LDAP Synchronization

Posted on 2004-11-08
Last Modified: 2012-06-21
I may have set this up totally wrong...

I just moved my SLOX server into a DMZ.  Previously the SLOX machine was on the internal network with a private IP address, sending and receiving Internet mail through my firewall.  It was also serving as the network's DNS and PDC (Samba & LDAP).

So, I've moved it out of the internal network into the DMZ.  I configured a different server (SLES 9) on the internal network to serve as a file server using Samba, a domain controller using Samba and a name server.  I also built a new LDAP directory for the internal network, while the mail server in the DMZ has its own LDAP directory.

Is this a good design?  How can I synchronize the LDAP directories across the DMZ into the internal network without security risks?
Question by: etherbreeze
    LVL 40

    Expert Comment

    The only safe way would be to push changes in LDAP out to the server in the DMZ.

    Author Comment

    So, how exactly can I automate this?  The LDAP database on the internal network has everything: BIND data, Samba data, etc...  I really only want the mail server to receive password updates when a user changes their password.  Preferably, I would like for the mail server to receive these updates automatically - Is this just a simple change I make to a schema or conf file?  I would like to avoid using a cron job if possible...
    LVL 40

    Accepted Solution

    It won't be simple unless you are willing to compromise security by opening the firewall between the internal LDAP server and the machine in the DMZ so that the DMZ LDAP server could be a replica. The alternative to that would be something that runs from cron, detects the changes in LDAP, and interacts with the DMZ LDAP server to apply those updates.

    Personally I'm not a big fan of having mail servers in a DMZ. In a corporate environment there's a risk of exposure of sensitive information if the server gets compromised and most organizations are pretty dependent on mail. So a server that is that exposed could be more easily penetrated and brought down.
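The cron-based option from the accepted solution, done in the push direction the first expert comment recommends (internal network to DMZ, never the reverse), worked through as an added example. This is not code from the thread, nor anything shipped with SLOX or SLES: the internal slapd exports only the DN and userPassword with ldapsearch, the script compares the hashes against a small state file of what was pushed last time, and ldapmodify applies just the changed passwords to the DMZ mail server over LDAPS. The directory suffixes, hostnames, bind accounts, file paths, the choice of userPassword as the only attribute that leaves the internal network, and the SAMPLE_EXPORT data are all assumptions made for the illustration.

```python
# Added example (not from the original thread): one-way password push from
# the internal LDAP server to the DMZ mail server, run from cron. Hostnames,
# DNs, bind accounts, paths and the attribute choice are assumptions.
import base64
import json
import subprocess

SRC_BASE = "dc=corp,dc=example"  # internal directory suffix (assumed)
DST_BASE = "dc=mail,dc=example"  # DMZ mail directory suffix (assumed)


def unfold(text):
    """Join LDIF continuation lines (a line beginning with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """ldapsearch -LLL output -> list of {attr(lowercased): [values]}. Handles
    'attr: v' and base64 'attr:: v' (OpenLDAP emits userPassword that way)."""
    entries, cur = [], None
    for line in unfold(text) + [""]:
        if not line.strip():  # a blank line ends the current entry
            if cur:
                entries.append(cur)
            cur = None
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        value = (base64.b64decode(rest[1:].strip()).decode("utf-8")
                 if rest.startswith(":") else rest.strip())
        if attr.lower() == "dn":
            cur = {}
        if cur is not None:
            cur.setdefault(attr.lower(), []).append(value)
    return entries


def rewrite_dn(dn, src_base=SRC_BASE, dst_base=DST_BASE):
    """Map an internal DN onto the DMZ suffix (same RDN layout assumed)."""
    if dn.lower().endswith(src_base.lower()):
        return dn[: len(dn) - len(src_base)] + dst_base
    return dn


def plan_push(entries, state):
    """[(internal_dn, dmz_dn, hash)] for entries whose userPassword differs
    from the state file; Samba, BIND and posix attributes are never read."""
    changes = []
    for e in entries:
        if "userpassword" in e:
            dn, pw = e["dn"][0], e["userpassword"][0]
            if state.get(dn) != pw:
                changes.append((dn, rewrite_dn(dn), pw))
    return changes


def to_modify_ldif(changes):
    """Render the changes as LDIF 'changetype: modify' records for ldapmodify."""
    out = []
    for _, dmz_dn, pw in changes:
        b64 = base64.b64encode(pw.encode("utf-8")).decode("ascii")
        out.append(f"dn: {dmz_dn}\nchangetype: modify\n"
                   f"replace: userPassword\nuserPassword:: {b64}\n-\n")
    return "\n".join(out)


# Constructed sample export, shaped like ldapsearch -LLL output (one folded DN).
SAMPLE_EXPORT = (
    "dn: uid=alice,ou=People,dc=corp,dc=example\n"
    "userPassword:: e1NTSEF9YWJj\n"  # base64 of the made-up hash {SSHA}abc
    "\n"
    "dn: uid=bob,ou=People,\n dc=corp,dc=example\n"
    "userPassword:: e1NTSEF9ZGVm\n"  # base64 of the made-up hash {SSHA}def
    "\n"
    "dn: cn=fileserver,ou=Hosts,dc=corp,dc=example\n"
    "sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF\n"  # must never be pushed
    "\n"
)


def main(state_file="/var/lib/pwpush/state.json"):
    """Cron entry point: needs only an outbound 636/tcp rule from the internal
    LDAP host to the DMZ mail server; nothing is opened inward."""
    try:
        with open(state_file) as f:
            state = json.load(f)
    except FileNotFoundError:
        state = {}
    export = subprocess.run(
        ["ldapsearch", "-LLL", "-x", "-H", "ldap://localhost",
         "-D", "cn=pwpush," + SRC_BASE, "-y", "/etc/pwpush/local.pw",
         "-b", "ou=People," + SRC_BASE, "(objectClass=posixAccount)",
         "userPassword"], capture_output=True, text=True, check=True).stdout
    changes = plan_push(parse_ldif(export), state)
    if changes:
        subprocess.run(
            ["ldapmodify", "-x", "-H", "ldaps://mail.dmz.example",
             "-D", "cn=pwpush," + DST_BASE, "-y", "/etc/pwpush/dmz.pw"],
            input=to_modify_ldif(changes), text=True, check=True)
        state.update({src: pw for src, _, pw in changes})  # only after success
        with open(state_file, "w") as f:
            json.dump(state, f)


if __name__ == "__main__":
    main()
```

Two caveats for the DMZ side: give the pwpush bind account an ACL on the mail server's slapd that allows writing userPassword and nothing else, so a compromise of the DMZ host or of that account cannot be turned into anything more than a password overwrite, and make sure the hash scheme stored in the internal directory (here {SSHA}) is one the DMZ server's slapd can verify, since the script copies hashes, never cleartext.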
