Possible to use LDAP from protected network to log in users to DMZ?


Possible to use LDAP from protected network to log in users to DMZ?

Rikard Johnels

I am trying to set up a new and hopefully better network than the one we run today.

I have an ADSL router/firewall with DMZ and VPN capabilities.
I also have a web/FTP server for both customers and company users that I want
to put in the DMZ.
And I would like the DMZ server to check its users against the LDAP server
that's on the green protected LAN.
All I want to do is have a centralized user handling system.
Most of the users that use the web/FTP server are clients that don't have any
LAN accounts,
but the ones coming in from the LAN also have access to the DMZ for publishing
their work.
Nothing is to penetrate the firewall from either the red or the yellow network into
the green one unless via VPN, and granted access via the LDAP server...

Am I making any sense here?
 
    |
[firewall]---------[DMZ]
    |
    |--------------[LDAP]
    |
    |--------------[USER]


How would I go about this thing??

       
--
         /Rikard

-----------------------------------------------------------------------------
email   : [hidden email]
web     : http://www.rikjoh.com
mob     : +46 (0)763 19 76 25
------------------------ Public PGP fingerprint ----------------------------
< 15 28 DF 78 67 98 B2 16 1F D3 FD C5 59 D4 B6 78  46 1C EE 56 >


Re: Possible to use LDAP from protected network to log in users to DMZ?

Andy Smith-6
Rikard Johnels wrote:

> I am trying to set up a new and hopefully better network than the one we run today.
>
> I have an ADSL router/firewall with DMZ and VPN capabilities.
> I also have a web/FTP server for both customers and company users that I want
> to put in the DMZ.
> And I would like the DMZ server to check its users against the LDAP server
> that's on the green protected LAN.
> All I want to do is have a centralized user handling system.
> Most of the users that use the web/FTP server are clients that don't have any
> LAN accounts,
> but the ones coming in from the LAN also have access to the DMZ for publishing
> their work.
> Nothing is to penetrate the firewall from either the red or the yellow network into
> the green one unless via VPN, and granted access via the LDAP server...
>
> Am I making any sense here?
>  
>     |
> [firewall]---------[DMZ]
>     |
>     |--------------[LDAP]
>     |
>     |--------------[USER]
>
>
> How would I go about this thing??
>
>

It appears that your choices are:

a) Set up local accounts on the FTP server for internal users.

b) Put an LDAP server in the DMZ and replicate via a VPN tunnel to the
internal LDAP directory.

c) Establish a VPN tunnel directly between the FTP server and the LDAP
server.

d) If your firewall will allow it, create a second DMZ with a VPN tunnel
to the FTP server and LDAP ports open from the green network.

If there are not many internal users that need access to the server, then
a) is the simplest and, arguably, the most secure.

Regards,
Andy

--
----------------------
Andy Smith
[hidden email]
----------------------
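Whichever of Andy's options is chosen, the invariant Rikard states (nothing from the red or yellow network reaches green except via VPN) is worth checking mechanically against the firewall rule set rather than by eye. The following is an added example, not code from either poster: it models the three zones with constructed RFC 1918 addresses (the zone ranges, the host addresses 192.168.2.10 and 192.168.1.5, the rule names and the choice of LDAPS on port 636 are all assumptions for the example) and flags any allow rule into green that is not the single FTP-server-to-LDAP path over the tunnel that options c) or d) would open.

```python
"""
Added example (not from the original thread): a small first-match
firewall policy model for Rikard's three zones and a checker for his
invariant that no red or yellow traffic enters green except through
the one sanctioned LDAP-over-VPN path.  Every address, host and rule
name below is constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

# Constructed zone layout (assumption, not from the thread).
YELLOW = ip_network("192.168.2.0/24")      # DMZ
GREEN = ip_network("192.168.1.0/24")       # protected LAN
FTP_HOST = ip_network("192.168.2.10/32")   # DMZ web/FTP server
LDAP_HOST = ip_network("192.168.1.5/32")   # green LDAP server
LDAPS_PORT = 636                           # LDAP over TLS


def zone_of(addr: IPv4Address) -> str:
    """Red is everything that is not green or yellow."""
    if addr in GREEN:
        return "green"
    if addr in YELLOW:
        return "yellow"
    return "red"


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]      # None means any destination port
    action: str               # "allow" or "deny"
    via_vpn: bool = False     # True if the flow only exists inside the tunnel

    def matches(self, src: IPv4Address, dst: IPv4Address, dport: int) -> bool:
        return (src in self.src and dst in self.dst
                and (self.dport is None or self.dport == dport))


def decide(rules: List[Rule], src: IPv4Address, dst: IPv4Address, dport: int) -> str:
    """First matching rule wins; anything unmatched is denied."""
    for rule in rules:
        if rule.matches(src, dst, dport):
            return rule.action
    return "deny"


def is_sanctioned_ldap_path(rule: Rule) -> bool:
    """The only permitted red/yellow -> green flow: FTP host to LDAP host,
    LDAPS only, and only through the VPN tunnel."""
    return (rule.src == FTP_HOST and rule.dst == LDAP_HOST
            and rule.dport == LDAPS_PORT and rule.via_vpn)


def check_policy(rules: List[Rule]) -> List[str]:
    """Return a description of every allow rule that lets traffic from
    outside green into green without being the sanctioned LDAP path."""
    violations = []
    for rule in rules:
        if rule.action != "allow" or not rule.dst.overlaps(GREEN):
            continue
        if rule.src.subnet_of(GREEN):      # green -> green is out of scope
            continue
        if is_sanctioned_ldap_path(rule):
            continue
        violations.append(
            f"{rule.name}: allows {rule.src} -> {rule.dst}:{rule.dport or 'any'} "
            f"into green outside the LDAP-over-VPN path")
    return violations


# Constructed rule sets.  GOOD_RULES honours the invariant; BAD_RULES adds
# a plain-LDAP hole from the whole DMZ that a checker should catch.
GOOD_RULES = [
    Rule("ldaps-via-vpn", FTP_HOST, LDAP_HOST, LDAPS_PORT, "allow", via_vpn=True),
    Rule("green-publishes-to-dmz", GREEN, FTP_HOST, 22, "allow"),
    Rule("dmz-to-green-block", YELLOW, GREEN, None, "deny"),
    Rule("anyone-to-dmz-web", ip_network("0.0.0.0/0"), FTP_HOST, 80, "allow"),
]
BAD_RULES = GOOD_RULES + [
    Rule("dmz-to-ldap-plain", YELLOW, LDAP_HOST, 389, "allow"),
]

if __name__ == "__main__":
    for label, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(label, check_policy(rules) or "no violations")
    print(decide(GOOD_RULES, ip_address("203.0.113.7"), ip_address("192.168.1.5"), 636))
```

Because the checker reasons about rules rather than sampled flows, it catches the hole in `BAD_RULES` even though the earlier `dmz-to-green-block` rule would shadow it for most hosts in a first-match evaluation; a rule that is shadowed today becomes live the moment someone reorders the list.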
