Windows Server 2008 thread (Technical forum): External LDAP address - HELP!
  1. #1


    External LDAP address - HELP!

    Hi Everyone.

    Can anyone help please?????

    I'm currently working on a project that requires me to provide our LDAP details to sync with a booking system held externally to get all our users to be able to login. All our current LDAP-enabled tasks are held within our private network and the settings I can see all point to an internal IP which is our DC. The software wants a different address containing a public IP as it comes in via the web and I'm unsure what it is. I've tried all sorts of combinations from ldap://dc.domain.local:389 to ldaps://dc.domain.local:636. I've even tried our proxy server A record DNS but still to no avail.

    Any ideas where I might be going wrong? The software company says we should have an external LDAP address, but as a techie that didn't originally set it up, I can't find it!

    Many thanks!!!

  2. #2

    Steve21
    Quote Originally Posted by jabellamy
    The software wants a different address containing a public IP
    I've tried all sorts of combinations from ldap://dc.domain.local:389 to ldaps://dc.domain.local:636
    Surely if it wants a public IP, that'd be an external web address, not your internal domain, as that's not public. E.g. ldap.mydomain.com or whatever it's set up for. If you're trying all internal names, that wouldn't ever connect externally, unless I'm missing something?

    Steve

  3. #3

    Thanks Steve. To be honest I'm confused too, lol. I've tried that many different combinations. What would you expect it to look like? Any ideas? Where would it be set up? Basically I want an address to connect in...

  4. #4

    As long as you have a single external IP address, you could set your firewall to forward all traffic on that port to one of your DCs, or so I would have thought. Might be some security considerations to think of though

  5. #5

    Thanks sidewinder. Any ideas on how? I've never delved into the port forwarding firewall area in the past...

  6. #6

    Geoff
    Do not expose an Active Directory LDAP server to the internet.

  7. #7

    Quote Originally Posted by Geoff
    Do not expose an Active Directory LDAP server to the internet.
    Yeah, I was thinking it is probably a massive security risk. Ignore my advice, jabellamy!

  8. #8

    Edu-IT
    Quote Originally Posted by jabellamy
    Hi Everyone.

    Can anyone help please?????

    I'm currently working on a project that requires me to provide our LDAP details to sync with a booking system held externally to get all our users to be able to login. All our current LDAP-enabled tasks are held within our private network and the settings I can see all point to an internal IP which is our DC. The software wants a different address containing a public IP as it comes in via the web and I'm unsure what it is. I've tried all sorts of combinations from ldap://dc.domain.local:389 to ldaps://dc.domain.local:636. I've even tried our proxy server A record DNS but still to no avail.

    Any ideas where I might be going wrong? The software company says we should have an external LDAP address, but as a techie that didn't originally set it up, I can't find it!

    Many thanks!!!
    What software?

  9. #9

    localzuk
    Quote Originally Posted by Geoff
    Do not expose an Active Directory LDAP server to the internet.
    Indeed. Doing so is a recipe for a security nightmare.

    Reputable software providers usually provide a 'middle man' which either does the authentication part or relays information to the external server from within your network.

  10. #10
    januttall
    Quote Originally Posted by localzuk
    Indeed. Doing so is a recipe for a security nightmare.

    Reputable software providers usually provide a 'middle man' which either does the authentication part or relays information to the external server from within your network.
    I haven't done this, and I'm just asking, but if you put a firewall on the port forward so that only the external server's IP address is allowed in, would that have sufficient security or not? As it's difficult to send a request from an incorrect IP and get a reply, for the obvious reason. Or are there other concerns?

  11. #11

    Geoff
    It depends. If you're not using LDAPS then data is sent over the wire in clear text. You are also vulnerable to Man in the Middle attacks. If you don't lock it down on IP ranges then you are also vulnerable to information disclosure via anonymous rootDSE binds and brute force attacks (unfortunately Microsoft's LDAP implementation is very efficient, so 1000s of brute force password attempts can be serviced every second). You can mitigate the brute force attacks by using lockouts and a strong password policy (but I doubt that'd work so well in your environment), but any successful brute force and your entire AD structure is readable via LDAP. This obviously leads to other avenues of attack on other services relying on your AD authentication (websites, email, terminal services). It's just all round bad news from the get go.

    If they really really need to access your LDAP you need to make them use a VPN.
    Last edited by Geoff; 16th October 2012 at 12:11 PM.
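Added detection example, not code from the thread or from any of its posters: a Python script that runs the checks Geoff describes in #11 (simple binds over cleartext LDAP, anonymous rootDSE binds, brute-force bursts) together with the source-IP allowlist januttall asks about in #10, over constructed bind-log lines. The log format, the RFC 1918 "internal" ranges and the allowlisted external address are assumptions made for the example; a real deployment would feed it the DC's own LDAP bind events.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample bind log (not real data): "<timestamp> <source IP> <bind kind> <result>".
SAMPLE_LOG = """\
2012-10-16T12:00:01 192.168.10.5 simple-cleartext success
2012-10-16T12:00:02 203.0.113.7 anonymous-rootdse success
2012-10-16T12:00:03 203.0.113.7 simple-cleartext failure
2012-10-16T12:00:03 203.0.113.7 simple-cleartext failure
2012-10-16T12:00:04 203.0.113.7 simple-cleartext failure
2012-10-16T12:00:04 203.0.113.7 simple-cleartext failure
2012-10-16T12:00:05 203.0.113.7 simple-cleartext failure
2012-10-16T12:00:09 198.51.100.20 simple-cleartext success
"""
# Hypothetical policy: RFC 1918 ranges are "inside"; one external host (the booking system) is allowlisted.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_EXTERNAL = {ipaddress.ip_address("198.51.100.20")}
FAIL_THRESHOLD, WINDOW = 5, timedelta(seconds=10)   # N failed binds from one source within the window
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (success|failure)$")

def parse(log_text):
    """Turn log lines into (timestamp, source address, bind kind, result) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, kind, result = m.groups()
            events.append((datetime.fromisoformat(ts), ipaddress.ip_address(src), kind, result))
    return events

def findings(log_text):
    """Return sorted (source, issue) pairs; each rule mirrors one risk raised in the thread."""
    out = set()
    fails = defaultdict(list)              # per-source timestamps of recent failed binds
    for ts, src, kind, result in parse(log_text):
        external = not any(src in net for net in INTERNAL_NETS)
        if external and src not in ALLOWED_EXTERNAL:
            out.add((str(src), "bind from non-allowlisted external address"))
        if external and kind == "simple-cleartext":   # an IP allowlist alone does not fix this
            out.add((str(src), "simple bind over cleartext LDAP from the internet"))
        if external and kind == "anonymous-rootdse":
            out.add((str(src), "anonymous rootDSE bind from the internet"))
        if result == "failure":
            fails[src] = [t for t in fails[src] + [ts] if ts - t <= WINDOW]
            if len(fails[src]) >= FAIL_THRESHOLD:
                out.add((str(src), "possible brute force: %d failed binds in %ds"
                         % (len(fails[src]), WINDOW.seconds)))
    return sorted(out)
```

Note that the allowlisted host is still flagged for its cleartext simple bind, which is Geoff's point: restricting by source IP addresses the rootDSE and brute-force exposure but not the clear-text and man-in-the-middle problems.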

  12. #12
    januttall
    Quote Originally Posted by Geoff
    It depends. If you're not using LDAPS then data is sent over the wire in clear text. You are also vulnerable to Man in the Middle attacks. If you don't lock it down on IP ranges then you are also vulnerable to information disclosure via anonymous rootDSE binds and brute force attacks (unfortunately Microsoft's LDAP implementation is very efficient, so 1000s of brute force password attempts can be serviced every second). You can mitigate the brute force attacks by using lockouts and a strong password policy (but I doubt that'd work so well in your environment), but any successful brute force and your entire AD structure is readable via LDAP. This obviously leads to other avenues of attack on other services relying on your AD authentication (websites, email, terminal services). It's just all round bad news from the get go.

    If they really really need to access your LDAP you need to make them use a VPN.
    Agreed. I use OpenVPN on Ubuntu, but I was interested in whether locking out all IPs minus the external server would be a viable alternative for the problem above; but if it's plain text, don't. It sounds as bad as FTP for security. As I don't know enough about how LDAP transfers data, I thought I would ask.

  13. #13

    Anyone got an idea on how to redirect LDAP requests on Apache 2.2.9?

  14. #14

    localzuk
    Quote Originally Posted by jabellamy
    Anyone got an idea on how to redirect LDAP requests on Apache 2.2.9?
    What do you mean? Apache is an HTTP/HTTPS server, not an LDAP server, so the two aren't related.

  15. #15

    AngryTechnician
    It strikes me that this is the sort of scenario that Active Directory Lightweight Directory Services (AD LDS) is designed for. I haven't implemented it myself though, and as usual, the MS documentation is not for the faint of heart.
