LDAP Synchronization

I may have set this up totally wrong...

I just moved my SLOX server into a DMZ.  Previously the SLOX machine was on the internal network with a private IP address, sending and receiving Internet mail through my firewall.  It was also serving as the network's DNS and PDC (Samba & LDAP).

So, I've moved it out of the internal network into the DMZ.  I configured a different server (SLES 9) on the internal network to serve as a file server using Samba, a domain controller using Samba and a name server.  I also built a new LDAP directory for the internal network, while the mail server in the DMZ has its own LDAP directory.

Is this a good design?  How can I synchronize the LDAP directories across the DMZ into the internal network without security risks?
etherbreeze asked:

jlevie commented:
The only safe way would be to push changes in LDAP out to the server in the DMZ.
0
etherbreeze (Author) commented:
So, how exactly can I automate this?  The LDAP database on the internal network has everything: BIND data, Samba data, etc...  I really only want the mail server to receive password updates when a user changes their password.  Preferably, I would like for the mail server to receive these updates automatically - Is this just a simple change I make to a schema or conf file?  I would like to avoid using a cron job if possible...
0
jlevie commented:
It won't be simple unless you are willing to compromise security by opening the firewall between the internal LDAP server and the machine in the DMZ so that the DMZ LDAP server could be a replica. The alternative to that would be something that runs from cron, detects the changes in LDAP, and interacts with the DMZ LDAP server to apply those updates.

Personally I'm not a big fan of having mail servers in a DMZ. In a corporate environment there's a risk of exposure of sensitive information if the server gets compromised, and most organizations are pretty dependent on mail. So a server that is exposed could be more easily penetrated and brought down.
0
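The cron-driven push jlevie describes, sketched as an added example (not code from this thread): the internal side runs it, pulls only the accounts whose entry changed since the last run, and emits an LDIF that replaces nothing but userPassword on the DMZ copy, so the DMZ server never holds credentials for the internal directory. The base DNs, uids, hashes and timestamps are constructed placeholders.

```python
import base64

INTERNAL_BASE = "ou=People,dc=example,dc=internal"  # assumed internal suffix
DMZ_BASE = "ou=People,dc=mail,dc=dmz"               # assumed DMZ suffix

# Constructed stand-in for the output of:
#   ldapsearch -LLL -b "$INTERNAL_BASE" '(objectClass=posixAccount)' \
#              userPassword modifyTimestamp
# (OpenLDAP emits userPassword base64-encoded with '::'; both forms handled.)
SAMPLE_SEARCH = """\
dn: uid=alice,ou=People,dc=example,dc=internal
userPassword: {SSHA}placeholder-hash-alice
modifyTimestamp: 20240105120000Z

dn: uid=bob,ou=People,dc=example,dc=internal
userPassword:: e1NTSEF9cGxhY2Vob2xkZXItaGFzaC1ib2I=
modifyTimestamp: 20231201090000Z
"""

def parse_search_ldif(text):
    """Parse simple dn/attr: value records (no continuation lines)."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # '::' means base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode()
        current[attr] = value.strip()
    if current:
        entries.append(current)
    return entries

def changed_since(entries, last_run):
    """Keep accounts modified after the previous run (GeneralizedTime sorts as text)."""
    return [e for e in entries
            if "userPassword" in e and e.get("modifyTimestamp", "") > last_run]

def to_dmz_modify_ldif(entries):
    """LDIF that replaces ONLY userPassword, with the DN re-based onto the DMZ suffix."""
    records = []
    for e in entries:
        dn = e["dn"].replace(INTERNAL_BASE, DMZ_BASE)
        pw = base64.b64encode(e["userPassword"].encode()).decode()
        records.append(f"dn: {dn}\nchangetype: modify\nreplace: userPassword\n"
                       f"userPassword:: {pw}\n-\n")
    return "\n".join(records)

if __name__ == "__main__":
    # last_run would come from a state file written after each successful push
    ldif = to_dmz_modify_ldif(changed_since(parse_search_ldif(SAMPLE_SEARCH),
                                            "20240101000000Z"))
    print(ldif)  # pipe into: ldapmodify -H ldaps://<dmz host> -D <push bind DN> -W
```

The bind DN used for the push should have write access to userPassword only on the DMZ tree, and the firewall rule is outbound internal-to-DMZ on the LDAPS port alone.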
