From c59dba338ea2c71fa0422a8594928d3c1787469e Mon Sep 17 00:00:00 2001
From: Mauro Iorio <mio@bit4id.com>
Date: Sat, 18 Sep 2010 00:03:23 +0200
Subject: [PATCH] LDAP: Support for tunnelling queries through HTTP proxy

As of curl-7.21.1 tunnelling ldap queries through HTTP Proxies is not
supported. Actually if --proxytunnel command-line option (or equivalent
CURLOPT_HTTPPROXYTUNNEL) is used for ldap queries like
ldap://ldap.my.server.com/... You are unable to successfully execute the
query. In facts ldap_*_bind is executed directly against the ldap server
and proxy is totally ignored. This is true for both openLDAP and
Microsoft LDAP API.

Step to reproduce the error:
Just launch "curl --proxytunnel --proxy 192.168.1.1:8080
ldap://ldap.my.server.com/dc=... "

This fix adds an invocation to Curl_proxyCONNECT against the provided
proxy address and on successful "CONNECT" it tunnels ldap query to the
final ldap server through the HTTP proxy. As far as I know Microsoft
LDAP APIs don't permit tunnelling in any way so the patch provided is
for OpenLDAP only.  The patch has been developed against OpenLDAP 2.4.23
and has been tested with Microsoft ISA Server 2006 and works properly
with basic, digest and NTLM authentication.
---
 lib/openldap.c | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/lib/openldap.c b/lib/openldap.c
index 05628ab8e..445d30167 100644
--- a/lib/openldap.c
+++ b/lib/openldap.c
@@ -165,6 +165,7 @@ static CURLcode ldap_setup(struct connectdata *conn)
   li = calloc(1, sizeof(ldapconninfo));
   li->proto = proto;
   conn->proto.generic = li;
+  conn->bits.close = bool_false;
   /* TODO:
    * - provide option to choose SASL Binds instead of Simple
    */
@@ -198,6 +199,34 @@ static CURLcode ldap_connect(struct connectdata *conn, bool *done)
 
   ldap_set_option(li->ld, LDAP_OPT_PROTOCOL_VERSION, &proto);
 
+#if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_PROXY)
+  if(conn->bits.tunnel_proxy && conn->bits.httpproxy) {
+    /* for LDAP over HTTP proxy */
+    struct HTTP http_proxy;
+    ldapconninfo *li_save;
+
+    /* BLOCKING */
+    /* We want "seamless" LDAP operations through HTTP proxy tunnel */
+
+    /* Curl_proxyCONNECT is based on a pointer to a struct HTTP at the member
+     * conn->proto.http; we want LDAP through HTTP and we have to change the
+     * member temporarily for connecting to the HTTP proxy. After
+     * Curl_proxyCONNECT we have to set back the member to the original struct
+     * LDAP pointer
+     */
+    li_save = data->state.proto.generic;
+    memset(&http_proxy, 0, sizeof(http_proxy));
+    data->state.proto.http = &http_proxy;
+    result = Curl_proxyCONNECT(conn, FIRSTSOCKET,
+                               conn->host.name, conn->remote_port);
+
+    data->state.proto.generic = li_save;
+
+    if(CURLE_OK != result)
+      return result;
+  }
+#endif /* !CURL_DISABLE_HTTP && !CURL_DISABLE_PROXY */
+
 #ifdef USE_SSL
   if (conn->protocol & PROT_SSL) {
     CURLcode res;