Re: Managing Access To an LDAP server.
Jason C. Leach wrote:
> I have an LDAP server with all our posix accounts in it, hosts,
> and a corporate 'Contacts' for Outlook. I would like to have
> a 'directory' service from our Website so people can lookup
> employee work numbers, and email addresses.
This is a lot of stuff you wouldn't want accessible from the internet, I
> This would require me to move LDAP to the webserver or give
> access to our intranet to the LDAP queries. Or run a separate
> LDAP server on our Internet server. The server is in a DMZ
> so fairly secure.
The most common approach I've seen is to leave the directory service on
your intranet, and configure the DMZ to allow port 389 (or whatever)
connections from the web server back to the directory server. If you do
this, the application layer should be well-defined and secure, so that
crafted or arbitrary requests couldn't be submitted.
A special note: if you use connection pooling, you may experience
requests coming *from* the internal server's directory port to
"arbitrary" ports on your internet server. If these requests are
blocked, the pooled connection will hang. In other words, you may need
to open an additional range of ports from the directory server to the
DMZ machine to support connection pooling.
I've written Java servlets to do this sort of thing, and have an open
source gateway application that could be used to create a phone
directory application, among other things. You can find out about it at:
I am not big on data replication, but it's also possible to duplicate
your database (or a subset of it) to a machine in your DMZ as you
mention. You could potentially be more secure, but you'd also have a
high administration cost.
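The "well-defined application layer" the reply recommends for the web-server side, as an added example that is not part of this thread or of the author's Java servlet gateway: the gateway fixes the base DN, scope, returned attributes and filter shape, and only the escaped lookup string varies. The base DN, the inetOrgPerson schema and the LDAP client that consumes the returned filter are assumptions.

```python
# Added example: a minimal, fixed-shape directory lookup for the DMZ web
# tier (not code from the original thread). Assumes a hypothetical directory
# of inetOrgPerson entries under ou=people,dc=example,dc=com and any LDAP
# client (python-ldap, ldap3, ...) that accepts a filter string and an
# attribute list; the DMZ -> intranet:389 path is assumed to be permitted.

# Attributes the public directory may return. posixAccount fields, uid,
# host entries etc. are never requested, so they never reach the web tier.
ALLOWED_ATTRS = ("cn", "telephoneNumber", "mail")

# Fields a visitor may search on, and the maximum query length accepted.
SEARCHABLE_ATTRS = ("cn", "mail")
MAX_QUERY_LEN = 64


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied string for use inside an LDAP search filter
    (RFC 4515 section 3). Filter metacharacters and non-printable or
    non-ASCII bytes become \\XX hex escapes, so the value cannot close or
    extend the filter the application built."""
    out = []
    for byte in value.encode("utf-8"):
        if byte in b"*()\\\x00" or byte < 0x20 or byte > 0x7E:
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def build_directory_filter(query: str) -> str:
    """Build the only filter shape the gateway ever sends: a substring match
    of the escaped query against the searchable attributes, restricted to
    person entries. Raises ValueError on empty or over-long input."""
    query = query.strip()
    if not query or len(query) > MAX_QUERY_LEN:
        raise ValueError("query must be 1..%d characters" % MAX_QUERY_LEN)
    safe = escape_filter_value(query)
    clauses = "".join("(%s=*%s*)" % (attr, safe) for attr in SEARCHABLE_ATTRS)
    return "(&(objectClass=inetOrgPerson)(|%s))" % clauses


def directory_search_request(query: str) -> dict:
    """The complete search the web tier is allowed to issue. Base DN,
    scope and attribute list are constants; only the filter value varies."""
    return {
        "base": "ou=people,dc=example,dc=com",  # hypothetical base DN
        "scope": "subtree",
        "filter": build_directory_filter(query),
        "attributes": list(ALLOWED_ATTRS),
    }
```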