[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: LDAP, DMZ, private lan



	Depending on what firewall system you are using (ipchains vs. iptables)
you might be better putting the LDAP server on the LAN and just have LDAP
connections from the DMZ interface NAT'd to the LAN interface. Deny all LDAP
access attempts from the WAN -> LAN channel so your LDAP server is properly
protected.

	Basically this is sthe situation I am running into myself as I use
LDAP to authenticate all servers on my network. The only difference is that
I plan on allowing LDAPS (636/tcp) connections from the WAN->LAN and only
LDAP (389/tcp) connections from DMZ->LAN.

	Jeremy

Florian Friesdorf was said to been seen saying:
> Hello all,
> 
> I want to setup a private network behind a firewall.
> The firewall also protects a DMZ with www/mail/ftp.
> 
> Now, that's the point, I want the users on computers in the priviate lan
> and the DMZ to be authenticated via LDAP.
> Could you recommend to put the LDAP server into the DMZ or even onto
> the firewall?
> Or is there a better approach, to solve this?
> 
> I thought about a dedicated LDAP Server in the DMZ with only ssh and
> ldap ports open.
> 
> 
> Please help,
> florian
> 



-- 
,-----------------------------------------------------------------------------,
|Jeremy T. Bouse, CCNA - UnderGrid Network Services, LLC -  www.UnderGrid.net |
|        Public PGP/GPG fingerprint and location in headers of message        |
|     If received unsigned (without requesting as such) DO NOT trust it!      |
| Jeremy.Bouse@UnderGrid.net   -   NIC Whois: JB5713   -   jbouse@Debian.org  |
`-----------------------------------------------------------------------------'

Attachment: pgpfW9hJcMIiy.pgp
Description: PGP signature


Reply to: