I have a very general question regarding making the user authentication available to web applications.
In my intranet behind a firewall I have a UCS (master, no slaves) running as DC. Currently all incoming traffic from outside the intranet is blocked.
We now have a Nextcloud instance running on a webserver outside our intranet. Soon there will be a Gitlab instance, too.
Is it a good idea to just open the ports for AD/LDAP on the firewall to let the web applications (Nextcloud, Gitlab) connect to it?
Or should we set up a slave UCS that Nextcloud connects to?
What is a good and safe strategy to handle that? Can you give any recommendations on how you are doing that?