Rohit Gupta (rohitgu) wrote:
Hi,
I am currently working on a project where I am required to intercept an
authentication request being generated for an LDAP server.
Actually, one of the web servers authenticates its users using an LDAP
server, but the server is now sitting behind a firewall and cannot be
called directly. I am not allowed to touch the box containing the web
server; it's a black box.
So, I was wondering if it's possible to intercept all the requests being
sent by the web server to the LDAP server, using some portions of code
from the Apache directory, and then redirect these requests to our LDAP
server and send the response back to the web server in a format it can
understand.
It will be greatly appreciated if anyone can direct me as to how I can
solve this problem.
Thanks,
Rohit

Hi,

I hope that your authentication is done through LDAPS or using TLS ... In this case, you won't be able to intercept the request and forward it to the server behind your firewall...

It would make sense that you ask the network guys to open a connection between your web server and the LDAP server. Any other solution will be a big security breach!

I understand that it won't help you a lot...

Now, assuming that the communication between your web app and your ldap browser can be intercepted (pretty easy) and decoded (no SSL, no TLS), then there is nothing forbidding you to write your own authenticator. What you will have to do is to decode the incoming requests, using the decoder we have in shared-ldap. Here is an example of a BindRequest being decoded (the BindRequest PDU is supposed to be stored in a ByteBuffer):

       ...
       // Allocate a LdapMessage Container
       IAsn1Container ldapMessageContainer = new LdapMessageContainer();

       // Decode the BindRequest PDU: 'stream' is the ByteBuffer holding the
       // raw PDU and 'ldapDecoder' is the shared-ldap decoder instance, both
       // created in the part elided above
       try
       {
           ldapDecoder.decode( stream, ldapMessageContainer );
       }
       catch ( DecoderException de )
       {
           de.printStackTrace();
           // Handle the error here...
       }

       // Now get the Java object
       LdapMessage message = ( ( LdapMessageContainer ) ldapMessageContainer ).getLdapMessage();
       BindRequest br = message.getBindRequest();
       ...

You can check in the shared-ldap codec tests; you have plenty of samples on how to decode requests. Encoding a request (or a response) is pretty much the same:

       try
       {
           ByteBuffer bb = message.encode( null );
       }
       catch ( EncoderException ee )
       {
           ee.printStackTrace();
           // Handle the error here
       }

The message is an instance of the LdapMessage class, which contains any kind of possible request or response. This is what you should send back to your web server.

Hope it helps.


--
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org
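As an added illustration, not code from this thread or from shared-ldap: what the decode and encode steps above come down to for a simple BindRequest, in Python rather than Java, so it can be run against a captured PDU without the shared-ldap classes. It is a minimal BER codec for LDAPMessage/BindRequest (RFC 4511) plus a check that flags a simple bind carrying a password in the clear, which is exactly why the reply asks for LDAPS or TLS. Assumptions: one complete LDAPMessage per byte string, short-form BER lengths on the encode side, and the DN and password in the sample are constructed values.

```python
from collections import namedtuple
# Fields of a decoded bind: for a simple bind, credentials is the password as sent on the wire.
BindRequest = namedtuple("BindRequest", "message_id version name auth credentials")

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the BER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits say how many length octets follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _tlv(tag: int, value: bytes) -> bytes:
    """Encode one BER TLV; short-form length only, so values must be under 128 bytes."""
    assert len(value) < 0x80, "long-form length is not implemented in this example"
    return bytes([tag, len(value)]) + value

def _int(v: int) -> bytes:
    """BER INTEGER content octets, two's complement."""
    return v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True)

def decode_bind_request(pdu: bytes) -> BindRequest:
    """Parse LDAPMessage { messageID INTEGER, protocolOp BindRequest [APPLICATION 0] }."""
    tag, msg, _ = _read_tlv(pdu, 0)
    tag_id, mid, pos = _read_tlv(msg, 0)
    tag_op, op, _ = _read_tlv(msg, pos)
    if (tag, tag_id, tag_op) != (0x30, 0x02, 0x60):
        raise ValueError("not an LDAPMessage carrying a BindRequest")
    _, ver, pos = _read_tlv(op, 0)      # version INTEGER
    _, name, pos = _read_tlv(op, pos)   # name LDAPDN (OCTET STRING)
    tag, cred, _ = _read_tlv(op, pos)   # AuthenticationChoice: [0] simple or [3] sasl
    auth = {0x80: "simple", 0xA3: "sasl"}.get(tag)
    if auth is None:
        raise ValueError(f"unknown AuthenticationChoice tag {tag:#x}")
    return BindRequest(int.from_bytes(mid, "big", signed=True),
                       int.from_bytes(ver, "big", signed=True), name.decode(), auth, bytes(cred))

def encode_simple_bind(message_id: int, name: str, password: str, version: int = 3) -> bytes:
    """Build the PDU a client sends for a simple bind (the inverse of decode_bind_request)."""
    op = _tlv(0x02, _int(version)) + _tlv(0x04, name.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, _int(message_id)) + _tlv(0x60, op))

def password_in_clear(pdu: bytes) -> bool:
    """Simple bind with a non-empty password: readable by anything on the path unless LDAPS/StartTLS is used."""
    br = decode_bind_request(pdu)
    return br.auth == "simple" and len(br.credentials) > 0

# Constructed sample: messageID 1, LDAPv3, simple bind as cn=admin,dc=example,dc=com / s3cret
SAMPLE_PDU = bytes.fromhex("302c020101602702010304" "1a636e3d61646d696e2c64633d6578616d706c652c"
                           "64633d636f6d" "8006733363726574")
```

Running decode_bind_request(SAMPLE_PDU) yields the DN and the password bytes unchanged, which is the whole of what a proxy placed between the web server and the LDAP server would see on a non-TLS connection.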

