
I am developing a .NET Core API that will be hosted on Azure. The main aim of this API is to connect with LDAP (on-premises). If the application is hosted on-premises then there is no problem connecting with LDAP. But what are the options to connect with on-premises AD over the Internet?

Thanks.

Sorry, I forgot to mention the client is not interested in using VPN.

Imran Yaseen
  • `what are the options to connect with on-premises AD over the Internet?` A VPN – Greg Askew Jul 31 '23 at 15:46
  • Sorry, I forgot to mention the client is not interested in using VPN. I have updated my original question too. – Imran Yaseen Jul 31 '23 at 16:44
  • Well, you should provide what you *are* interested in. Everyone uses a VPN. You don't have any other options, unless you're looking for someone to validate for you to open a port in the firewall for LDAP, which is a terrible idea. – Greg Askew Jul 31 '23 at 17:42
  • Off topic: Requests for product, service, or learning material recommendations are off-topic because they attract low quality, opinionated and spam answers, and the answers become obsolete quickly. Instead, describe the business problem you are working on, the research you have done, and the steps taken so far to solve it. – TomTom Jul 31 '23 at 18:46
  • You're getting strong objections to not using a VPN because putting AD DS on the internet is a terrible idea. The application is not hardened to face password brute forces and other nastiness. Theoretically there could be use cases for LDAP in TLS over the internet; Azure AD DS will warn about internet facing and strongly recommend IP allow lists but allow you to do it https://learn.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-configure-ldaps#lock-down-secure-ldap-access-over-the-internet – John Mahowald Aug 01 '23 at 02:15

1 Answer

  • You can port-forward to your LDAP server(s) using LDAPS, which is LDAP secured by TLS. The connecting client (your app) will need to trust the certificate offered by the LDAPS server of course.
  • You can use an app proxy that publishes access via LDAPS, thus not requiring you to open up ports directly to the LDAP servers.
  • You can use a VPN.
mfinni
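The first option in the answer (LDAPS, with the client trusting the server's certificate) is the one that needs care in code, because a client that accepts any certificate turns "LDAP secured by TLS" into an interceptable connection. The following is an added example, not code from the question or the answer: a .NET Core service binding to an on-premises domain controller over LDAPS with `System.DirectoryServices.Protocols`, validating the server certificate against the organisation's private root CA and the expected host name, then running a filter-escaped search. The host name `dc01.corp.example.com`, the CA file path, the search base, the service account and the `LDAP_SERVICE_PASSWORD` environment variable are placeholders I assumed for the example.

```csharp
// Added example (not from the question or answer): bind to an on-premises DC over
// LDAPS (TCP 636) from a .NET Core API. Host name, CA path, search base and the
// service account are assumed placeholders; replace them with your own values.
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Security.Cryptography.X509Certificates;

public static class OnPremLdaps
{
    private const string LdapHost = "dc01.corp.example.com";          // assumed
    private const int LdapsPort = 636;
    private const string InternalRootCaPath = "/etc/ssl/corp-root-ca.cer"; // assumed
    private const string SearchBase = "DC=corp,DC=example,DC=com";   // assumed

    // Opens an LDAPS session; Bind() throws if TLS fails or the certificate check rejects the server.
    public static LdapConnection Connect(string serviceAccountUpn, string password)
    {
        var identifier = new LdapDirectoryIdentifier(LdapHost, LdapsPort);
        var connection = new LdapConnection(identifier)
        {
            AuthType = AuthType.Basic,
            Credential = new NetworkCredential(serviceAccountUpn, password),
        };
        connection.SessionOptions.ProtocolVersion = 3;
        connection.SessionOptions.SecureSocketLayer = true;   // LDAPS on 636, not StartTLS on 389
        connection.SessionOptions.VerifyServerCertificate = VerifyServerCertificate;
        connection.Bind();
        return connection;
    }

    // Replaces the platform default: the certificate must chain to the internal root CA only
    // (not anything in the OS trust store) and must be issued for the host we meant to reach.
    private static bool VerifyServerCertificate(LdapConnection conn, X509Certificate certificate)
    {
        var serverCert = new X509Certificate2(certificate);
        var rootCa = new X509Certificate2(InternalRootCaPath);

        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(rootCa);
        // Online revocation requires the CA's CRL/OCSP endpoint to be reachable from Azure.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;

        if (!chain.Build(serverCert))
        {
            foreach (var status in chain.ChainStatus)
                Console.Error.WriteLine($"LDAPS certificate rejected: {status.StatusInformation.Trim()}");
            return false;
        }

        // MatchesHostname checks SAN (and CN) against the host name; available from .NET 7.
        if (!serverCert.MatchesHostname(LdapHost))
        {
            Console.Error.WriteLine($"LDAPS certificate is not issued for {LdapHost}");
            return false;
        }
        return true;
    }

    // Example lookup: the mail attribute of a user, by sAMAccountName.
    public static string? FindUserMail(LdapConnection connection, string samAccountName)
    {
        // Escape per RFC 4515 so caller-supplied input cannot change the filter's structure.
        string escaped = samAccountName
            .Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28")
            .Replace(")", "\\29").Replace("\0", "\\00");

        var request = new SearchRequest(SearchBase,
            $"(&(objectClass=user)(sAMAccountName={escaped}))",
            SearchScope.Subtree, "mail");
        var response = (SearchResponse)connection.SendRequest(request);
        if (response.Entries.Count == 0) return null;

        var mail = response.Entries[0].Attributes["mail"];
        return mail is { Count: > 0 } ? mail[0].ToString() : null;
    }

    public static void Main()
    {
        string password = Environment.GetEnvironmentVariable("LDAP_SERVICE_PASSWORD")
            ?? throw new InvalidOperationException("LDAP_SERVICE_PASSWORD is not set");
        using LdapConnection connection = Connect("svc-api@corp.example.com", password); // assumed account
        Console.WriteLine(FindUserMail(connection, "jdoe") ?? "(no such user)");
    }
}
```

Two design choices worth noting. `CustomRootTrust` means only the internal CA that issued the domain controller's certificate is trusted, so a certificate from any public CA is rejected even if it is otherwise valid, which is the behaviour you want when the answer says the app "will need to trust the certificate offered by the LDAPS server". And the callback does its own host-name check because once `VerifyServerCertificate` is set, that delegate is the decision; returning `true` unconditionally (a common shortcut in samples) would accept any certificate presented by whoever sits on the path between Azure and the forwarded port. The callback is honoured on Windows; on Linux, where this library is backed by OpenLDAP, check that your .NET version applies it before relying on it.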