My original question:
> > I have not been able to find any information on accessing LDAP
> > directories such as 411 from an application, such as Netscape
> > Communicator, when you live behind a firewall.
> >
> > Is there a way to use our Apache proxy server to forward ldap
> > requests?
Thanks for all of your responses. What worked for me was using the
Firewall Tool Kit's (FWTK) plug-gw. Basically, reconfigure Netscape
to connect to our proxy server on specific ports to gain access to the
various directories. The user needs to change their directory definitions
to make this work.
----------------------------------------------------------------------------
Netscape:

  Edit-->Preferences-->Mail & Groups-->Directory
  Select a directory entry and press EDIT:
    Change the LDAP server to your proxy server.
    Change the port number to match the proxy server's port list. (below)

  Example:
    Description: Four11 Directory
    LDAP Server: proxy.domain.com
    Search Root: (varies -- leave unchanged)
    Port Number: 3891 (see /etc/services below)
----------------------------------------------------------------------------
On the Firewall:

/etc/services: define a port for each Directory service

  # random holes in the firewall to support LDAP access
  ldap 389/tcp # default LDAP port
  ldap01 3891/tcp # LDAP port for Four11 Directory
  ldap02 3892/tcp # LDAP port for InfoSpace Directory
  ldap03 3893/tcp # LDAP port for WhoWhere Directory
  ldap04 3894/tcp # LDAP port for Bigfoot Directory
  ldap05 3895/tcp # LDAP port for Switchboard Directory

/etc/inetd.conf: define actions for the individual ports

  # random holes in the firewall for LDAP support
  ldap01 stream tcp nowait root /usr/local/etc/plug-gw plug-gw ldap01
  ldap02 stream tcp nowait root /usr/local/etc/plug-gw plug-gw ldap02
  ldap03 stream tcp nowait root /usr/local/etc/plug-gw plug-gw ldap03
  ldap04 stream tcp nowait root /usr/local/etc/plug-gw plug-gw ldap04
  ldap05 stream tcp nowait root /usr/local/etc/plug-gw plug-gw ldap05

/usr/local/etc/netperm-table: configure plug-gw

  plug-gw: port ldap01 192.168.10.* -plug-to ldap.four11.com -port ldap
  plug-gw: port ldap02 192.168.10.* -plug-to ldap.infospace.com -port ldap
  plug-gw: port ldap03 192.168.10.* -plug-to ldap.whowhere.com -port ldap
  plug-gw: port ldap04 192.168.10.* -plug-to ldap.bigfoot.com -port ldap
  plug-gw: port ldap05 192.168.10.* -plug-to ldap.switchboard.com -port ldap
                       ^^^^^^^^^^^^ change to match your domain's IP numbers

The plug-gw is part of the firewall tool kit available from:
http://www.tis.com/docs/products/fwtk/index.html
----------------------------------------------------------------------------
Note:
This did not work for InfoSpace. I got the error message:
"DSA is unwilling to perform."
Special Thanks to:
"Andreas Berger" <aberger @ darmstadt . gmd . de>
"Birkeland Hal" <birkeland_hal @ bah . com>
"Wladyslaw A. Russocki" <russocki @ credintrans . fr>
Bob
><> ><> ><> ><> ><> ><> ><> ><> ><> ><> ><> ><> ><>
Bob Van Cleef, Member of Technical Staff (408) 734-8100
MicroUnity Systems Engineering, Inc. FAX (408) 734-8136
475 Potrero Ave., Sunnyvale, CA 94086 vancleef @ microunity . com
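
----------------------------------------------------------------------------
Added example (not part of the original post, and not FWTK code): a small Python check that cross-references the three files shown above, so that every plug-gw rule has a services entry and an inetd listener, and only internal clients may use each relay. The function names and the `internal` prefix test are assumptions made for this example; the sample input is constructed from the first two entries in the post.

```python
# Constructed sample input: the Four11 and InfoSpace entries from the post.
SERVICES = """
ldap    389/tcp     # default LDAP port
ldap01  3891/tcp    # LDAP port for Four11 Directory
ldap02  3892/tcp    # LDAP port for InfoSpace Directory
"""
INETD = """
ldap01 stream tcp nowait root /usr/local/etc/plug-gw plug-gw ldap01
ldap02 stream tcp nowait root /usr/local/etc/plug-gw plug-gw ldap02
"""
NETPERM = """
plug-gw: port ldap01 192.168.10.* -plug-to ldap.four11.com -port ldap
plug-gw: port ldap02 192.168.10.* -plug-to ldap.infospace.com -port ldap
"""

def fields(text):
    """Split each non-empty, non-comment line into whitespace-separated fields."""
    rows = (line.split("#", 1)[0].split() for line in text.splitlines())
    return [r for r in rows if r]

def audit(services, inetd, netperm, internal="192.168.10."):
    """Cross-check the three files; an empty list means they agree."""
    known = {r[0] for r in fields(services) if len(r) >= 2}
    listeners = {r[0] for r in fields(inetd)
                 if len(r) >= 6 and r[5].endswith("/plug-gw")}
    findings, ruled = [], set()
    for r in fields(netperm):
        if len(r) < 4 or r[:2] != ["plug-gw:", "port"]:
            continue
        name = r[2]
        ruled.add(name)
        opts = next((i for i, t in enumerate(r) if t.startswith("-")), len(r))
        for src in r[3:opts]:  # client patterns allowed to use this relay
            if not src.startswith(internal):
                findings.append(f"{name}: source {src} is outside {internal}*")
        if "-plug-to" not in r[opts:]:
            findings.append(f"{name}: no -plug-to destination")
        if not name.isdigit() and name not in known:
            findings.append(f"{name}: not defined in /etc/services")
        if name not in listeners:
            findings.append(f"{name}: rule has no inetd.conf listener")
    for name in listeners - ruled:
        findings.append(f"{name}: inetd.conf listener has no netperm-table rule")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SERVICES, INETD, NETPERM) or ["consistent"]:
        print(finding)
```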