On 11/11/06, Rickard Oberg <[EMAIL PROTECTED]> wrote:
> Marc-Antoine Garrigue wrote:
> > Hi Rickard,
> > Could you explain what requirements/limitations of your context lead
> > you to locate the CAS Server A in the internal network instead of the DMZ?
>
> Very simple: there is NO way that security-minded(/paranoid) people
> would put their LDAP directory with their authentication information in
> a DMZ.

This makes sense.

> Since the authentication server needs access to the LDAP
> directory for login, the whole scheme breaks down.
>
> Hasn't this been encountered before? How do other people solve this?

You may leave the LDAP in the internal network and establish a secured
trust channel between your CAS Server in the DMZ and the LDAP in the
internal network.

> > About deploying a ticket manager service in the DMZ, with ticket
> > replication between A and C, this could be done using a distributed
> > ticket registry (next release).
>
> Alright, sounds good.
>
> But as above, I'm really curious how people reason about this problem
> today. This network topology issue seems kind of critical for the whole
> idea.
>
> /Rickard

I may have missed something: I don't get why this configuration (CAS
and web servers in the DMZ, LDAP behind a firewall in the internal
network) differs from a classical 3-tier architecture?

MAG

-- 
Best regards.
Marc-Antoine Garrigue
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
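The layout discussed above (web front end and CAS server in the DMZ, LDAP directory in the internal network, with a "secured trust channel" between the DMZ and the directory) can be written down as a default-deny flow policy plus a hardened TLS client for the one permitted hop. The following is an added illustration, not code from this thread or from the CAS project: zone names, the flow table and the port numbers are constructed for the example, and the TLS context uses only the Python standard library's ssl module, so it runs offline without a directory server.

```python
"""Added example (not from the CAS mailing-list thread): model the
"CAS in the DMZ, LDAP in the internal network" layout as a firewall
allow-list plus a hardened TLS client context for the DMZ-to-LDAP hop.
Zone names, ports and the policy table are constructed for illustration."""
import ssl
from dataclasses import dataclass

# Constructed flow policy: (source zone, destination zone, port).
# Only the CAS host in the DMZ may reach the directory, and only over LDAPS;
# nothing from the internet reaches the internal network directly.
ALLOWED_FLOWS = {
    ("internet", "dmz", 443),   # browsers -> CAS login page / web front end
    ("dmz", "internal", 636),   # CAS server -> LDAP directory over TLS
}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    port: int


def flow_permitted(flow: Flow) -> bool:
    """Default-deny check: a flow is allowed only if explicitly listed."""
    return (flow.src_zone, flow.dst_zone, flow.port) in ALLOWED_FLOWS


def audit_flows(flows):
    """Return the proposed flows the policy would block (for review)."""
    return [f for f in flows if not flow_permitted(f)]


def make_ldap_client_context(cafile=None, client_cert=None, client_key=None):
    """TLS context the DMZ host uses toward the internal directory.

    - verifies the directory's certificate against a CA (system store or cafile)
    - checks the hostname, so a spoofed directory answering in the DMZ is refused
    - refuses anything below TLS 1.2
    - optionally presents a client certificate (mutual TLS) so the directory
      identifies the CAS host by key material, not by its network position
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if client_cert and client_key:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def describe_context(ctx):
    """Plain-string summary of the settings that matter for the trust channel."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


if __name__ == "__main__":
    proposed = [
        Flow("internet", "dmz", 443),
        Flow("dmz", "internal", 636),
        Flow("internet", "internal", 389),  # direct LDAP from outside: blocked
        Flow("dmz", "internal", 389),       # plaintext LDAP from the DMZ: blocked
    ]
    for f in audit_flows(proposed):
        print("BLOCKED:", f)
    print(describe_context(make_ldap_client_context()))
```

The point of the two halves is that the firewall rule alone only says "the DMZ may talk to the directory on 636"; the TLS settings are what make that hop a trust channel, since the CAS host verifies it is talking to the real directory and, with a client certificate, the directory can restrict binds to that one host. The bind account CAS uses should of course be limited to the lookups it needs; that part is directory configuration and is not shown here.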
