3

We are in the process of setting up a DMZ and I have stumbled into the question of how to handle machines that need to have ports exposed to the internet, but at the same time be able to make LDAP requests to our internal environment. We have a few Linux applications that only work by making LDAP requests to authenticate users. I am not sure if we can configure Kerboros or not (still checking), but I believe it must be done via straight up LDAP queries.

What would you recommend doing with a machine that required LDAP and be exposed directly to the internal at the same time?

Thanks in advance!

user135409
  • 31
  • 2
  • Depends on your security setup; I do use whatever is needed. LDAP Proxys, mirrors or just firewall rules (allowing DMZ>LAN for those machines). – bjoster Jan 16 '19 at 11:10

1 Answers1

2

Well, I believe that the best option is to Setup a slave LDAP server inside the DMZ. The Master/Replica LDAP will push changes to the slave LDAP over SSL (even self-signed certificates are fine) and your clients will ask over SSL the Slave LDAP.

A "schema" is the following:

(Back End)Master LDAP-->Replica LDAP-->(Firewall)-->(DMZ) Slave LDAP

Peter
  • 822
  • 2
  • 10
  • 23