
LDAP integration with OpenLDAP



    Scenario: 2 DCs in a local secure DMZ running Windows 2003 Server AD

    18 Linux servers which need to query this AD server for LDAP information. The 18 servers are in a different public DMZ with less security.

    For security reasons, we don't want all 18 servers talking to the DCs across the DMZ zones. The preferred solution would be to use some kind of LDAP gateway or bridge (not sure of the correct term for this), so the 18 Linux servers could query the LDAP gateway, which would sit in the same DMZ as the 18 servers. This gateway server would then in turn query the DCs in the local secure DMZ, thus reducing the number of open ports needed at the firewall level.

    Can anyone recommend an LDAP application to provide this for the gateway? Does such software even exist? It basically needs to act as an intermediary to allow all 18 servers to communicate with the LDAP provided by the 2 DCs.

    Many thanks for any help provided...

  • #2
    Re: LDAP integration with OpenLDAP

    I think an extra server is a higher risk than a properly configured firewall, but YMMV...

    Anyway, ADAM (Active Directory Application Mode) can do what you want. With R2 there is even a built-in sync tool for AD. ADAM is free with W2003.

    OTOH, I'm sure you can write something that will allow OpenLDAP to do the same thing.


    • #3
      Re: LDAP integration with OpenLDAP

      I tend to agree with wkasdo. If you take the proxy authentication route and choose either AD/AM or OpenLDAP (I have piloted both configurations, though for different purposes), you are limiting yourself to authentication via simple LDAP binds.

      The immediate implication is that if you do not secure the proxy LDAP server with a TLS/SSL layer, all the passwords will travel in clear text (not fun, eh?).

      If you still want to proceed the OpenLDAP route, the userPassword field in OpenLDAP will have to be in a form of (depending on the OpenLDAP version):
      {KERBEROS}[email protected]
      {SASL}[email protected]
      If I am not mistaken, up to version 2.1.x you can use the first notion, and with 2.2.x you can only use the second.

      This will make OpenLDAP realize that it should not authenticate the bind request locally, but rather forward it to the KDC (a DC that will be configured in /etc/krb5.conf on the OpenLDAP server).
      Guy Teverovsky
      "Smith & Wesson - the original point and click interface"
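
      The pass-through setup described in the reply above, written out as an added example (not configuration posted by anyone in this thread). It assumes OpenLDAP 2.2.x or later built with SASL password verification (the {SASL} form), the Cyrus saslauthd daemon on the gateway, and the hypothetical names dc=example,dc=com, AD.EXAMPLE.COM, dc1/dc2.ad.example.com and the user jdoe; the certificate paths are placeholders too. With this in place the 18 Linux servers only need to reach the gateway over LDAP/TLS, and only the gateway needs Kerberos (88/tcp and 88/udp) to the two DCs through the inter-DMZ firewall.

      ```conf
      # ---- /etc/openldap/slapd.conf on the gateway (OpenLDAP 2.2.x+) ----
      include         /etc/openldap/schema/core.schema
      include         /etc/openldap/schema/cosine.schema
      include         /etc/openldap/schema/inetorgperson.schema

      # TLS material (assumed paths). Without this the simple binds forwarded
      # by the Linux servers carry the AD password in clear text.
      TLSCACertificateFile    /etc/openldap/cacerts/ca.pem
      TLSCertificateFile      /etc/openldap/certs/gateway.pem
      TLSCertificateKeyFile   /etc/openldap/certs/gateway.key

      # Refuse any simple bind whose connection is not protected by at least
      # 128-bit TLS, so a misconfigured client fails loudly instead of leaking.
      security                simple_bind=128

      database        bdb
      suffix          "dc=example,dc=com"            # assumed suffix
      rootdn          "cn=Manager,dc=example,dc=com"
      directory       /var/lib/ldap

      # userPassword may be used for authentication but never read back;
      # everything else in the tree is readable by the bound clients.
      access to attrs=userPassword
              by anonymous auth
              by * none
      access to *
              by * read

      # ---- sample LDIF entry loaded on the gateway ----
      # The password attribute is a pointer to the Kerberos principal, not a
      # hash: slapd passes the bind password to saslauthd for verification.
      # dn: uid=jdoe,ou=People,dc=example,dc=com
      # objectClass: inetOrgPerson
      # uid: jdoe
      # cn: John Doe
      # sn: Doe
      # userPassword: {SASL}jdoe@AD.EXAMPLE.COM

      # ---- /usr/lib/sasl2/slapd.conf (Cyrus SASL config read by slapd) ----
      # Send {SASL} password checks to the saslauthd socket.
      # pwcheck_method: saslauthd

      # ---- saslauthd start-up (e.g. /etc/sysconfig/saslauthd) ----
      # Verify against the KDCs listed in /etc/krb5.conf, i.e. the DCs.
      # MECH=kerberos5

      # ---- /etc/krb5.conf on the gateway ----
      # [libdefaults]
      #     default_realm = AD.EXAMPLE.COM
      # [realms]
      #     AD.EXAMPLE.COM = {
      #         kdc = dc1.ad.example.com:88     # assumed DC names
      #         kdc = dc2.ad.example.com:88
      #     }
      ```

      A quick check from one of the Linux servers is `ldapwhoami -ZZ -x -H ldap://gateway -D uid=jdoe,ou=People,dc=example,dc=com -W`: with `-ZZ` the client insists on StartTLS, and because of the `security simple_bind=128` line the same bind without TLS is rejected by the gateway rather than silently accepted. Note that the gateway still has to be kept in sync with the user entries in AD (the reply mentions this is where ADAM's R2 sync tool is convenient); the example only covers the authentication path.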


      • #4
        Re: LDAP integration with OpenLDAP

        Thanks guys,

        I'll experiment with the ADAM route. It sounds like it could get quite complex taking the OpenLDAP route (esp. as I'm not that well up on Linux).