Don Munyak <[EMAIL PROTECTED]> wrote:
> I am sorry I was a little too vague. I was hoping to avoid exposing
> the fact that the servers in the DMZ are win2003. Oh well...the
> cat's outta the bag.

Well, I'm a bit "anal" on security. I've put Windows ADS servers in a
DMZ before, but I used a UNIX server as the KDC for authentication
_separate_ from them. It was in another DMZ and _only_ port 88 was
open to it from that DMZ or the LAN. It was not straightforward either
(ADS doesn't like the KDC to be on a non-ADS server), but despite what
you might have read, it _is_ possible. ;->

It really all depends on how much you want to protect your
authorization.

> Our DMZ is currently in our main office. This will change to a colo
> in the next few months. Since tape backup is not really an option
> for the colo, I was looking into using a NAS and automating RSYNC
> between the servers and the NAS, primarily just the data.

I've had great success with synchronizing ADS to Netscape Directory
Server (NsDS) over the years. You basically set up NsDS on your UNIX
servers and then add a synchronization program to one of your ADS DCs.

Netscape Directory Server 7.1 is still available in binary format as
Fedora Directory Server 7.1 (or Red Hat Directory Server 7.1 as a
commercial option) from the Fedora Directory Server project here:
http://directory.fedora.redhat.com/wiki/Special:Download

Otherwise, the newer Fedora Directory Server 1.0.2 release, which is
now a completely GPL/MPL licensed solution, has progressed to the point
that it works very well and is considered version 7.2 (possibly the
next Red Hat Directory Server product version number?). Only 2 modules
had to be changed for licensing reasons. I have not personally used it
yet though:
http://directory.fedora.redhat.com/wiki/Download

> I read in the docs that I need to tie OpenFiler into some sort of
> authentication server, either LDAP, NIS, AD. Since I really don't
> see a point of adding another Windows server just for
> authentication, I was thinking (hoping) of using the
> Openfiler/CentOS box with LDAP. ???

Are your Windows servers in the DMZ also ADS DCs? If so, then why
can't you just use them?

You should be able to use at least NTLMv2 for authentication, if not
Kerberos (with some additional setup), and then also LDAP access (with
minor additional setup) for user/group mappings.

> I don't want public/guest access, as most of the data will need
> to be protected from prying eyes. I read in another thread about
> allowing guest access...but limiting access based on machine, and
> not some UID/GID. In this case I presume LDAP would not be used.

Correct. Share-level access can be protected in such a way.

> So having cleared this up, am I over-complicating things by trying
> to integrate LDAP?

No. But you shouldn't have to add another server, if your existing
Windows servers are already ADS DCs.

-- 
Bryan J. Smith
Professional, Technical Annoyance
[EMAIL PROTECTED]
http://thebs413.blogspot.com
--------------------------------------------------
I'm a Democrat. No wait, I'm a Republican. Hmm, it seems I'm just
whatever someone disagrees with.

_______________________________________________
Openfiler-users mailing list
[email protected]
https://lists.openfiler.com/mailman/listinfo/openfiler-users
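An added example, not from Bryan's post or from the Openfiler project, of what the end of his reply describes: pointing the CentOS/Openfiler box's Samba at the existing ADS DCs, with Kerberos for authentication, NTLMv1 and LANMAN refused so NTLMv2 is the floor, and LDAP (RFC 2307 uidNumber/gidNumber attributes read by winbind) for the user/group mapping. The realm EXAMPLE.COM, the DC hostnames, the share path, the group name and the ID ranges are placeholders, and the option names are the Samba 3.3+/4.x winbind syntax, which is newer than what shipped with Openfiler when this thread was written.

```ini
# /etc/krb5.conf -- hypothetical realm EXAMPLE.COM. The KDCs are listed
# explicitly and DNS lookup is disabled, so the filer only ever talks
# Kerberos (port 88) to the hosts you have actually opened it to.
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = false
    dns_lookup_realm = false
    ticket_lifetime = 10h
    forwardable = false

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com:88
        kdc = dc2.example.com:88
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

# /etc/samba/smb.conf -- join the filer to the domain the DCs already
# serve instead of standing up a separate authentication server.
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ads
    kerberos method = secrets and keytab

    # Refuse LANMAN and NTLMv1 from clients; Kerberos or NTLMv2 only.
    lanman auth = no
    ntlm auth = no
    client ntlmv2 auth = yes
    client use spnego = yes

    # UID/GID mapping from LDAP: winbind reads the RFC 2307 attributes the
    # DCs already hold rather than allocating local IDs per machine.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : schema_mode = rfc2307
    idmap config EXAMPLE : range = 10000-999999
    idmap config EXAMPLE : unix_nss_info = yes

    winbind use default domain = yes
    winbind refresh tickets = yes
    template shell = /sbin/nologin
    template homedir = /home/%U

    # No guest path: an unauthenticated connection is rejected, not mapped
    # to the guest account.
    map to guest = Never
    restrict anonymous = 2

[data]
    path = /mnt/data
    valid users = @"EXAMPLE\storage-users"
    read only = no
    browseable = no
```

After `net ads join -U <domain admin>` on the filer, `wbinfo -t` confirms the machine trust, `getent passwd <user>` shows the LDAP-sourced UID/GID, and `smbclient -k //filer/data` exercises the Kerberos path end to end. One caveat against Bryan's "only port 88" setup: the join and winbind's LDAP mapping also need LDAP (389) and SMB (445) from the filer to the DCs, so that single-port isolation applies to a stand-alone KDC, not to DCs that are doing the mapping as well.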
