Hey,
I need to open my LDAP directory to a publicly available server.
What is the most secure way to connect my LDAP server to my public server? I thought about a proxy on my firewall where I could specify the requests that may reach my LDAP server, or is there a better or an official way to do this?
Thanks,
RMs3Q
On 4/8/21 4:07 PM, work@seyboldt.org wrote:
I need to open my LDAP directory to a publicly available server.
What is the most secure way to connect my LDAP server to my public server?
This is a pretty broad question.
Good answers usually need more info:
- which kind of data is stored inside the LDAP server?
- how do LDAP clients access the server?
- which OS is the LDAP server running on?
- against which attacks do you want to protect your deployment?
Some general security measures include:
- use TLS-protected connections everywhere (StartTLS or LDAPS)
- use decently secure authentication mechs
- implement secure OpenLDAP ACLs to protect the database content
- build stripped-down, specific OpenLDAP packages for your needs
- use systemd's sand-boxing options (if using systemd on Linux at all)
- use kernel-level MAC like SELinux or AppArmor (if OS is Linux)
Ciao, Michael.
On 4/8/21 5:24 PM, Michael Ströder wrote:
On 4/8/21 4:07 PM, work@seyboldt.org wrote:
I need to open my LDAP directory to a publicly available server.
What is the most secure way to connect my LDAP server to my public server?
This is a pretty broad question.
Good answers usually need more info:
- which kind of data is stored inside the LDAP server?
- how do LDAP clients access the server?
- which OS is the LDAP server running on?
- against which attacks do you want to protect your deployment?
Some more:
- how is the data maintained?
- do you only need data integrity or also data confidentiality?
Some general security measures include:
- use TLS-protected connections everywhere (StartTLS or LDAPS)
- use decently secure authentication mechs
- implement secure OpenLDAP ACLs to protect the database content
- build stripped-down, specific OpenLDAP packages for your needs
- use systemd's sand-boxing options (if using systemd on Linux at all)
- use kernel-level MAC like SELinux or AppArmor (if OS is Linux)
Some more:
- have decent monitoring
- implement decent metrics and log analysis (SIEM)
- maybe implement push-replication (depending on network architecture)
Ciao, Michael.
Thanks for your reply, and sorry for my late reply.
- do you only need data integrity or also data confidentiality?
Data confidentiality, since it will be read-only, just for user auth.
- which kind of data is stored inside the LDAP server?
Employee data like names, e-mail, passwords
- how do LDAP clients access the server?
We want to connect our public Git with our local UCS server (just for auth)
- which OS is the LDAP server running on?
Debian 9
- against which attacks do you want to protect your deployment?
We only want to do Gitea user auth against UCS/LDAP; therefore a proxy/filter came to mind, to let through only the needed requests. E.g. in order to auth a user you don't need to query their telephone number.
openldap-technical@openldap.org
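The attribute-level restriction the last message asks for (let the Git service authenticate users without being able to read their telephone numbers) is exactly what the "implement secure OpenLDAP ACLs" item in Michael's list covers, and it does not need a proxy: slapd can enforce it itself. The following is an added example written for this page, not configuration from the thread, from UCS or from Gitea. It is plain OpenLDAP cn=config syntax (how UCS feeds ACLs into its slapd is not covered here). The database index {1}mdb, the suffix dc=example,dc=org, the admin DN, the service bind DN cn=gitea,ou=services,dc=example,dc=org and the subtree ou=people are all assumptions; the attribute set (uid, cn, mail, userPassword) follows the data the poster said the service needs.

```ldif
# Added example, not from the original thread. All DNs and the database
# index are assumed; adjust them to the real directory.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Rule 0: refuse clear-text connections to this database outright. ssf=128
# requires at least 128-bit TLS (or SASL) protection; "break" lets protected
# connections fall through to the rules below, everyone else gets nothing.
olcAccess: {0}to *
  by ssf=128 break
  by * none
# Rule 1: userPassword may only ever be used for binding ("auth"). The user
# and the admin may change it; nobody, the service account included, may read
# it. "anonymous auth" is what allows the user's own simple bind to succeed.
olcAccess: {1}to attrs=userPassword
  by self write
  by dn.exact="cn=admin,dc=example,dc=org" write
  by anonymous auth
  by * none
# Rule 2: the Gitea service account gets read (which implies search) on the
# handful of attributes a login lookup needs, and on the "entry" pseudo
# attribute so the matching entries are returned at all.
olcAccess: {2}to dn.subtree="ou=people,dc=example,dc=org" attrs=entry,uid,cn,mail
  by dn.exact="cn=gitea,ou=services,dc=example,dc=org" read
  by self read
  by dn.exact="cn=admin,dc=example,dc=org" write
  by * none
# Rule 3: every other attribute under ou=people (telephoneNumber, address,
# ...) is invisible to the service account. ACL clauses are evaluated in
# order and the first matching "to" clause wins, so this never overrides
# rule 2 for uid/cn/mail.
olcAccess: {3}to dn.subtree="ou=people,dc=example,dc=org"
  by self read
  by dn.exact="cn=admin,dc=example,dc=org" write
  by * none
# Rule 4: nothing else in the database is visible to anyone but the admin.
olcAccess: {4}to *
  by dn.exact="cn=admin,dc=example,dc=org" write
  by * none
```

Two practical notes. Continuation lines in LDIF lose their first character, so the folded "by" clauses above start with two spaces to keep the separating blank. And before pointing Gitea at it, check the result from the service account's point of view rather than trusting the rules by reading them: an ldapsearch bound as cn=gitea over LDAPS must return uid/cn/mail for a test user and must not return telephoneNumber, and a plain ldap:// search without StartTLS must be refused by rule 0.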