In general, no, I would say it's not a great idea, but sometimes requirements 
dictate that it has to be done. I've seen directories replicated out to a DMZ 
server to insulate things a bit, but I honestly don't see that as really 
improving security much, unless you are replicating non-sensitive information.

For starters, you should not open port 389 and instead open port 636 (and do 
LDAP over SSL/TLS).

In addition, you could open a different port on the firewall (say 6636) and 
forward that to 636 on the inside.

Also, if the rule is for traffic originating from a specific IP, that is much 
better than allowing anything in.

I think a lot of this depends on how secure your LDAP servers are... in reality 
you shouldn't be able to do anything destructive without the necessary 
credentials. Even though the transmission of credentials will be encrypted, it 
doesn't change the fact that your server could be compromised and passwords 
sniffed before they go over the wire.

I think there are a lot of variables to consider - if it *must* be done, it tends 
to make admins more comfortable if the LDAP client is in a DMZ segment, thus 
under a bit more control (and can have IDS, etc.) rather than a random server 
out on the Internet.

Dave Ross
http://www.coldspringframework.org



> Have an app that is remote from a network that is your standard 
> LDAP/AD deal....the client's folks really want the remote app to 
> authenticate back via LDAP.
> 
> Now, I don't want to open up 389 in the firewall at all; so for you 
> great CF minds out there....is it even remotely advisable to set up a 
> firewall rule to accept 389 LDAP requests from a single IP 
> address.....so this CF app can do its thing??
> 
> I always err on the side of no in these situations....but limiting it 
> to a specific IP is decent...but relies on that system being correct 
> and free of breach....has others seen this go on?
> 
> Thanks
> 
> Eric
> 
> --------------------------------------------------------
> 
> 
> Eric J. Hoffman
> Managing Partner
> 1940 Greeley Street South
> Suite 102
> Stillwater, MN 55082
> mail: [EMAIL PROTECTED]
> www: http://www.ejhassociates.com
> tel: 651.717.4105
> fax: 651.717.4101
> mob: 651.245.2717
> Adobe Solutions Partner
> Microsoft Certified Partner
> 
> --------------------------------------------------------
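The edge rule Dave describes (no 389 at all, LDAPS on 636 behind a non-standard outside port, one permitted source address), as an added example that is not code from either message in this thread. It is a POSIX shell script that emits an iptables-restore ruleset for that layout, refuses a client address that is not a single host, and audits a ruleset for the two weak settings the thread warns against. The interface name eth0, the client address 203.0.113.10, the outside port 6636 and the internal LDAP host 10.0.0.5 are placeholders chosen for this example, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the original thread. Emits an iptables-restore
# ruleset that forwards one outside port to LDAPS (636) on an internal LDAP
# host for exactly one client address, and drops plaintext LDAP (389) at the
# edge. eth0, 203.0.113.10, 6636 and 10.0.0.5 in the usage are placeholders.

# Succeed only for a single host: a.b.c.d or a.b.c.d/32. Any wider prefix
# (/24, /0) is refused so the rule can never drift into "allow anything".
is_single_host() {
    case "$1" in
        */32) ip=${1%/32} ;;
        */*)  return 1 ;;
        *)    ip=$1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# ldap_edge_rules IFACE CLIENT_IP EDGE_PORT LDAP_HOST
# Writes the ruleset to stdout; fails if CLIENT_IP is not a single host.
ldap_edge_rules() {
    iface=$1; client=$2; edge_port=$3; ldap_host=$4
    is_single_host "$client" || {
        echo "refusing: '$client' is not a single host address" >&2
        return 1
    }
    case "$client" in */32) ;; *) client="$client/32" ;; esac
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
# Outside port from the one permitted client is rewritten to LDAPS inside.
-A PREROUTING -i $iface -s $client -p tcp --dport $edge_port -j DNAT --to-destination $ldap_host:636
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Only the rewritten flow from that client may open a connection to 636.
-A FORWARD -i $iface -s $client -d $ldap_host/32 -p tcp --dport 636 -m conntrack --ctstate NEW -j ACCEPT
# Plaintext LDAP never crosses the edge, from anyone.
-A FORWARD -i $iface -p tcp --dport 389 -j DROP
COMMIT
EOF
}

# Audit a ruleset read from stdin. Fails on the two weak settings from the
# thread: an ACCEPT of port 389, or an ACCEPT toward 636 whose source is not
# pinned to a single /32 address.
audit_rules() {
    rules=$(cat)
    printf '%s\n' "$rules" | grep -q -E -- '--dport 389 .*-j ACCEPT' && return 1
    printf '%s\n' "$rules" | grep -E -- '--dport 636 .*-j ACCEPT' \
        | grep -q -v -E -- '-s [0-9.]+/32 ' && return 1
    return 0
}

# Usage: sh ldap-edge.sh eth0 203.0.113.10 6636 10.0.0.5 > rules.v4
if [ $# -eq 4 ]; then
    ldap_edge_rules "$@"
fi
```

Review the generated file, then load it with `iptables-restore < rules.v4` on the edge box. From the permitted client, check the path with `ldapsearch -H ldaps://ldap.example.com:6636 -x -D "<binddn>" -W -b "<base>"` (hostnames and DNs are placeholders), with the client's ldap.conf set to `TLS_REQCERT demand` so a forged certificate fails instead of silently proceeding; a ColdFusion client would use cfldap with its `secure="CFSSL_BASIC"` attribute. Note that the rule pins an address, not a machine: as Eric says, it still relies on that one client being correct and free of breach, which is why the thread prefers putting it in a monitored DMZ segment.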


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:285419