Windows Server 2008 Thread, External LDAP address - HELP! in Technical
16th October 2012, 08:42 AM #1
Hi Everyone.
Can anyone help please?????
I'm currently working on a project that requires me to provide our LDAP details to sync with a booking system held externally to get all our users to be able to log in. All our current LDAP-enabled tasks are held within our private network and the settings I can see all point to an internal IP which is our DC. The software wants a different address containing a public IP as it comes in via the web and I'm unsure what it is. I've tried all sorts of combinations from ldap://dc.domain.local:389 to ldaps://dc.domain.local:636. I've even tried our proxy server A record DNS but still to no avail.
Any ideas where I might be going wrong? The software company says we should have an external LDAP address, but as a techie that didn't originally set it up, I can't find it!
Many thanks!!!
16th October 2012, 08:46 AM #2
Originally Posted by jabellamy:
The software wants a different address containing a public IP
I've tried all sorts of combinations from ldap://dc.domain.local:389 to ldaps://dc.domain.local:636
Surely if it wants a public IP, that'd be an external web address, not your internal domain. As that's not public. e.g. ldap.mydomain.com or whatever it's setup for. If you're trying all internal names, that wouldn't ever connect externally unless I'm missing something? 
Steve
16th October 2012, 08:57 AM #3
Thanks Steve. To be honest I'm confused too lol. I've tried that many different combinations. What would you expect it to look like? Any ideas? Where would it be set up? Basically I want an address to connect in...
16th October 2012, 09:00 AM #4
As long as you have a single external IP address, you could set your firewall to forward all traffic on that port to one of your DCs, or so I would have thought. Might be some security considerations to think of though.
16th October 2012, 11:11 AM #5
Thanks sidewinder. Any ideas on how? Never delved into the port forwarding firewall area in the past...
16th October 2012, 11:27 AM #6
Do not expose an Active Directory LDAP server to the internet.
16th October 2012, 11:28 AM #7
Originally Posted by Geoff:
Do not expose an Active Directory LDAP server to the internet.
Yeah, was thinking it is probably a massive security risk. Ignore my advice, jabellamy!
16th October 2012, 11:29 AM #8
Originally Posted by jabellamy:
Hi Everyone.
Can anyone help please?????
I'm currently working on a project that requires me to provide our LDAP details to sync with a booking system held externally to get all our users to be able to log in. All our current LDAP-enabled tasks are held within our private network and the settings I can see all point to an internal IP which is our DC. The software wants a different address containing a public IP as it comes in via the web and I'm unsure what it is. I've tried all sorts of combinations from ldap://dc.domain.local:389 to ldaps://dc.domain.local:636. I've even tried our proxy server A record DNS but still to no avail.
Any ideas where I might be going wrong? The software company says we should have an external LDAP address, but as a techie that didn't originally set it up, I can't find it!
Many thanks!!!
What software?
16th October 2012, 11:31 AM #9
Originally Posted by Geoff:
Do not expose an Active Directory LDAP server to the internet.
Indeed. Doing so is a recipe for a security nightmare.
Reputable software providers usually provide a 'middle man' which either does the authentication part or relays information to the external server from within your network.
16th October 2012, 11:56 AM #10
Originally Posted by localzuk:
Indeed. Doing so is a recipe for a security nightmare.
Reputable software providers usually provide a 'middle man' which either does the authentication part or relays information to the external server from within your network.
I haven't done this, and I'm just asking. But if you put a firewall on the port forward so that only the external server's IP address is allowed in, would that have sufficient security or not? As it's difficult to send a request from an incorrect IP and get a reply, for the obvious reason. Or are there other concerns?
16th October 2012, 12:09 PM #11
It depends. If you're not using LDAPS then data is sent over the wire in clear text. You are also vulnerable to Man in the Middle attacks. If you don't lock it down on IP ranges then you are also vulnerable to information disclosure via anonymous rootDSE binds and brute force attacks (unfortunately Microsoft's LDAP implementation is very efficient, so 1000s of brute force password attempts can be serviced every second). You can mitigate the brute force attacks by using lockouts and a strong password policy (but I doubt that'd work so well in your environment), but any successful brute force and your entire AD structure is readable via LDAP. This obviously leads to other avenues of attack on other services relying on your AD authentication (websites, email, terminal services). It's just all round bad news from the get go.
If they really really need to access your LDAP you need to make them use a VPN.
Last edited by Geoff; 16th October 2012 at 12:11 PM.
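The three exposures Geoff lists in #11 (cleartext simple binds, anonymous binds, and password brute force that an IP allow-list alone, as asked in #10, would not catch) can be watched for in the DC's bind logs. The following is an added detection example, not code from the thread; the log format it parses is a constructed simplification, and the sample lines and hostnames are made up.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample bind log (not real data). One bind per line:
# "<timestamp> <client_ip> <user> <bind_type> <tls yes|no> <result>"
SAMPLE_LOG = """\
2012-10-16T12:00:00 203.0.113.7 jsmith simple no FAIL
2012-10-16T12:00:01 203.0.113.7 jsmith simple no FAIL
2012-10-16T12:00:02 203.0.113.7 jsmith simple no FAIL
2012-10-16T12:00:03 203.0.113.7 jsmith simple no FAIL
2012-10-16T12:00:04 203.0.113.7 jsmith simple no FAIL
2012-10-16T12:00:05 203.0.113.7 jsmith simple no OK
2012-10-16T12:30:00 198.51.100.2 booking-svc simple yes OK
2012-10-16T12:31:00 198.51.100.2 booking-svc simple yes FAIL
2012-10-16T12:45:00 192.0.2.9 - anonymous no OK
"""

def parse(line):
    ts, ip, user, bind, tls, result = line.split()
    return datetime.fromisoformat(ts), ip, user, bind, tls == "yes", result

def analyse(log, threshold=5, window=timedelta(seconds=30)):
    """Flag cleartext credentials, anonymous binds, and password brute force
    (a burst of failures inside the window, plus any success that follows
    such a burst from the same client, which is the case worth paging on)."""
    failures = defaultdict(deque)            # client_ip -> recent failure times
    findings = {"cleartext": set(), "anonymous": set(),
                "brute_force": {}, "success_after_burst": set()}
    for line in log.splitlines():
        ts, ip, user, bind, tls, result = parse(line)
        if bind == "simple" and not tls:
            findings["cleartext"].add((ip, user))   # password readable on the wire
        if bind == "anonymous":
            findings["anonymous"].add(ip)           # rootDSE / enumeration exposure
        q = failures[ip]
        while q and ts - q[0] > window:             # drop failures outside the window
            q.popleft()
        if result == "FAIL":
            q.append(ts)
            if len(q) >= threshold:
                findings["brute_force"][ip] = max(findings["brute_force"].get(ip, 0), len(q))
        elif len(q) >= threshold:
            findings["success_after_burst"].add((ip, user))
    return findings

if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG).items():
        print(f"{kind}: {sorted(hits) if isinstance(hits, set) else hits}")
```

The LDAPS client (198.51.100.2) produces no cleartext finding and its single failure stays below the threshold, while the unencrypted client that succeeds right after five failures is flagged on both counts.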
16th October 2012, 12:23 PM #12
Originally Posted by Geoff:
It depends. If you're not using LDAPS then data is sent over the wire in clear text. You are also vulnerable to Man in the Middle attacks. If you don't lock it down on IP ranges then you are also vulnerable to information disclosure via anonymous rootDSE binds and brute force attacks (unfortunately Microsoft's LDAP implementation is very efficient, so 1000s of brute force password attempts can be serviced every second). You can mitigate the brute force attacks by using lockouts and a strong password policy (but I doubt that'd work so well in your environment), but any successful brute force and your entire AD structure is readable via LDAP. This obviously leads to other avenues of attack on other services relying on your AD authentication (websites, email, terminal services). It's just all round bad news from the get go.
If they really really need to access your LDAP you need to make them use a VPN.
Agreed. I use OpenVPN on Ubuntu. But I was interested in whether locking out all IPs minus the external server would be a viable alternative for the problem above; but if it's plain text, don't. It sounds as bad as FTP for security. As I don't know enough about how LDAP transfers data, I thought I would ask.
17th October 2012, 10:07 AM #13
Anyone got an idea on how to redirect LDAP requests on Apache 2.2.9?
17th October 2012, 10:11 AM #14
Originally Posted by jabellamy:
Anyone got an idea on how to redirect LDAP requests on Apache 2.2.9?
What do you mean? Apache is an HTTP/HTTPS server, not an LDAP server, so the two aren't related.
17th October 2012, 10:21 AM #15
It strikes me that this is the sort of scenario that Active Directory Lightweight Directory Services (AD LDS) is designed for. I haven't implemented it myself though, and as usual, the MS documentation is not for the faint of heart.