Make LDAP/AD in intranet available to webapplications in extranet

Hello!
I have a very general question regarding making the user authentication available to webapplications.

In my Intranet behind a firewall I have an UCS(master, no slaves) running as DC. Currently every incoming traffic from outside the intranet is blocked.
We now have a Nextcloud instance running on a webserver outside our intranet. Soon there will be a Gitlab instance, too.

Is it a good idea to just open the ports for AD/LDAP from the firewall to let the webapplications(Nextcloud, Gitlab) connect to it?
Or should we setup a slave UCS, where Nextcloud connects to?
What is a good and safe strategy to handle that? Can you give any recommendations, how you are doing that?

Thank you,
Andreas

I have one Slave in DMZ VLAN running.

And how does the slave connect to master from a seperate VLAN?

Over a firewallrule with UTM filter on the central Firewall/Gateway.

Hi @workpush,

yes, I would also recommend a dedicated slave replica server as long as the LDAP access is read-only.
Also remember to only use LDAPS connections and use limited account.

Further read:

• [HowTo] Use letsencrypt certificates for LDAPS connections (via stunnel)
• UCS and security hardening