On 4/8/21 5:24 PM, Michael Ströder wrote:
On 4/8/21 4:07 PM, work(a)seyboldt.org wrote:
> i need to open my LDAP-Directory to a public available Server.
> What is the best secure way to connect my LDAP-Server to my Public
This is a pretty broad question.
Good answers usually need more info:
- which kind of data is stored inside the LDAP server?
- how do LDAP clients access the server?
- which OS is the LDAP server running on?
- against which attacks do you want to protect your deployment?
- how is the data maintained?
- do you only need data integrity or also data confidentiality?
Some general security measures include:
- use TLS-protected connections everywhere (StartTLS or LDAPS)
- use decently secure authentication mechs
- implement secure OpenLDAP ACLs to protect the database content
- build stripped-down, specific OpenLDAP packages for your needs
- use systemd's sand-boxing options (if using systemd on Linux at all)
- use kernel-level MAC like SELinux or AppArmor (if OS is Linux)
- have decent monitoring
- implement decent metrics and log analysis (SIEM)
- maybe implement push-replication (depending on network architecture)