CHANGES | 25 +++++++++++++++++++++++++
lib/openldap.c | 29 +++++++++++++++++++++++++++++
2 files changed, 54 insertions(+), 0 deletions(-)
diff --git a/CHANGES b/CHANGES
index 765c8ff..661c44f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -24,6 +24,31 @@ Kamil Dudka (29 Oct 2010)
Bug: https://bugzilla.redhat.com/643656
Reported by: Pasi Karkkainen, Patrick Monnerat
+Daniel Stenberg (18 Sep 2010)
+- [Mauro Iorio brought this change]
+
+ LDAP: Support for tunnelling queries through HTTP proxy
+
+ As of curl-7.21.1 tunnelling ldap queries through HTTP Proxies is not
+ supported. Actually if --proxytunnel command-line option (or equivalent
+ CURLOPT_HTTPPROXYTUNNEL) is used for ldap queries like
+ ldap://ldap.my.server.com/... You are unable to successfully execute the
+ query. In facts ldap_*_bind is executed directly against the ldap server
+ and proxy is totally ignored. This is true for both openLDAP and
+ Microsoft LDAP API.
+
+ Step to reproduce the error:
+ Just launch "curl --proxytunnel --proxy 192.168.1.1:8080
+ ldap://ldap.my.server.com/dc=... "
+
+ This fix adds an invocation to Curl_proxyCONNECT against the provided
+ proxy address and on successful "CONNECT" it tunnels ldap query to the
+ final ldap server through the HTTP proxy. As far as I know Microsoft
+ LDAP APIs don't permit tunnelling in any way so the patch provided is
+ for OpenLDAP only. The patch has been developed against OpenLDAP 2.4.23
+ and has been tested with Microsoft ISA Server 2006 and works properly
+ with basic, digest and NTLM authentication.
+
Daniel Stenberg (16 Aug 2010)
- negotiation: Wrong proxy authorization
diff --git a/lib/openldap.c b/lib/openldap.c
index 05628ab..5f70919 100644
--- a/lib/openldap.c
+++ b/lib/openldap.c
@@ -165,6 +165,7 @@ static CURLcode ldap_setup(struct connectdata *conn)
li = calloc(1, sizeof(ldapconninfo));
li->proto = proto;
conn->proto.generic = li;
+ conn->bits.close = FALSE;
/* TODO:
* - provide option to choose SASL Binds instead of Simple
*/
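Review bot: The new `conn->bits.close = FALSE;` has no comment saying why ldap_setup must force this flag off, and nothing in the hunk shows what would otherwise have set it. A reader will not be able to tell whether this is required for the proxy-tunnel path added in the same commit or is an unrelated fix for connection reuse, so the line should carry its reason, e.g. `/* keep the connection open: a tunnelled LDAP session must not be torn down after the CONNECT handshake */` if that is the intent, or whatever the actual motivation is. ldap_setup starts and ends outside this hunk.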
@@ -198,6 +199,34 @@ static CURLcode ldap_connect(struct connectdata *conn, bool *done)
ldap_set_option(li->ld, LDAP_OPT_PROTOCOL_VERSION, &proto);
+#if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_PROXY)
+ if(conn->bits.tunnel_proxy && conn->bits.httpproxy) {
+ /* for LDAP over HTTP proxy */
+ struct HTTP http_proxy;
+ ldapconninfo *li_save;
+
+ /* BLOCKING */
+ /* We want "seamless" LDAP operations through HTTP proxy tunnel */
+
+ /* Curl_proxyCONNECT is based on a pointer to a struct HTTP at the member
+ * conn->proto.http; we want LDAP through HTTP and we have to change the
+ * member temporarily for connecting to the HTTP proxy. After
+ * Curl_proxyCONNECT we have to set back the member to the original struct
+ * LDAP pointer
+ */
+ li_save = data->state.proto.generic;
+ memset(&http_proxy, 0, sizeof(http_proxy));
+ data->state.proto.http = &http_proxy;
+ rc = Curl_proxyCONNECT(conn, FIRSTSOCKET,
+ conn->host.name, conn->remote_port);
+
+ data->state.proto.generic = li_save;
+
+ if(CURLE_OK != rc)
+ return rc;
+ }
+#endif /* !CURL_DISABLE_HTTP && !CURL_DISABLE_PROXY */
+
#ifdef USE_SSL
if (conn->protocol & PROT_SSL) {
CURLcode res;
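Review bot: The new block only handles `tunnel_proxy && httpproxy`; a plain `--proxy` without `--proxytunnel` falls through the `#endif` to the normal bind path, and nothing here rejects it, so if the socket at that point is connected to the proxy (as the commit message suggests) a simple bind would write the LDAP credentials as raw bytes to an HTTP proxy. Unless the non-tunnel case is handled further up in ldap_connect (which starts outside this hunk), an explicit refusal is safer: `if(conn->bits.httpproxy && !conn->bits.tunnel_proxy) { failf(data, "LDAP over a non-tunnelling HTTP proxy is not supported"); return CURLE_UNSUPPORTED_PROTOCOL; }`. The stack-allocated `http_proxy` installed into `data->state.proto.http` is only safe because the call is blocking (as the `/* BLOCKING */` comment notes); the comment should say that a non-blocking Curl_proxyCONNECT would leave a dangling stack pointer and that the bind below must not run until the tunnel is established. `rc` is assigned a CURLcode and returned from a CURLcode function while the SSL branch below declares its own `CURLcode res;`, which suggests `rc` is the `int` used for the ldap_init_fd result; if so, use a dedicated `CURLcode result` local for the Curl_proxyCONNECT call rather than reusing it.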