Recommendation & best practices to expose UCS LDAP to Internet?

Hello,

We have a UCS master in a private network and would like to expose the LDAP service to the public network; the main reason is to enable user authentication on public servers against UCS. What would be the recommended way to do that?

We are considering this setup:

  • DC slave with 2 NICs
  • one NIC connected to public net, but allow access from trusted IPs only; this will allow other public servers to connect to LDAP on DC slave
  • one NIC connected to private net so that it can talk to DC master

Would this be a reasonable way to do that?

Best regards,
Tony
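As an added illustration of the "allow access from trusted IPs only" part of this design (this is editor-supplied example code, not from the original post or from Univention), the Python below models the dual-homed DC slave's packet policy, runs it over a handful of constructed connection attempts, counts the drops per public source (the thing worth alerting on), and renders the same policy as an nftables ruleset. The interface names, the addresses and the two trusted servers are hypothetical; the private side is simply accepted here to keep the example focused on the public NIC.

```python
"""Allow-list policy for the public NIC of a dual-homed DC slave, plus an nftables rendering."""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Hypothetical values, constructed for this example.
PUBLIC_IFACE = "eth0"      # NIC facing the public network
PRIVATE_IFACE = "eth1"     # NIC facing the private network with the DC master
TRUSTED_PUBLIC_SOURCES = ("203.0.113.10/32", "203.0.113.20/32")  # server A, server B
LDAP_PORTS = (389, 636)    # LDAP and LDAPS


@dataclass(frozen=True)
class Conn:
    """One inbound TCP connection attempt as seen by the host firewall."""
    iface: str
    src: str
    dport: int


def _trusted_networks(trusted=TRUSTED_PUBLIC_SOURCES):
    return [ipaddress.ip_network(n) for n in trusted]


def decide(conn, trusted=TRUSTED_PUBLIC_SOURCES):
    """Return 'accept' or 'drop' for one attempt.

    Public NIC: only the LDAP ports, and only from allow-listed sources.
    Private NIC: accepted here (this is where the slave talks to the DC master;
    its own rules are out of scope for this example)."""
    if conn.iface == PRIVATE_IFACE:
        return "accept"
    if conn.iface != PUBLIC_IFACE or conn.dport not in LDAP_PORTS:
        return "drop"
    src = ipaddress.ip_address(conn.src)
    return "accept" if any(src in net for net in _trusted_networks(trusted)) else "drop"


def audit(conns, trusted=TRUSTED_PUBLIC_SOURCES):
    """Apply the policy to a batch; return (decisions, drops per public source)."""
    decisions = [decide(c, trusted) for c in conns]
    dropped = Counter(
        c.src for c, d in zip(conns, decisions) if d == "drop" and c.iface == PUBLIC_IFACE
    )
    return decisions, dropped


def render_nftables(trusted=TRUSTED_PUBLIC_SOURCES):
    """Render the same policy as an nftables input chain with a default-drop policy."""
    allow = ", ".join(trusted)
    ports = ", ".join(str(p) for p in LDAP_PORTS)
    return "\n".join([
        "table inet filter {",
        f"  set trusted_ldap_clients {{ type ipv4_addr; flags interval; elements = {{ {allow} }} }}",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    iif lo accept",
        f"    iif {PRIVATE_IFACE} accept",
        f"    iif {PUBLIC_IFACE} ip saddr @trusted_ldap_clients tcp dport {{ {ports} }} accept",
        f'    iif {PUBLIC_IFACE} log prefix "ldap-public-drop: " drop',
        "  }",
        "}",
    ])


# Constructed sample traffic: two trusted clients, one unknown public host, one replication peer.
SAMPLE_CONNS = [
    Conn("eth0", "203.0.113.10", 636),   # server A, LDAPS: accept
    Conn("eth0", "203.0.113.10", 389),   # server A, LDAP: accept
    Conn("eth0", "198.51.100.7", 389),   # unknown host: drop
    Conn("eth0", "203.0.113.10", 22),    # trusted host, but not LDAP: drop
    Conn("eth1", "10.0.0.5", 389),       # private side: accept
    Conn("eth0", "198.51.100.7", 636),   # unknown host again: drop
]

if __name__ == "__main__":
    decisions, dropped = audit(SAMPLE_CONNS)
    for c, d in zip(SAMPLE_CONNS, decisions):
        print(f"{c.iface} {c.src}:{c.dport} -> {d}")
    print("drops per public source:", dict(dropped))
    print(render_nftables())
```

The rendered ruleset is what the simulated `decide()` corresponds to; the logged drops on the public NIC are the signal to watch for repeated probes from hosts that are not on the allow-list.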

To be honest:

There is NO good way to do this!

You should NOT expose LDAP to public Internet!

In case you need to authenticate external servers use a VPN.

/CV

Can you please explain a bit more why a VPN is better? Let’s say I have one public server A that needs LDAP access. I am trying to compare the following:

(1) DC slave on public internet, but allows access ONLY from server A.

(2) connect A to DC slave in private net via a VPN.

If A is compromised, in case (1) the attacker would have to gain access to the DC slave before he can access the private net. In case (2) the attacker would have access to the entire private net immediately. So it seems to me that case (1) would be slightly more secure than case (2)?

Tony

Hi,

A VPN is, by design, focused on security, so there would be fewer possible vulnerabilities. OpenLDAP is designed for a local network (LAN) and therefore its first focus is not on security. This should be reason enough to avoid exposing OpenLDAP to the Internet.

If you are concerned about security you should create a local DMZ with only limited access to the UCS master. But I guess this will be too much for your small environment. But if you assume the server might get compromised, you should improve security on your host much more.

You are right, in case A gets compromised it might have access to your local LAN (in case of not using a DMZ!). But this should not be an issue, as hijacking an OpenLDAP server is much easier than a VPN. Harden your public server and only use a minimized set of services.

But it is just my opinion.
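The reply's last piece of advice, to harden the public server and run only a minimized set of services, is the kind of thing that is easy to check. Below is an added example (editor-supplied, not from the original post or from Univention) that parses listening sockets in the shape printed by `ss -Htlnp` and flags every service reachable from the network that is not on the short list the host is supposed to offer. The six socket lines are constructed sample output, and the allowed port set (443 only, for a web server like "A") is a hypothetical policy.

```python
"""Flag network-reachable listeners that are not on a host's allowed-service list."""
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical policy for public server A: only HTTPS is meant to be reachable.
ALLOWED_PUBLIC_PORTS = {443}

# Constructed sample in the shape of `ss -Htlnp` output (not from a real host).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1201,fd=6))
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:* users:(("mysqld",pid=990,fd=21))
LISTEN 0 5 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=455,fd=7))
LISTEN 0 128 [::1]:631 [::]:* users:(("cupsd",pid=455,fd=8))
"""

_PROC_RE = re.compile(r'\(\("([^"]+)"')


@dataclass(frozen=True)
class Listener:
    addr: str      # bind address without brackets
    port: int
    process: str   # process name, or "?" if ss printed none


def parse_ss(text):
    """Parse `ss -Htlnp`-style lines into Listener records."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        local = fields[3]
        host, _, port = local.rpartition(":")   # handles "[::]:22" and "0.0.0.0:22"
        host = host.strip("[]")
        m = _PROC_RE.search(line)
        listeners.append(Listener(host, int(port), m.group(1) if m else "?"))
    return listeners


def network_reachable(addr):
    """True for wildcard (0.0.0.0 / ::) and any non-loopback address."""
    ip = ipaddress.ip_address(addr)
    return not ip.is_loopback


def audit_listeners(text, allowed=ALLOWED_PUBLIC_PORTS):
    """Return the listeners reachable from the network whose port is not allowed."""
    return [
        l for l in parse_ss(text)
        if network_reachable(l.addr) and l.port not in allowed
    ]


if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"unexpected listener: {finding.process} on {finding.addr}:{finding.port}")
```

Loopback-only sockets (the two cupsd lines) are ignored, nginx on 443 matches the policy, and sshd and mysqld bound to the wildcard address are reported; whether SSH belongs on the allowed list, or only via a management network, is a decision for the host owner, which is why the allowed set is a parameter.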

Thank you very much for your reply, it makes a lot of sense.

Regards,
Tony