Re: LDAP, DMZ, private lan
On Sun, May 20, 2001 at 11:23:04PM +0200, Torstein Tauno Svendsen wrote:
> Well, if you place the LDAP server in the DMZ and use it for user
> authentication on the internal network, you have a _huge_ problem if
> the LDAP server machine gets compromised (i.e. evil cracker has
> control over your accounts and passwords)
if you place it on a dedicated host there are not many more ways to compromise
this server than if you had put it on the internal network.
Of course, you should not put it onto the web server host!
> I've been thinking about the same problem, and at our site we are
> planning to put separate LDAP servers in the DMZ, and use replication
> to push changes to them from a master server on the internal network.
> (Just have to find a way of preventing it from pushing attributes we
> don't want published in the DMZ (i.e. the user passwords and such -
> the ldap-servers in the DMZ will be used for mail-routing, so the
> passwords are not needed)
You could write a little script that reads the replication log or runs every minute
and just updates chosen attributes on the DMZ host, i.e. don't use the built-in
replication feature at all.
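One way to do the selective push described above, as an added example that is not part of the original thread: a Python filter that takes the master's LDIF export and keeps only the attributes a DMZ mail-routing replica needs, so the passwords never leave the internal network. The allow-list, the Samba password attribute names and the sample entry are assumptions made for this example.

```python
import base64

# Assumed allow-list for a mail-routing replica; adjust to your own schema.
DMZ_ALLOWED = {"objectclass", "cn", "uid", "mail", "mailroutingaddress"}
# Always stripped, even if someone later adds one of these to DMZ_ALLOWED.
DMZ_DENIED = {"userpassword", "sambantpassword", "sambalmpassword"}

def _split(line):
    """Split 'attr: value' or 'attr:: base64value' into (attr, value)."""
    name, _, rest = line.partition(":")
    if rest.startswith(":"):  # '::' marks a base64-encoded value
        return name.strip(), base64.b64decode(rest[1:].strip()).decode("utf-8")
    return name.strip(), rest.strip()

def parse_ldif(text):
    """Parse LDIF into entries (lists of (attr, value) pairs), unfolding
    continuation lines (leading space) and skipping comment lines."""
    entries, entry = [], []
    for line in text.replace("\n ", "").splitlines() + [""]:  # "" flushes the last entry
        if line.startswith("#"):
            continue
        if line:
            entry.append(_split(line))
        elif entry:
            entries.append(entry)
            entry = []
    return entries

def filter_for_dmz(entries, allowed=DMZ_ALLOWED, denied=DMZ_DENIED):
    """Keep each entry's dn plus allowed attributes; the deny list always wins."""
    out = []
    for entry in entries:
        if not entry or entry[0][0].lower() != "dn":
            continue  # e.g. a leading 'version: 1' block has no dn
        out.append(entry[:1] + [(a, v) for a, v in entry[1:]
                                if a.lower() in allowed and a.lower() not in denied])
    return out

# Constructed sample export; the password hash is a made-up placeholder.
SAMPLE_LDIF = """\
version: 1

dn: uid=alice,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
mail: alice@example.org
mailRoutingAddress: alice@mailhub.internal.exampl
 e.org
userPassword:: e1NTSEF9c2VjcmV0
telephoneNumber: +1 555 0100
"""
```

Run the output of `filter_for_dmz(parse_ldif(...))` through whatever writes to the DMZ host; the internal master's password and other non-listed attributes are gone before anything crosses the firewall.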