Re: LDAP, DMZ, private lan

[Jeff <jcoppock1@home.com>]

   Putting the authentication server, be it LDAP or RADIUS, on
   the private newtork is most common from my experience.  You
   would only allow authentication sessions from a specified host
   to the auth server through your inside firewall.
   
   I suppose you could setup two-stage authentication using an
   LDAP in the DMZ and then one on the private network.  You
   might not want to replicate in that case.  A little more work
   to manage, but that's always the case when making it more
   secure.
   
   jc

Thusly Thwacked By Christian Hammers:
> On Sun, May 20, 2001 at 11:23:04PM +0200, Torstein Tauno Svendsen wrote:
> > Well, if you place the LDAP server in the DMZ and use it for user
> > authentification on the internal network, you have a _huge_ problem if
> > the LDAP server machine gets compromised (i.e. evil cracker has
> > control over you accounts and passwords)
> if you place it on a dedicated host there's no much more ways to compromise 
> this server as if you'd put it into the internal network. 
> Of course, you should not put it onto the web server host!
>  
> > I've been thinking about the same problem, and at our site we are
> > planning to put separate LDAP servers in the DMZ, and use replication
> > to push changes to them from a master server on the internal network.
> > (Just have to find a way of preventing it from pushing atributes we
> > don't wan't published in the DMZ (i.e. the user passwords and such -
> > the ldap-servers in the DMZ will be used for mail-routing, so the
> > passwords are not needed)
> You could write a little script that reads the replication log or runs minutely
> and just updates choosen attributes on the DMZ host, i.e. don't use the buildin
> replication feature at all.
> 
> > Torstein
> bye,
> 
>  -christian-