
Re: Managing Access To an LDAP server.



Jason C. Leach wrote:

I have an LDAP server with all our posix accounts in it, hosts,
and a corporate 'Contacts' for Outlook.  I would like to have
a 'directory' service from our Website so people can look up
employee work numbers and email addresses.

This is a lot of stuff you wouldn't want accessible from the internet, I assume.


This would require me to move LDAP to the webserver or give
access to our intranet to the LDAP queries. Or run a separate
LDAP server on our Internet server.  The server is in a DMZ,
so fairly secure.

The most common approach I've seen is to leave the directory service on your intranet, and configure the DMZ to allow port 389 (or whatever) connections from the web server back to the directory server. If you do this, the application layer should be well-defined and secure, so that crafted or arbitrary requests couldn't be submitted.


A special note: if you use connection pooling, you may experience requests coming *from* the internal server's directory port to "arbitrary" ports on your internet server. If these requests are blocked, the pooled connection will hang. In other words, you may need to open an additional range of ports from the directory server to the DMZ machine to support connection pooling.

I've written Java servlets that do this sort of thing, and have an open source gateway application that could be used to create a phone directory application, among other things. You can find out about it at:

http://www.mentata.com/ldaphttp/

I am not big on data replication, but it's also possible to duplicate your database (or a subset of it) to a machine in your DMZ as you mention. You could potentially be more secure, but you'd also have a high administration cost.

Jon Roberts
www.mentata.com
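
An added example, not part of the thread or of the mentata.com gateway, of what the "well-defined and secure application layer" Jon recommends looks like in practice for the phone-directory case: the DMZ web tier accepts a name search from the browser, validates it, escapes it for the LDAP filter grammar (RFC 4515), fixes the search base, scope and returned attributes itself, and strips anything unexpected from the entries the internal directory returns. It is written in Python rather than Java so the logic is easy to read and run; the base DN, attribute names and the sample entry are constructed for illustration, and the actual LDAP connection is left to whatever client library you use (the function returns the request as a dict). The deliberately naive `naive_filter` is kept beside the hardened version to show exactly which request a crafted query would otherwise reach the internal server with.

```python
# Added example (not from the original e-mail): a constrained directory-lookup
# layer for a DMZ web server that queries an internal LDAP directory.
# Standard library only; the LDAP bind/search itself is out of scope.
import re

# Hypothetical directory layout, chosen for illustration.
PEOPLE_BASE_DN = "ou=People,dc=example,dc=com"
# The only attributes the DMZ side is ever allowed to ask for or pass on.
ALLOWED_ATTRS = ("cn", "telephoneNumber", "mail")
MAX_QUERY_LEN = 64
# Letters/digits (Unicode-aware), space, dot, apostrophe and hyphen: enough for
# names, and nothing that has meaning in an LDAP filter.
_QUERY_RE = re.compile(r"^[\w .'-]+$")


def naive_filter(query: str) -> str:
    """The bug this example exists to avoid: raw user input spliced into a filter."""
    return "(cn=*%s*)" % query


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP search filter per RFC 4515.

    Filter metacharacters, control characters and non-ASCII are emitted as
    backslash-hex UTF-8 bytes, e.g. '*' -> '\\2a', 'é' -> '\\c3\\a9'.
    """
    escaped = []
    for ch in value:
        if ch in "\\*()\x00" or ord(ch) < 0x20 or ord(ch) > 0x7E:
            escaped.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            escaped.append(ch)
    return "".join(escaped)


def build_directory_lookup(query: str, attrs=ALLOWED_ATTRS) -> dict:
    """Turn a free-text name search from the web form into a fixed-shape LDAP request.

    The web tier decides base, scope, attribute list and size limit; the
    user only supplies one assertion value, which is validated then escaped.
    """
    query = query.strip()
    if not query or len(query) > MAX_QUERY_LEN:
        raise ValueError("query must be 1..%d characters" % MAX_QUERY_LEN)
    if not _QUERY_RE.match(query):
        raise ValueError("query contains characters not allowed in a name search")
    not_exposed = set(attrs) - set(ALLOWED_ATTRS)
    if not_exposed:
        raise ValueError("attribute(s) not exposed by the gateway: %s" % sorted(not_exposed))
    term = escape_filter_value(query)  # defence in depth behind the regex
    ldap_filter = "(&(objectClass=inetOrgPerson)(|(cn=*%s*)(sn=%s*)))" % (term, term)
    return {
        "base": PEOPLE_BASE_DN,
        "scope": "one",          # people live directly under the base; no subtree walks
        "filter": ldap_filter,
        "attrs": list(attrs),
        "size_limit": 50,        # bound how much of the directory one request can pull
    }


def sanitize_entry(entry: dict) -> dict:
    """Keep only the attributes the gateway publishes, whatever the server returned."""
    return {k: v for k, v in entry.items() if k in ALLOWED_ATTRS}


if __name__ == "__main__":
    crafted = "*)(userPassword=*"
    print("naive:    ", naive_filter(crafted))
    try:
        build_directory_lookup(crafted)
    except ValueError as exc:
        print("hardened: rejected ->", exc)
    print("hardened: ", build_directory_lookup("Jon Roberts")["filter"])
    # Constructed sample entry, as an LDAP client might hand it back.
    sample = {"cn": ["Jon Roberts"], "telephoneNumber": ["555-0100"],
              "userPassword": ["{SSHA}notreallyahash"], "gidNumber": ["100"]}
    print("published:", sanitize_entry(sample))
```

The validation regex does the real work of keeping the request to the shape you intended; the RFC 4515 escaping is there so that loosening the regex later (to allow, say, commas or parentheses in names) does not silently turn into filter injection. Pair this with a dedicated, read-only bind DN whose ACLs only grant the same three attributes, and the firewall rule from the web server to the directory port is only exposing what the application layer already limits.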