LDAP for Joomla web site on TMG 2010

Posted on 2011-05-03
Last Modified: 2012-06-27
We have a Joomla-based external web site (hosted by a hosting company) and I'd like to let the domain users use their credentials on the web site as well. Is it a good idea to publish LDAP to the outside? What's the best way to achieve that?

TMG 2010, Windows 2008 AD Environment
Question by: teomcam
    LVL 1

    Assisted Solution

    I personally would not replicate a production corporate LDAP / AD to the internet or make it accessible to the internet. You can do this securely though if you really want that integration:

    Get a dedicated IP for your hosting site so you are not shared and allow inbound port 636 (Secure LDAP) to a domain controller. This adds some risk exposing your AD to the internet but you can firewall it and only allow to a static site.

    Guide here on LDAPS setup.  

    I would look into doing a replicated AD as well to assure not all your information is replicated or accessible, just basic LDAP credentials. You may even be able to nightly batch to another LDAP solution, but getting passwords will be the problem.
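    The answer above relies on LDAPS (port 636) to protect the credentials on the way from the hosting provider to the domain controller. That only holds if the web side actually verifies the domain controller's certificate; an LDAPS client that accepts any certificate can be redirected to a fake DC and hand over staff passwords. The following is an added example, not code from this thread or from Joomla: a minimal LDAPS simple bind using only the Python standard library, with TLS 1.2+, a chain to our own CA file and a hostname match enforced. The DC host name, CA file path and bind DN are placeholders.

```python
# Added example, not code from the thread: an LDAPS simple bind using only the
# Python standard library, with the DC certificate verified against our own CA.
import socket
import ssl

def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber(tag: int, content: bytes) -> bytes:
    """One BER TLV element."""
    return bytes([tag]) + ber_len(len(content)) + content

def read_tlv(buf: bytes, pos: int = 0):
    """Decode one TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def build_simple_bind(msg_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] }, RFC 4511; msg_id < 128."""
    bind_req = ber(0x60, ber(0x02, b"\x03")              # version 3
                   + ber(0x04, bind_dn.encode())          # name (LDAPDN)
                   + ber(0x80, password.encode()))        # simple [0] OCTET STRING
    return ber(0x30, ber(0x02, bytes([msg_id])) + bind_req)

def parse_bind_result(data: bytes) -> int:
    """resultCode of a BindResponse: 0 = success, 49 = invalidCredentials."""
    tag, msg, _ = read_tlv(data)
    _, _, pos = read_tlv(msg)                  # skip messageID
    op_tag, op, _ = read_tlv(msg, pos)
    if tag != 0x30 or op_tag != 0x61:          # BindResponse is [APPLICATION 1]
        raise ValueError("not an LDAP BindResponse")
    _, code, _ = read_tlv(op)                  # resultCode ENUMERATED
    return int.from_bytes(code, "big")

def ldaps_bind(host: str, ca_file: str, bind_dn: str, password: str) -> int:
    """Bind over LDAPS (636) to a placeholder DC host; the TLS context requires
    TLS 1.2+, a chain to ca_file and a hostname match, so a spoofed DC fails."""
    ctx = ssl.create_default_context(cafile=ca_file)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, 636), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(build_simple_bind(1, bind_dn, password))
            return parse_bind_result(tls.recv(4096))
```

A call such as `ldaps_bind("dc1.example.test", "our-ca.pem", "cn=svc,dc=example,dc=test", "...")` returns 0 on success and 49 for wrong credentials; a certificate that does not chain to `our-ca.pem` or does not match the host name raises an `ssl.SSLError` before any password is sent.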
    LVL 5

    Accepted Solution

    For use over the internet a federated login model is best. ADFS can be used for this.

    ADFS is part of Windows 2008.
    LVL 5

    Expert Comment

    You might consider using Forefront UAG 2010 as the presentation and access platform for web applications integrated with the directory service.

    UAG 2010 works on top of TMG, so you have the protection layer covered.
    Also, using UAG you will be able to easily publish web applications as well as allow VPN access through one consistent platform.

    Check this:

    Then you can publish Joomla through UAG, which will mask all URLs and will control access to portal applications.
    What you can also do using the UAG platform is control whether the computers accessing the portal comply with certain policies and requirements (recent updates, antivirus, etc.).
    And in future, if you want, you can use it to deploy DirectAccess for clients with Windows 7, as UAG gives you NAT64 ability as well.

    So, I would strongly recommend checking this as a platform for web application publishing as well as single sign-on for multiple applications in the internal network.
    LVL 8

    Author Comment

    Thanks for the details, but please remember our web site is hosted by a third-party company, not on our servers! Please correct me if I misunderstood. Our web site will not be private only. It will be open to the public as well, and there might be parents and students as members, but only staff will use their domain user name and password. Is that achievable?
    LVL 5

    Assisted Solution

    Right, I started thinking about a solution and missed the point that the website is hosted outside.
    UAG will be useful when you are hosting your website yourself and want to present it outside.

    In case you want to expose your AD outside and integrate a 3rd-party application, the recommended way will be ADFS, as mentioned by xylog.
