[KLUG Members] LDAP access question.

Adam Williams members@kalamazoolinux.org
28 Aug 2002 13:44:53 -0400


>Is it reasonably safe to run a LDAP server (the one that comes with
>Redhat 7.3) outside of a firewall, or allow access to it through the
>firewall?  

Yes, there are many public LDAP servers (sort of the whole point),
including one hosted by OpenLDAP itself.

>i.e.  Does a LDAP server fall into the same category as Apache (outside
>access okay if configured correctly), 

Yes.  You are of course exposed to many of the same vulnerabilities as
Apache.  If there is an overflow bug in glibc, etc...

>or does it fall in the "NFS"
>category where access is never safe outside a firewall?

No.

>_If_ it's reasonably safe through a firewall, which port(s) that should
>be allowed/denied access?  

389 for unencrypted LDAP, 636 for SSL encrypted LDAP.  Personally, I'd
only open the latter.

>Any other security considerations?

If the remotes don't need to mod the directory I like to make a
read-only replicant and expose him rather than the master.  Or depending
on what the remotes need, just replicate a subtree to the public
server.  But if your access control rules make sense you are pretty safe
any way you go.
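As an added illustration of the setup Adam describes (not part of the original post), here is a slapd.conf pair for a public read-only replica that holds only one subtree, accepts nothing but TLS sessions, and refers every write back to the master. It assumes OpenLDAP 2.1-era slapd.conf and slurpd replication syntax; the DNs (dc=example,dc=com, cn=replicator), hostnames, certificate paths and the credentials placeholder are all hypothetical.

```conf
########################################################################
# slapd.conf on the PUBLIC read-only replica (hypothetical example)
########################################################################
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
pidfile         /var/run/slapd.pid

# Require 128-bit encryption on every operation: a client that reaches
# plain port 389 can connect, but every bind/search it sends is refused.
TLSCertificateFile      /etc/openldap/replica-cert.pem   # assumed path
TLSCertificateKeyFile   /etc/openldap/replica-key.pem    # assumed path
security                ssf=128

# Refuse "anonymous" binds that still carry a password.
disallow        bind_anon_cred

database        ldbm
# Only the public subtree lives here, not the whole master directory.
suffix          "ou=People,dc=example,dc=com"
directory       /var/lib/ldap
# rootdn with no rootpw: nobody can simple-bind as the superuser on the
# exposed host; slurpd pushes changes as the updatedn instead.
rootdn          "cn=Manager,dc=example,dc=com"
updatedn        "cn=replicator,dc=example,dc=com"
# Any write attempt gets a referral to the firewalled master.
updateref       ldaps://master.internal.example.com

# ACLs: password hashes are usable for binding but never readable;
# everything else is world-readable; only the replicator may write.
access to attrs=userPassword
        by dn="cn=replicator,dc=example,dc=com" write
        by anonymous auth
        by * none
access to *
        by dn="cn=replicator,dc=example,dc=com" write
        by * read

########################################################################
# Matching lines in slapd.conf on the MASTER (behind the firewall)
########################################################################
# replogfile      /var/lib/ldap/replog
# replica         uri=ldaps://replica.example.com
#                 suffix="ou=People,dc=example,dc=com"
#                 binddn="cn=replicator,dc=example,dc=com"
#                 bindmethod=simple credentials=REPLACE_WITH_SECRET
```

Start the public slapd with only the TLS listener, e.g. `slapd -h "ldaps:///"`, so nothing is bound on 389 at all, and let the firewall pass only 636/tcp to that host, which matches the "only open the latter" advice above. The master never needs an inbound hole: slurpd on the master initiates the connection outward to the replica.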