8 Apr
2021
8 Apr
'21
8:29 a.m.
On 4/8/21 5:24 PM, Michael Ströder wrote:
On 4/8/21 4:07 PM, work@seyboldt.org wrote:
i need to open my LDAP-Directory to a public available Server.
What is the best secure way to connect my LDAP-Server to my Public server?
This is a pretty broad question.
Good answers usually need more info:
- which kind of data is stored inside the LDAP server?
- how do LDAP clients access the server?
- which OS is the LDAP server running on?
- against which attacks do you want to protect your deployment?
Some more: - how is the data maintained? - do you only need data integrity or also data confidentiality?
Some general security measures include:
- use TLS-protected connections everywhere (StartTLS or LDAPS)
- use decently secure authentication mechs
- implement secure OpenLDAP ACLs to protect the database content
- build stripped-down, specific OpenLDAP packages for your needs
- use systemd's sand-boxing options (if using systemd on Linux at all)
- use kernel-level MAC like SELinux or AppArmor (if OS is Linux)
Some more: - have decent monitoring - implement decent metrics and log analysis (SIEM) - maybe implement push-replication (depending on network architecture)
Ciao, Michael.