Are you sure that's what they're asking, and that they aren't simply asking to 
have ldap access from some external IP address range which you'd provide via an 
inbound firewall rule with an ACL and NAT so that only their specific IP 
addresses can authenticate?

Not sure I'd be too comfortable with either, but the latter is much better than 
the former IMO.
________________________________
From: [email protected] [[email protected]]
Sent: 22 September 2011 6:57 PM
To: NT System Admin Issues
Subject: LDAP\DC with a public IP

We are getting a new product to report variances.  It is web-based but using 
LDAP to authenticate users.  The way it works is that a person can log a 
variance anonymously but then directors can use their AD credentials to log in 
and report their findings.
My issue is that they want my two LDAP servers (which are my dc's) to have a 
public IP address.  Even with ACL and security, I am very uncomfortable with 
having my DC's be "visible" on the 'net.  From past experience of scanning my 
firewall logs, I know that a lot of times, hackers (or script kiddies) just use 
a range of public IP's to scan for vulnerabilities.
Am I being unduly alarmist in my concern?  Do other organizations attach a 
public IP to their LDAP servers?
Thanks for any opinions you can give me.  I have no problem going back to the 
people involved and saying 'I was wrong.'  OTOH, I also have no problem 
telling them no way, you need to come up with a workaround.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
[email protected]<mailto:[email protected]>
with the body: unsubscribe ntsysadmin

--
MIRA Ltd

Watling Street, Nuneaton, Warwickshire, CV10 0TU, England
Registered in England and Wales No. 402570
VAT Registration  GB 100 1464 84

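Added example, not part of either message in this thread: a small Python audit that models the reply's suggestion of an inbound ACL admitting only the vendor's source addresses to the LDAP ports, run over the kind of firewall log review the original poster describes. It parses constructed log lines, checks each LDAP/LDAPS connection attempt against a hypothetical vendor allowlist, counts the denied scanners, and flags any non-allowlisted source that the firewall nevertheless allowed through (a sign the ACL is not doing what was promised). All addresses (RFC 5737 documentation ranges), the log format and the allowlist are constructed assumptions, not values from the thread.

```python
"""Allowlist audit of inbound LDAP connection attempts in firewall logs.

Constructed example: the log line format, the vendor allowlist and every
address below are hypothetical and exist only to exercise the logic.
"""
import ipaddress
import re
from collections import Counter

LDAP_PORTS = {389, 636}  # LDAP and LDAPS

# Hypothetical vendor source ranges the inbound ACL should permit.
VENDOR_ALLOWLIST = [
    ipaddress.ip_network("203.0.113.0/28"),
    ipaddress.ip_network("203.0.113.77/32"),
]

# Constructed firewall log lines in a simple key=value style (not a real
# device format). 198.51.100.10 plays the externally exposed DC.
SAMPLE_LOG = """\
2011-09-22T18:57:01 ALLOW TCP src=203.0.113.5:40112 dst=198.51.100.10:636
2011-09-22T18:57:03 DENY TCP src=192.0.2.44:51223 dst=198.51.100.10:389
2011-09-22T18:57:03 DENY TCP src=192.0.2.44:51224 dst=198.51.100.10:636
2011-09-22T18:57:04 DENY TCP src=192.0.2.44:51225 dst=198.51.100.10:3389
2011-09-22T18:57:09 ALLOW TCP src=203.0.113.77:55010 dst=198.51.100.10:389
2011-09-22T18:57:15 DENY TCP src=198.51.100.200:2001 dst=198.51.100.10:389
2011-09-22T18:57:16 ALLOW TCP src=192.0.2.99:3001 dst=198.51.100.10:389
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>\S+) "
    r"src=(?P<src>[0-9.]+):(?P<sport>\d+) dst=(?P<dst>[0-9.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def source_permitted(src, allowlist=VENDOR_ALLOWLIST):
    """True if src falls inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allowlist)


def audit_ldap_access(log_text, allowlist=VENDOR_ALLOWLIST):
    """Classify every connection attempt aimed at an LDAP port.

    Returns a dict with:
      permitted   - Counter of allowlisted sources that reached LDAP ports
      blocked     - Counter of non-allowlisted sources the firewall denied
                    (the background scanning the original poster mentions)
      policy_gaps - records where a non-allowlisted source was ALLOWED,
                    i.e. the ACL is not restricting access as intended
      unparsed    - number of lines the parser could not read
    """
    result = {"permitted": Counter(), "blocked": Counter(),
              "policy_gaps": [], "unparsed": 0}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            result["unparsed"] += 1
            continue
        if rec["dport"] not in LDAP_PORTS:
            continue  # other ports are outside this audit's scope
        if source_permitted(rec["src"], allowlist):
            result["permitted"][rec["src"]] += 1
        elif rec["action"] == "DENY":
            result["blocked"][rec["src"]] += 1
        else:
            result["policy_gaps"].append(rec)
    return result


if __name__ == "__main__":
    report = audit_ldap_access(SAMPLE_LOG)
    print("permitted sources :", dict(report["permitted"]))
    print("blocked sources   :", dict(report["blocked"]))
    for gap in report["policy_gaps"]:
        print("POLICY GAP: %(src)s reached port %(dport)d at %(ts)s" % gap)
    print("unparsed lines    :", report["unparsed"])
```

In practice the allowlist would be the vendor's contractually stated source ranges and the log text would come from the firewall's export; the useful signal is an empty policy_gaps list combined with a blocked counter that shows the scanners are being dropped rather than reaching the DC.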

