Re: LDAP, DMZ, private lan
Putting the authentication server, be it LDAP or RADIUS, on
the private network is most common from my experience. You
would only allow authentication sessions from a specified host
to the auth server through your inside firewall.
I suppose you could set up two-stage authentication using an
LDAP in the DMZ and then one on the private network. You
might not want to replicate in that case. A little more work
to manage, but that's always the case when making it more
secure.
jc
Thusly Thwacked By Christian Hammers:
> On Sun, May 20, 2001 at 11:23:04PM +0200, Torstein Tauno Svendsen wrote:
> > Well, if you place the LDAP server in the DMZ and use it for user
> > authentication on the internal network, you have a _huge_ problem if
> > the LDAP server machine gets compromised (i.e. evil cracker has
> > control over your accounts and passwords)
> if you place it on a dedicated host there are not many more ways to compromise
> this server than if you'd put it into the internal network.
> Of course, you should not put it onto the web server host!
>
> > I've been thinking about the same problem, and at our site we are
> > planning to put separate LDAP servers in the DMZ, and use replication
> > to push changes to them from a master server on the internal network.
> > (Just have to find a way of preventing it from pushing attributes we
> > don't want published in the DMZ (i.e. the user passwords and such -
> > the ldap-servers in the DMZ will be used for mail-routing, so the
> > passwords are not needed)
> You could write a little script that reads the replication log or runs minutely
> and just updates chosen attributes on the DMZ host, i.e. don't use the built-in
> replication feature at all.
>
> > Torstein
> bye,
>
> -christian-
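The "little script" Christian proposes above, written out as an added example (this is not code from anyone in the thread): it reads an LDIF dump taken from the master, keeps only an allow-list of attributes the DMZ mail-routing replica needs, and emits LDIF that can be fed to the DMZ server, so userPassword and other internal-only attributes never leave the private network. The attribute allow-list, the secret-attribute names and the sample LDIF entries are constructed for this example and are assumptions; adjust them to your own schema.

```python
import base64
from typing import Iterable, List, Tuple

# Attributes the DMZ mail-routing replica actually needs (assumed set for this
# example). Anything not listed here, including userPassword, is never written
# to the DMZ host. An allow-list is safer than a deny-list: a new secret
# attribute added to the master schema later is dropped by default.
DMZ_ALLOWED_ATTRS = {"objectclass", "cn", "sn", "uid", "mail", "mailroutingaddress"}

# Attribute names that must never appear in what we push (assumed examples).
SECRET_ATTRS = {"userpassword", "sambantpassword", "sambalmpassword"}

Entry = Tuple[str, List[Tuple[str, str]]]  # (dn, [(attribute, value), ...])


def parse_ldif(text: str) -> List[Entry]:
    """Parse a minimal LDIF dump: folded lines, '::' base64 values, blank-line separated entries."""
    # Unfold: a line beginning with one space continues the previous line.
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries: List[Entry] = []
    dn = None
    attrs: List[Tuple[str, str]] = []
    for line in lines + [""]:  # trailing sentinel flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, []
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.append((name, value))
    return entries


def filter_for_dmz(entries: Iterable[Entry], allowed=DMZ_ALLOWED_ATTRS) -> List[Entry]:
    """Keep only allow-listed attributes; entries left with nothing are not pushed at all."""
    out: List[Entry] = []
    for dn, attrs in entries:
        kept = [(a, v) for a, v in attrs if a.lower() in allowed]
        if kept:
            out.append((dn, kept))
    return out


def secrets_present(entries: Iterable[Entry]) -> List[Tuple[str, str]]:
    """Final check before pushing: list every (dn, attribute) that is a known secret."""
    return [(dn, a) for dn, attrs in entries for a, _ in attrs if a.lower() in SECRET_ATTRS]


def _ldif_line(name: str, value: str) -> str:
    # LDIF may carry a value literally only if it is ASCII, has no leading/trailing
    # space, no newline, and does not start with ':' or '<'; otherwise base64 it.
    safe = (value.isascii() and value == value.strip()
            and "\n" not in value and not value.startswith((":", "<")))
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def to_ldif(entries: Iterable[Entry]) -> str:
    """Serialise entries back to LDIF for ldapadd/ldapmodify against the DMZ server."""
    chunks = []
    for dn, attrs in entries:
        chunks.append("\n".join([_ldif_line("dn", dn)] + [_ldif_line(a, v) for a, v in attrs]))
    return "\n\n".join(chunks) + "\n"


# Constructed sample dump from the master; the userPassword value is base64 of
# the placeholder string "{SSHA}notarealhash", not a real hash.
MASTER_LDIF = """\
version: 1

dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
cn: Jane Doe
sn: Doe
uid: jdoe
mail: jdoe@example.com
mailRoutingAddress: jdoe@mailhub.internal.example.com
userPassword:: e1NTSEF9bm90YXJlYWxoYXNo
description: internal only: desk 4B, badge 0815

dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: admins
member: uid=jdoe,ou=people,dc=example,dc=com
"""

if __name__ == "__main__":
    dmz_entries = filter_for_dmz(parse_ldif(MASTER_LDIF))
    if secrets_present(dmz_entries):
        raise SystemExit("refusing to push: secret attribute survived filtering")
    print(to_ldif(dmz_entries))
```

Two caveats when running something like this instead of slapd's own replication: the DMZ server still applies schema checking, so the allow-list has to cover every MUST attribute of the objectClasses you keep (here sn and cn for inetOrgPerson), or the DMZ server will reject the entry; and the script must run on the master side and push to the DMZ over an authenticated, encrypted connection through the inside firewall, since that direction is the whole point of the design.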
- References:
- LDAP, DMZ, private lan
- From: Florian Friesdorf <42ff@gmx.net>
- Re: LDAP, DMZ, private lan
- From: "Jeremy T. Bouse" <undrgrid@Toons.UnderGrid.net>
- Re: LDAP, DMZ, private lan
- From: Christian Hammers <ch@westend.com>
- Re: LDAP, DMZ, private lan
- From: Torstein Tauno Svendsen <torstei@linpro.no>
- Re: LDAP, DMZ, private lan
- From: Christian Hammers <ch@westend.com>