directory-dev mailing list archives

From Emmanuel Lecharny <>
Subject Re: Intercepting LDAP request
Date Thu, 18 Sep 2008 13:32:08 GMT
Rohit Gupta (rohitgu) wrote:
> Hi,
> I am currently working on a project where I am required to intercept an
> authentication request being generated for an LDAP server.
> Actually, one of the web servers authenticates its users using an LDAP
> server, but the server is now sitting behind a firewall and cannot be
> called directly. I am not allowed to touch the box containing the web
> server, it's a black box.
> So, I was wondering if it's possible to intercept all the requests being
> sent by the web server to the LDAP server, using some portions of code
> from the Apache directory, and then redirect these requests to our LDAP
> server and send the response back to the web server in a format it can
> understand.
> It would be greatly appreciated if anyone could direct me as to how I can
> solve this problem.
> Thanks,
> Rohit

I hope that your authentication is done through LDAPS or using TLS ... 
In this case, you won't be able to intercept the request and forward it 
to the server behind your firewall...

It would make sense that you ask the network guys to open a connection 
between your web server to the ldap server. Any other solution will be a 
big security breach !

I understand that it won't help you a lot...

Now, assuming that the communication between your web app and your ldap 
browser can be intercepted (pretty easy) and decoded (no SSL, no TLS), 
then there is nothing forbidding you to write your own authenticator. 
What you will have to do is to decode the incoming requests, using the 
decoder we have in shared-ldap. Here is an example of a BindRequest 
being decoded (the BindRequest PDU is supposed to be stored in a ByteBuffer):

        // Allocate a LdapMessage Container
        IAsn1Container ldapMessageContainer = new LdapMessageContainer();

        // Decode the BindRequest PDU ('stream' is the ByteBuffer holding the
        // raw PDU, 'ldapDecoder' the shared-ldap decoder instance)
        try
        {
            ldapDecoder.decode( stream, ldapMessageContainer );
        }
        catch ( DecoderException de )
        {
            // Handle the error here...
        }

        // Now get the Java object
        LdapMessage message = ( ( LdapMessageContainer ) ldapMessageContainer ).getLdapMessage();
        BindRequest br = message.getBindRequest();

You can check the shared-ldap codec tests; you have plenty of samples 
on how to decode requests. Encoding a request (or a response) is pretty 
much the same:

        try
        {
            // Encode the LdapMessage into a freshly allocated ByteBuffer
            ByteBuffer bb = message.encode( null );
        }
        catch ( EncoderException ee )
        {
            // Handle the error here
        }

The message is an instance of the LdapMessage class, which contains any 
kind of possible request or response. This is what you should send back 
to your web server.

Hope it helps.

cordialement, regards,
Emmanuel Lécharny
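Added example, not part of the thread and not the shared-ldap codec: a hand-written Python decoder for the BindRequest PDU structure described above (LDAPMessage / BindRequest BER encoding from RFC 4511), run over a constructed sample PDU. It shows what a network monitor sees in a simple bind carried over plain LDAP: the DN and the password as cleartext octets, which is the exposure the warning about LDAPS/TLS refers to. Tag values are the standard BER/LDAP ones; the DN and password are made up.

```python
"""Decode an LDAP BindRequest PDU (RFC 4511) from raw bytes.
Hand-written BER parsing, not the shared-ldap decoder; sample PDU constructed inline."""
from dataclasses import dataclass
from typing import Optional

SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
AUTH_SIMPLE = 0x80    # AuthenticationChoice simple [0] OCTET STRING
AUTH_SASL = 0xA3      # AuthenticationChoice sasl [3] SaslCredentials


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for the BER TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def tlv(tag: int, value: bytes) -> bytes:
    """Short-form BER encoder, only used to build the constructed sample."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value


@dataclass
class BindRequest:
    message_id: int
    version: int
    name: str
    auth_kind: str               # "simple" or "sasl"
    password: Optional[bytes]    # only recoverable for a simple bind


def decode_bind_request(pdu: bytes) -> BindRequest:
    tag, body, _ = read_tlv(pdu, 0)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, msg_id, pos = read_tlv(body, 0)           # messageID INTEGER
    op_tag, op, _ = read_tlv(body, pos)            # protocolOp
    if tag != INTEGER or op_tag != BIND_REQUEST:
        raise ValueError("protocolOp is not a BindRequest")
    _, version, pos = read_tlv(op, 0)              # version INTEGER (1..127)
    _, name, pos = read_tlv(op, pos)               # name LDAPDN
    auth_tag, cred, _ = read_tlv(op, pos)          # authentication CHOICE
    if auth_tag not in (AUTH_SIMPLE, AUTH_SASL):
        raise ValueError(f"unknown authentication choice 0x{auth_tag:02x}")
    simple = auth_tag == AUTH_SIMPLE
    return BindRequest(int.from_bytes(msg_id, "big"), version[0], name.decode(),
                       "simple" if simple else "sasl", cred if simple else None)


# Constructed sample: messageID 1, LDAPv3 simple bind for a made-up admin DN.
SAMPLE_PDU = tlv(SEQUENCE, tlv(INTEGER, b"\x01") + tlv(BIND_REQUEST,
    tlv(INTEGER, b"\x03") + tlv(OCTET_STRING, b"cn=admin,dc=example,dc=com")
    + tlv(AUTH_SIMPLE, b"s3cret")))
```

A `decode_bind_request(SAMPLE_PDU)` call returns a simple bind with the DN and `b"s3cret"` in the clear; a SASL bind yields `password=None`, and a TLS-protected session never exposes the PDU to a third party at all.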
