Putting the authentication server, be it LDAP or RADIUS, on
the private network is most common from my experience. You
would only allow authentication sessions from a specified host
to the auth server through your inside firewall.
I suppose you could set up two-stage authentication using an
LDAP in the DMZ and then one on the private network. You
might not want to replicate in that case. A little more work
to manage, but that's always the case when making it more
secure.
jc
Thusly Thwacked By Christian Hammers:
> On Sun, May 20, 2001 at 11:23:04PM +0200, Torstein Tauno Svendsen wrote:
> > Well, if you place the LDAP server in the DMZ and use it for user
> > authentication on the internal network, you have a _huge_ problem if
> > the LDAP server machine gets compromised (i.e. evil cracker has
> > control over you accounts and passwords)
> if you place it on a dedicated host there are not many more ways to compromise
> this server than if you'd put it into the internal network.
> Of course, you should not put it onto the web server host!
>
> > I've been thinking about the same problem, and at our site we are
> > planning to put separate LDAP servers in the DMZ, and use replication
> > to push changes to them from a master server on the internal network.
> > (Just have to find a way of preventing it from pushing attributes we
> > don't want published in the DMZ (i.e. the user passwords and such -
> > the ldap-servers in the DMZ will be used for mail-routing, so the
> > passwords are not needed)
> You could write a little script that reads the replication log or runs minutely
> and just updates chosen attributes on the DMZ host, i.e. don't use the built-in
> replication feature at all.
>
> > Torstein
> bye,
>
> -christian-
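The approach the quoted part of the thread converges on (Torstein's requirement that passwords never reach the DMZ replica, and Christian's suggestion of a small script that pushes only chosen attributes instead of using the server's built-in replication) is shown below as an added example. It is not code from anyone on the list. It takes an LDIF export of the internal master, keeps only one subtree and an allowlist of attributes, and refuses to emit anything at all if a password attribute survives the filter. The subtree `ou=people,dc=example,dc=org`, the attribute allowlist and the sample entries are assumptions made up for the example.

```python
"""Selective, push-style replication of LDAP entries to a DMZ replica.

Added example (not code from the thread): takes an LDIF export from the
internal master, keeps only an allowlist of attributes within one subtree,
and refuses to emit anything if a password attribute survives. The output
is what a cron job on the internal side would push to the DMZ host.
"""
import base64

# Assumed for this example: the subtree and attributes the DMZ mail-routing
# replica needs. Allowlist, not denylist: anything not named here is dropped.
DMZ_SUBTREE = "ou=people,dc=example,dc=org"
DMZ_ALLOWED_ATTRS = {"objectclass", "cn", "uid", "mail", "mailroutingaddress"}
# Belt and braces: attributes that must never appear in the pushed data.
SECRET_ATTRS = {"userpassword", "sambantpassword", "sambalmpassword"}


def parse_ldif(text):
    """Minimal LDIF parser: unfolds continuation lines and decodes base64
    ('::') values. Returns [(dn, [(attr, value), ...])] with attribute
    names lowercased (LDAP attribute names are case-insensitive)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:     # folded line: join without the space
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines:
        if not line.strip() or line.startswith("#"):   # blank line ends an entry
            if current:
                entries.append(current)
                current = None
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):               # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        name = name.lower()
        if name == "dn":
            if current:
                entries.append(current)
            current = (value, [])
        elif current is not None:
            current[1].append((name, value))
    if current:
        entries.append(current)
    return entries


def filter_for_dmz(entries, subtree=DMZ_SUBTREE, allowed=DMZ_ALLOWED_ATTRS):
    """Keep only entries under `subtree`, and only allowlisted attributes."""
    out = []
    for dn, attrs in entries:
        if not dn.lower().endswith("," + subtree.lower()):
            continue                           # system accounts etc. never leave
        kept = [(a, v) for a, v in attrs if a in allowed]
        if any(a != "objectclass" for a, _ in kept):
            out.append((dn, kept))
    return out


def leaked_secrets(entries):
    """Final gate before pushing: list every (dn, attr) that must not be exported."""
    return [(dn, a) for dn, attrs in entries for a, _ in attrs if a in SECRET_ATTRS]


def to_ldif(entries):
    """Serialise back to LDIF, base64-encoding values LDIF cannot carry verbatim."""
    def fmt(name, value):
        if not value.isascii() or value != value.strip() or value[:1] in (":", "<"):
            return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
        return f"{name}: {value}"
    blocks = ["\n".join([fmt("dn", dn)] + [fmt(a, v) for a, v in attrs])
              for dn, attrs in entries]
    return "\n\n".join(blocks) + "\n"


def build_dmz_ldif(master_ldif, allowed=DMZ_ALLOWED_ATTRS):
    """Whole pipeline; raises rather than emit anything containing a secret."""
    filtered = filter_for_dmz(parse_ldif(master_ldif), allowed=allowed)
    leaks = leaked_secrets(filtered)
    if leaks:
        raise RuntimeError(f"refusing to export password attributes: {leaks}")
    return to_ldif(filtered)


# Constructed sample export from the internal master (made-up data).
SAMPLE_MASTER_LDIF = """\
dn: uid=jm,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
cn:: SsO2cmcgTcO8bGxlcg==
uid: jm
mail: jm@example.org
mailRoutingAddress: jm@mailhub.
 internal.example.org
userPassword: {SSHA}ZmFrZWhhc2hmYWtlc2FsdA==
telephoneNumber: +47 555 0100

dn: uid=svc-backup,ou=system,dc=example,dc=org
objectClass: account
objectClass: simpleSecurityObject
uid: svc-backup
userPassword: {SSHA}YW5vdGhlcmZha2VoYXNo
"""

if __name__ == "__main__":
    print(build_dmz_ldif(SAMPLE_MASTER_LDIF))
```

Run it from cron on the internal side and feed the output to ldapadd/ldapmodify against the DMZ host through the one firewall hole you open for that purpose; the DMZ server then holds nothing that an intruder on it could reuse to authenticate to the internal network. The point of the allowlist plus the final `leaked_secrets` gate is that a mis-edited attribute list fails closed: the job stops instead of quietly pushing password hashes.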