Re: Manageing Access To an LDAP server.

[Jon Roberts <jon@mentata.com>]

Jason C. Leach wrote:

> I have an LDAP server with all our posix accounts in it, hosts,
> and a corporate 'Contacts' for Outlook.  I would like to have
> a 'directory' service from our Website so people can lookup
> emploie work numbers, and email addresses.

This is a lot of stuff you wouldn't want accessible from the internet, I 
assume.

> This would require me to move LDAP to the webserver or give
> access to our intranet to the LDAP queries. Or run a seporate
> LDAP server on our Internet server.  The server is in a DMZ
> so fairly secure.

The most common approach I've seen is to leave the directory service on 
your intranet, and configure the DMZ to allow port 389 (or whatever) 
connections from the web server back to the directory server. If you do 
this, the application layer should be well-defined and secure, so that 
crafted or arbitrary requests couldn't be submitted.

A special note: if you use connection pooling, you may experience 
requests coming *from* the internal server's directory port to 
"arbitrary" ports on your internet server. If these requests are 
blocked, the pooled connection will hang. In other words, you may need 
to open an additional range of ports from the directory server to the 
DMZ machine to support connection pooling.

I've written Java servlets do this sort of thing, and have an open 
source gateway application that could be used to create a phone 
directory application, among other things. You can find out about it at:

http://www.mentata.com/ldaphttp/

I am not big on data replication, but it's also possible to duplicate 
your database (or a subset of it) to a machine in your DMZ as you 
mention. You could potentially be more secure, but you'd also have a 
high administration cost.

Jon Roberts
www.mentata.com