Depending on what firewall system you are using (ipchains vs. iptables) you might be better putting the LDAP server on the LAN and just have LDAP connections from the DMZ interface NAT'd to the LAN interface. Deny all LDAP access attempts from the WAN -> LAN channel so your LDAP server is properly protected. Basically this is sthe situation I am running into myself as I use LDAP to authenticate all servers on my network. The only difference is that I plan on allowing LDAPS (636/tcp) connections from the WAN->LAN and only LDAP (389/tcp) connections from DMZ->LAN. Jeremy Florian Friesdorf was said to been seen saying: > Hello all, > > I want to setup a private network behind a firewall. > The firewall also protects a DMZ with www/mail/ftp. > > Now, that's the point, I want the users on computers in the priviate lan > and the DMZ to be authenticated via LDAP. > Could you recommend to put the LDAP server into the DMZ or even onto > the firewall? > Or is there a better approach, to solve this? > > I thought about a dedicated LDAP Server in the DMZ with only ssh and > ldap ports open. > > > Please help, > florian > -- ,-----------------------------------------------------------------------------, |Jeremy T. Bouse, CCNA - UnderGrid Network Services, LLC - www.UnderGrid.net | | Public PGP/GPG fingerprint and location in headers of message | | If received unsigned (without requesting as such) DO NOT trust it! | | Jeremy.Bouse@UnderGrid.net - NIC Whois: JB5713 - jbouse@Debian.org | `-----------------------------------------------------------------------------'
Attachment:
pgpIxJodGrbfy.pgp
Description: PGP signature