7:07 a.m.
Hey,
i need to open my LDAP-Directory to a public available Server.
What is the best secure way to connect my LDAP-Server to my Public server?
I thought about a proxy to my Firewall there I could specify requests to my LDAP-Server,
or is there a better or an official way to do this?
Thanks,
RMs3Q
8:24 a.m.
On 4/8/21 4:07 PM, work(a)seyboldt.org wrote:
i need to open my LDAP-Directory to a public available Server.
What is the best secure way to connect my LDAP-Server to my Public
server?
This is a pretty broad question.
Good answers usually need more info:
- which kind of data is stored inside the LDAP server?
- how do LDAP clients access the server?
- which OS is the LDAP server running on?
- against which attacks do you want to protect your deployment?
Some general security measures include:
- use TLS-protected connections everywhere (StartTLS or LDAPS)
- use decently secure authentication mechs
- implement secure OpenLDAP ACLs to protect the database content
- build stripped-down, specific OpenLDAP packages for your needs
- use systemd's sand-boxing options (if using systemd on Linux at all)
- use kernel-level MAC like SELinux or AppArmor (if OS is Linux)
Ciao, Michael.
8:29 a.m.
On 4/8/21 5:24 PM, Michael Ströder wrote:
On 4/8/21 4:07 PM, work(a)seyboldt.org wrote:
> i need to open my LDAP-Directory to a public available Server.
>
> What is the best secure way to connect my LDAP-Server to my Public
> server?
This is a pretty broad question.
Good answers usually need more info:
- which kind of data is stored inside the LDAP server?
- how do LDAP clients access the server?
- which OS is the LDAP server running on?
- against which attacks do you want to protect your deployment?
Some more:
- how is the data maintained?
- do you only need data integrity or also data confidentiality?
Some general security measures include:
- use TLS-protected connections everywhere (StartTLS or LDAPS)
- use decently secure authentication mechs
- implement secure OpenLDAP ACLs to protect the database content
- build stripped-down, specific OpenLDAP packages for your needs
- use systemd's sand-boxing options (if using systemd on Linux at all)
- use kernel-level MAC like SELinux or AppArmor (if OS is Linux)
Some more:
- have decent monitoring
- implement decent metrics and log analysis (SIEM)
- maybe implement push-replication (depending on network architecture)
Ciao, Michael.
5:38 a.m.
Thanks for your Reply, and sorry for my late reply.
- do you only need data integrity or also data confidentiality?
Data confidentiality since it will be read only just for User-Auth.
- which kind of data is stored inside the LDAP server?
Employee
data like names, E-Mail, password
- how do LDAP clients access the server?
We want to connect our
public git with our local UCS-Server (just for Auth)
- which OS is the LDAP server running on?
Debian 9
- against which attacks do you want to protect your deployment?
We only want to do Gittea user Auth against UCS/LDAP, therefore Proxy/Filter came
into our mind to
filter out only the needed requests. E.g. in order to Auth a User you don't need to
query its
telephone number.
780
days inactive
791
days old
openldap-technical@openldap.org
3 comments
2 participants
participants (2)
-
Michael Ströder -
work@seyboldt.org