On 4/8/21 5:24 PM, Michael Ströder wrote:
> On 4/8/21 4:07 PM, [email protected] wrote:
>> I need to open my LDAP directory to a publicly available server.
>>
>> What is the best secure way to connect my LDAP server to my public
>> server?
>
> This is a pretty broad question.
>
> Good answers usually need more info:
> - which kind of data is stored inside the LDAP server?
> - how do LDAP clients access the server?
> - which OS is the LDAP server running on?
> - against which attacks do you want to protect your deployment?

Some more:
- how is the data maintained?
- do you only need data integrity or also data confidentiality?

> Some general security measures include:
> - use TLS-protected connections everywhere (StartTLS or LDAPS)
> - use decently secure authentication mechs
> - implement secure OpenLDAP ACLs to protect the database content
> - build stripped-down, specific OpenLDAP packages for your needs
> - use systemd's sand-boxing options (if using systemd on Linux at all)
> - use kernel-level MAC like SELinux or AppArmor (if OS is Linux)

Some more:
- have decent monitoring
- implement decent metrics and log analysis (SIEM)
- maybe implement push-replication (depending on network architecture)

Ciao, Michael.
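For readers who want to see what three of the measures above (TLS everywhere, no anonymous or cleartext binds, restrictive ACLs) look like in OpenLDAP's cn=config, here is an added example; it is not from the thread or from the OpenLDAP project. The suffix dc=example,dc=org, the database entry olcDatabase={1}mdb and the group cn=ldap-admins are constructed placeholders to be replaced with the real DNs.

```ldif
# Added example, not from the thread. Constructed placeholders: suffix
# dc=example,dc=org, database entry olcDatabase={1}mdb, group cn=ldap-admins.
# Apply on the server: ldapmodify -Y EXTERNAL -H ldapi:/// -f hardening.ldif

# 1) TLS everywhere: TLS 1.2 minimum, and a 128-bit security strength factor
#    (SSF) for every operation including simple binds, so a password can never
#    be sent in cleartext. StartTLS itself is exempt from the SSF check, so
#    clients can still upgrade a plain port-389 connection before binding.
#    olcLocalSSF keeps ldapi:/// (Unix socket) usable for local administration.
dn: cn=config
changetype: modify
replace: olcTLSProtocolMin
olcTLSProtocolMin: 3.3
-
replace: olcSecurity
olcSecurity: ssf=128 simple_bind=128 update_ssf=128
-
replace: olcLocalSSF
olcLocalSSF: 128
-
replace: olcDisallows
olcDisallows: bind_anon
-
replace: olcRequires
olcRequires: authc

# 2) ACLs for the user database. Rules are evaluated in order and the first
#    matching "to" clause decides: userPassword is writable only by its owner
#    and the admin group and usable by the bind operation ("auth"), never
#    readable; everything else is readable by authenticated users only.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by group.exact="cn=ldap-admins,ou=groups,dc=example,dc=org" write
  by * none
olcAccess: {1}to dn.subtree="dc=example,dc=org"
  by group.exact="cn=ldap-admins,ou=groups,dc=example,dc=org" write
  by users read
  by * none
```

After applying, a cleartext simple bind over ldap:// without StartTLS is refused with "confidentiality required" and an anonymous bind with "inappropriate authentication", which is a quick way to verify the settings took effect.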
