I still have some legacy applications that require LDAP instead of newer options like SAML or OIDC. Since I'm hosting this setup in the DMZ, my network team wants to minimize firewall access to the LAN, which makes sense. I'm hoping to find a straightforward LDAP proxy that I can easily deploy in the DMZ and direct these applications to use for authentication against Active Directory (AD). I have a PKI in place and can obtain a certificate for the host if I decide to go with LDAPS. Does anyone have recommendations for a ready-to-use configuration?
2 Answers
Have you thought about using a Read-Only Domain Controller (RODC) in the DMZ? Just make sure it’s set up correctly to keep things secure!
You could definitely find several LDAP proxy solutions online. Just a heads up, if you're using two-factor authentication (2FA), tools like Duo's Auth Proxy could be integrated. If 2FA isn't a necessity, something like nginx with the auth_ldap module can do a solid job without overcomplicating things.

Good call on Duo's proxy! It really works well if you're already in their ecosystem. nginx is nice too for a simpler setup.
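As an added illustration of the nginx option mentioned in the second answer and the comment above (this is not the answerer's own configuration), here is a minimal nginx setup using the third-party nginx-auth-ldap module to front a legacy HTTP application with AD-backed authentication over LDAPS. The hostnames, DNs, group name and file paths are constructed placeholders, and the `ssl_check_cert`/`ssl_ca_file` directives are assumed from that module's documented options.

```nginx
# Added example, not from the original thread. All names below are constructed.
http {
    ldap_server ad_ldaps {
        # Bind to the domain controller over LDAPS only (the one DMZ->LAN hole
        # needed is TCP/636); look users up by sAMAccountName under the domain base.
        url "ldaps://dc01.corp.example.test:636/DC=corp,DC=example,DC=test?sAMAccountName?sub?(objectClass=user)";
        # Dedicated, least-privilege service account used only to locate user entries.
        binddn "CN=svc-ldap-proxy,OU=ServiceAccounts,DC=corp,DC=example,DC=test";
        binddn_passwd "<placeholder-service-account-password>";
        # Verify the DC's certificate against the internal CA instead of trusting any cert.
        ssl_check_cert on;
        ssl_ca_file /etc/nginx/pki/internal-ca.pem;
        # Allow only members of one AD group rather than every valid domain account.
        group_attribute member;
        group_attribute_is_dn on;
        require group "CN=LegacyApp-Users,OU=Groups,DC=corp,DC=example,DC=test";
        satisfy all;
    }

    server {
        # TLS on the DMZ-facing side with the certificate issued by the in-house PKI.
        listen 443 ssl;
        server_name legacy-app.dmz.example.test;
        ssl_certificate     /etc/nginx/pki/legacy-app.crt;
        ssl_certificate_key /etc/nginx/pki/legacy-app.key;

        location / {
            # HTTP Basic credentials are checked against AD before the request is proxied.
            auth_ldap "Restricted";
            auth_ldap_servers ad_ldaps;
            proxy_pass http://127.0.0.1:8080;
        }
    }
}
```

Note that this module authenticates HTTP requests against LDAP; it does not expose an LDAP listener, so an application that itself speaks the LDAP protocol to a server still needs a proxy that terminates LDAP/LDAPS rather than HTTP.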