LDAP proxy?

    Question

  • We have several applications which are hosted/SaaS type deals.  These applications authenticate against our Active Directory.  Right now we punch holes through the firewall from the application servers to our AD domain controllers.  Not the best or most secure solution to be sure.  I'm wondering how we can do this better?  I'm picturing some type of LDAP proxy server that would sit in our DMZ and relay authentication requests from the external application server to the domain controllers.  I did a bit of Googling, but didn't find much in terms of an LDAP proxy.  Does such a thing exist?  Can LDS be an LDAP proxy?

    We only have 1 domain, so we don't need to worry about federation or anything like that.  But a bonus would be the ability to create accounts for users on the LDAP proxy server.  (In other words, sometimes we have to give access to a certain application for users who are not part of our organization... partners and such... right now we create AD accounts for them, but that's kinda kludgy.)

    Thanks!

    Tuesday, June 12, 2012 6:33 PM

All replies

  • Hello,

    AD FS is an option to use: http://technet.microsoft.com/en-us/library/adfs2(v=ws.10).aspx For details about configuration, please ask in http://social.msdn.microsoft.com/Forums/en-US/geneva/threads/


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Tuesday, June 12, 2012 6:40 PM
  • Hello,

    One thread per problem is enough; please stick to http://social.technet.microsoft.com/Forums/en/winserverDS/thread/7c593c3d-c907-4f5e-ae33-7dfa83467e68


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Tuesday, June 12, 2012 6:40 PM
  • Sorry, that was a mistake - the server gave me an error the first time so I submitted it again, then realized I had 2.
    Tuesday, June 12, 2012 7:06 PM
  • Hi

    AD LDS cannot be an LDAP proxy as such. There are a variety of third-party tools that do provide that, and open source solutions are also available; some of the commercial offerings are part of a virtual directory product. A search will turn them up.

    In addition to the third-party tools, other options you might want to add to your research are the use of bindproxy or userproxy objects in an AD LDS instance in the DMZ, the use of a Read Only DC in the DMZ (perimeter network), or a separate forest with a trust in the DMZ. If you search around those terms you will find a lot of information on the limitations and scenarios that others have explored.

    Lee Flight

    Tuesday, June 12, 2012 9:48 PM
  • How about using an RODC, a read-only copy of a DC in your DMZ?
    http://technet.microsoft.com/en-us/library/dd728034.aspx

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://blogs.dirteam.com/blogs/paulbergson  Twitter @pbbergs
    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Wednesday, June 13, 2012 1:53 AM
  • Hi,
     
    As this thread has been quiet for a while, we will mark it as ‘Answered’ as the information provided should be helpful. If you need further help, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.
      
    BTW, we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.
      
    Best Regards
      
    Kevin

    TechNet Community Support

    Monday, June 18, 2012 4:23 AM
  • AD FS is not the answer to this problem. AD FS is for federated web applications. The question raised was wanting to proxy LDAP requests/authentications.  The correct answer as one suggested is an LDAP proxy.  My company sells one that is built in the Microsoft .NET framework and will easily perform this task.  You could do a Read Only DC, but do you really want to put all of that data in the DMZ?  Think of recent data breaches. With a product like ours you can easily filter out and only present the data you want presented.  Take a look when you have some time.

    http://optimalidm.com/our-products/ldap-proxy/

    Tuesday, June 24, 2014 3:34 PM
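The relay the original question pictures (a DMZ host that forwards bind requests to the internal domain controllers) and the filtering point made in the last reply (expose only the data the application needs) both come down to a policy layer that inspects each LDAP request before anything reaches the DC. The example below is added here and is not code from any product, poster or project mentioned in this thread: it decodes the BER-encoded LDAP BindRequest and SearchRequest (RFC 4511 tags), restricts binds and searches to one exposed subtree, and strips non-allowlisted attributes from result entries before they leave the DMZ. The subtree `ou=partners,dc=corp,dc=example`, the attribute allowlist and the sample requests are constructed for illustration; the network forwarding itself (the DMZ listener, which should accept LDAPS only, and the connection to the DC) is left out.

```python
"""Minimal DMZ LDAP relay policy: decode the request, enforce an allowlist,
and decide whether it may be forwarded to the internal DC.  Hypothetical
example; DN suffixes and attribute names are constructed."""

# LDAP protocol-op tags (RFC 4511, [APPLICATION n])
BIND_REQUEST = 0x60     # [APPLICATION 0], constructed
UNBIND_REQUEST = 0x42   # [APPLICATION 2], primitive NULL
SEARCH_REQUEST = 0x63   # [APPLICATION 3], constructed


def _encode_len(n):
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag, payload):
    """Wrap payload in a BER TLV with the given tag byte."""
    return bytes([tag]) + _encode_len(len(payload)) + payload


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split a constructed value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def build_bind(msg_id, dn, password):
    """Simple bind (LDAPv3); message IDs kept below 128 to fit one INTEGER byte."""
    op = ber(0x02, b"\x03") + ber(0x04, dn.encode()) + ber(0x80, password.encode())
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(BIND_REQUEST, op))


def build_search(msg_id, base_dn, attrs):
    """Subtree search with filter (objectClass=*) requesting the given attributes."""
    op = (ber(0x04, base_dn.encode()) + ber(0x0A, b"\x02") + ber(0x0A, b"\x00")
          + ber(0x02, b"\x00") + ber(0x02, b"\x00") + ber(0x01, b"\x00")
          + ber(0x87, b"objectClass")            # present filter, [7]
          + ber(0x30, b"".join(ber(0x04, a.encode()) for a in attrs)))
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(SEARCH_REQUEST, op))


def parse_request(msg):
    """Decode an LDAPMessage into a dict the policy can reason about."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    (_, id_val), (op_tag, op_val) = _children(body)[:2]
    req = {"id": int.from_bytes(id_val, "big"), "op": op_tag}
    if op_tag == BIND_REQUEST:
        _version, name, auth = _children(op_val)
        req["dn"] = name[1].decode()
        req["simple"] = auth[0] == 0x80     # SASL binds carry tag 0xA3
    elif op_tag == SEARCH_REQUEST:
        fields = _children(op_val)          # base, scope, deref, size, time, typesOnly, filter, attrs
        req["base"] = fields[0][1].decode()
        req["attrs"] = [v.decode() for _, v in _children(fields[7][1])]
    return req


class RelayPolicy:
    """Allowlist enforced in the DMZ before a request is forwarded to the DC."""

    def __init__(self, exposed_base, exposed_attrs):
        self.exposed_base = exposed_base.lower()
        self.exposed_attrs = {a.lower() for a in exposed_attrs}

    def _under_base(self, dn):
        dn = dn.lower()
        return dn == self.exposed_base or dn.endswith("," + self.exposed_base)

    def decide(self, req):
        """Return ('forward', note) or ('reject', reason) for a parsed request."""
        op = req["op"]
        if op == UNBIND_REQUEST:
            return "forward", "unbind"
        if op == BIND_REQUEST:
            if not req["simple"]:
                return "reject", "only simple binds are relayed"
            if not req["dn"] or not self._under_base(req["dn"]):
                return "reject", "bind DN outside exposed subtree"   # also blocks anonymous binds
            return "forward", "bind within exposed subtree"
        if op == SEARCH_REQUEST:
            if not self._under_base(req["base"]):
                return "reject", "search base outside exposed subtree"
            return "forward", "search within exposed subtree"
        return "reject", "operation not in allowlist"   # modify, add, delete, extended ops

    def filter_entry(self, entry):
        """Drop attributes the DMZ must not expose from a result entry (attr -> values)."""
        return {k: v for k, v in entry.items() if k.lower() in self.exposed_attrs}
```

The policy rejects anything that is not a simple bind, an unbind or a search, and rejects binds and searches that leave the exposed subtree; everything else is forwarded unchanged, and attributes outside the allowlist are removed from the entries the DC returns rather than from the client's request, so the client's own filter and scope are preserved.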