LDAP Synchronization

Posted on 2004-11-08
Medium Priority
Last Modified: 2012-06-21
I may have set this up totally wrong...

I just moved my SLOX server into a DMZ.  Previously the SLOX machine was on the internal network with a private IP address, sending and receiving Internet mail through my firewall.  It was also serving as the network's DNS and PDC (Samba & LDAP).

So, I've moved it out of the internal network into the DMZ.  I configured a different server (SLES 9) on the internal network to serve as a file server using Samba, a domain controller using Samba and a name server.  I also built a new LDAP directory for the internal network, while the mail server in the DMZ has its own LDAP directory.

Is this a good design?  How can I synchronize the LDAP directories across the DMZ into the internal network without security risks?
Question by: etherbreeze
LVL 40

Expert Comment

ID: 12528259
The only safe way would be to push changes in LDAP out to the server in the DMZ.

Author Comment

ID: 12533364
So, how exactly can I automate this?  The LDAP database on the internal network has everything: BIND data, Samba data, etc...  I really only want the mail server to receive password updates when a user changes their password.  Preferably, I would like for the mail server to receive these updates automatically - Is this just a simple change I make to a schema or conf file?  I would like to avoid using a cron job if possible...
LVL 40

Accepted Solution

jlevie earned 1000 total points
ID: 12536183
It won't be simple unless you are willing to compromise security by opening the firewall between the internal LDAP server and the machine in the DMZ so that the DMZ LDAP server could be a replica. The alternative to that would be something that runs from cron, detects the changes in LDAP, and interacts with the DMZ LDAP server to apply those updates.

Personally I'm not a big fan of having mail servers in a DMZ. In a corporate environment there's a risk of exposure of sensitive information if the server gets compromised, and most organizations are pretty dependent on mail. So a server that exposed could be more easily penetrated and brought down.
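The cron-driven push that the accepted answer describes, as an added example that is not code from the thread: it selects only accounts whose modifyTimestamp is newer than the last run and emits LDIF that replaces nothing but userPassword on the DMZ directory, so BIND and Samba data never leave the internal network. The DMZ suffix, the dict layout of the exported entries and the sample hashes are assumptions.

```python
"""Incremental, push-only password sync from the internal LDAP to the
DMZ mail server's LDAP (meant to run from cron on the internal side).

Example code, not from the original thread. Entries are assumed to come
from an ldapsearch export (not shown) and are modelled as dicts holding
uid, userPassword and modifyTimestamp. Only userPassword is forwarded."""
from datetime import datetime, timezone

DMZ_BASE = "ou=people,dc=mail,dc=example"   # assumed suffix on the DMZ server


def ldap_time(ts: datetime) -> str:
    """Format a datetime as LDAP GeneralizedTime, e.g. 20041108120000Z."""
    return ts.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def changed_since_filter(last_sync: str) -> str:
    """ldapsearch filter selecting accounts modified since the last run.

    last_sync is the GeneralizedTime saved by the previous run."""
    return f"(&(objectClass=posixAccount)(modifyTimestamp>={last_sync}))"


def password_ldif(entries, last_sync: str) -> str:
    """Emit 'changetype: modify / replace: userPassword' LDIF for changed
    entries only. GeneralizedTime in Z form is fixed-width, so string
    comparison orders timestamps correctly. No other attribute is copied."""
    ops = []
    for e in entries:
        if e["modifyTimestamp"] < last_sync:   # unchanged since last push
            continue
        ops.append("\n".join([
            f"dn: uid={e['uid']},{DMZ_BASE}",
            "changetype: modify",
            "replace: userPassword",
            f"userPassword: {e['userPassword']}",
            "-", "",
        ]))
    return "\n".join(ops)


# Constructed sample export; the hashes are made-up placeholders.
SAMPLE = [
    {"uid": "alice", "userPassword": "{SSHA}placeholderA", "modifyTimestamp": "20041108093000Z"},
    {"uid": "bob",   "userPassword": "{SSHA}placeholderB", "modifyTimestamp": "20041101120000Z"},
]

if __name__ == "__main__":
    since = "20041107000000Z"                # would be read from a state file
    print(changed_since_filter(since))
    print(password_ldif(SAMPLE, since))      # pipe into ldapmodify over ldaps to the DMZ host
    print(ldap_time(datetime.now(timezone.utc)))  # value to save for the next run
```

Because the internal host initiates the connection, the firewall only needs to allow outbound LDAPS from the internal directory server to the DMZ, not a replication path back in.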
