Putting the authentication server, be it LDAP or RADIUS, on the private network is most common from my experience. You would only allow authentication sessions from a specified host to the auth server through your inside firewall. I suppose you could set up two-stage authentication using an LDAP in the DMZ and then one on the private network. You might not want to replicate in that case. A little more work to manage, but that's always the case when making it more secure. jc
Thusly Thwacked By Christian Hammers:
> On Sun, May 20, 2001 at 11:23:04PM +0200, Torstein Tauno Svendsen wrote:
> > Well, if you place the LDAP server in the DMZ and use it for user
> > authentication on the internal network, you have a _huge_ problem if
> > the LDAP server machine gets compromised (i.e. evil cracker has
> > control over your accounts and passwords)
> If you place it on a dedicated host there are not many more ways to compromise
> this server than if you'd put it into the internal network.
> Of course, you should not put it onto the web server host!
>
> > I've been thinking about the same problem, and at our site we are
> > planning to put separate LDAP servers in the DMZ, and use replication
> > to push changes to them from a master server on the internal network.
> > (Just have to find a way of preventing it from pushing attributes we
> > don't want published in the DMZ (i.e. the user passwords and such -
> > the ldap-servers in the DMZ will be used for mail-routing, so the
> > passwords are not needed)
> You could write a little script that reads the replication log or runs
> minutely and just updates chosen attributes on the DMZ host, i.e. don't use the
> builtin replication feature at all.
>
> > Torstein
> bye,
>
> -christian-
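The "little script" Christian sketches above, written out as an added example (not code from the original thread): it filters an LDIF export from the internal master down to a whitelist of mail-routing attributes, so passwords never reach the DMZ replica. The attribute whitelist, hostnames and sample entries are constructed for illustration.

```python
# Added example: whitelist-based LDIF filter for a DMZ mail-routing replica.
# Attribute names and sample entries below are constructed, not from the thread.

DMZ_ATTRIBUTES = {"objectclass", "uid", "cn", "mail", "mailroutingaddress"}
# Never exported, even if someone later adds them to the whitelist by mistake.
NEVER_EXPORT = {"userpassword", "sambantpassword", "sambalmpassword"}

SAMPLE_LDIF = """\
dn: uid=torstein,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
uid: torstein
mail: torstein@example.org
mailRoutingAddress: torstein@mailhub.internal.example.org
userPassword: {SSHA}c2VjcmV0c2FsdA==
description:: VGhpcyBpcyBhIGxvbmcgZGVz
 Y3JpcHRpb24=

dn: cn=admin,dc=example,dc=org
objectClass: organizationalRole
userPassword: {SSHA}dGhpc2lzbm90cmVhbA==
"""

def parse_ldif(text):
    """Split LDIF into records (lists of lines); unfolds continuation lines."""
    records, current = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and current:
            current[-1] += raw[1:]          # folded line continues the previous one
        elif raw.strip() == "":
            if current:
                records.append(current)
                current = []
        elif not raw.startswith("#"):
            current.append(raw)
    return records

def filter_record(lines, allowed=DMZ_ATTRIBUTES, blocked=NEVER_EXPORT):
    """Keep the dn plus whitelisted attributes; None if only the dn would remain."""
    kept = []
    for line in lines:
        name = line.split(":", 1)[0].strip().lower()
        if name == "dn" or (name in allowed and name not in blocked):
            kept.append(line)
    return kept if len(kept) > 1 else None

def filter_ldif(text):
    """Return DMZ-safe LDIF containing every record that still carries data."""
    out = ["\n".join(k) for k in map(filter_record, parse_ldif(text)) if k]
    return "\n\n".join(out) + "\n" if out else ""
```

Run the result through ldapmodify (or ldapadd) against the DMZ server from a cron job; the internal master is never contacted by the DMZ side, and a compromised replica yields no password hashes.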

