Christian Hammers <[EMAIL PROTECTED]> writes:

> On Sun, May 20, 2001 at 03:15:01PM -0400, Jeremy T. Bouse wrote:
> > Depending on what firewall system you are using (ipchains vs. iptables)
> > you might be better putting the LDAP server on the LAN and just have LDAP
> > connections from the DMZ interface NAT'd to the LAN interface. Deny all LDAP
> > access attempts from the WAN -> LAN channel so your LDAP server is properly
> > protected.
>
> Wouldn't it be better to place the LDAP server into the DMZ? In case nothing
> evil happens it doesn't make a difference, but in case the LDAP server gets
> cracked you could use the gained (normal) UID to exploit local root bugs
> in the intranet. OK, very hypothetical, but which drawbacks would
> putting it into the DMZ have?
Well, if you place the LDAP server in the DMZ and use it for user authentication on the internal network, you have a _huge_ problem if the LDAP server machine gets compromised (i.e. the evil cracker has control over your accounts and passwords).

I've been thinking about the same problem, and at our site we are planning to put separate LDAP servers in the DMZ, and use replication to push changes to them from a master server on the internal network. (Just have to find a way of preventing it from pushing attributes we don't want published in the DMZ, i.e. the user passwords and such. The LDAP servers in the DMZ will be used for mail routing, so the passwords are not needed.)

--
Torstein
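The split Torstein describes (master on the LAN, password-free replicas in the DMZ), as an added example in OpenLDAP 2.4 slapd.conf syntax; it is not configuration from the thread, and the suffix dc=example,dc=com, the master hostname and the replication identity cn=dmz-replicator are assumed. Note that syncrepl is consumer-initiated, so the DMZ replica pulls from the master and the firewall allows only that one DMZ-to-LAN LDAP connection, and userPassword is withheld by ACL on the master rather than trusting the replica to filter it.

```conf
#### master slapd.conf, inside the database section (internal network) ####
# Provider-side protection: the identity the DMZ replicas bind with may read
# the directory, but userPassword is denied to it explicitly. Even if a DMZ
# replica is compromised and its syncrepl stanza is edited to request every
# attribute, the master never hands out password hashes.
access to attrs=userPassword
    by self write
    by anonymous auth
    by dn.exact="cn=dmz-replicator,dc=example,dc=com" none
    by * none

access to *
    by dn.exact="cn=dmz-replicator,dc=example,dc=com" read
    by self write
    by users read
    by * none

# Serve the sync protocol to consumers; indexes keep the sync search cheap.
overlay syncprov
index entryCSN,entryUUID eq

#### DMZ replica slapd.conf, inside the database section (mail routing) ####
# The consumer connects out to the master; nothing on the LAN needs to reach
# this host on 389/636. The hostname below is assumed.
syncrepl rid=001
    provider=ldap://ldap-master.internal.example.com
    type=refreshAndPersist
    retry="60 +"
    searchbase="dc=example,dc=com"
    scope=sub
    filter="(objectClass=inetOrgPerson)"
    exattrs="userPassword"
    bindmethod=simple
    binddn="cn=dmz-replicator,dc=example,dc=com"
    credentials="REPLACE_WITH_REPLICATOR_SECRET"
    starttls=critical
    tls_reqcert=demand

# exattrs is consumer-side belt and braces: it keeps the replica's database
# free of the attribute, but the master ACL above is the real control.
# If the MTA queries the replica anonymously, restrict the replica's own
# ACLs to the mail-routing attributes it needs as well.
```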

