thanks.

        Walking the road to enlightenment... I found a penguin and a camel on the way.....
        Fancy a yourname@perl.me.uk? Just ask!!!
Re: LDAP passthru server...
by Fletch (Bishop) on Jun 01, 2005 at 19:51 UTC

    Not to sidestep the perl question, but if you just want to show them what sorts of goodies are visible out on the naked wire you could always use Ethereal to snoop the traffic. I'm fairly sure it groks LDAP enough to provide a suitably scary decode of the traffic.

    --
    We're looking for people in ATL

      Hi, :)

      That *would* work except that running a sniffer is a definite no-no at this site. My only real option is the pass-thru gateway approach unfortunately.

      Jason L. Froebe

      Team Sybase member

      No one has seen what you have seen, and until that happens, we're all going to think that you're nuts. - Jack O'Neil, Stargate SG-1