LDAP query from another network

Hi, I successfully configured LDAP on nethserver to join my AD domain. I have now a server in DMZ which cannot see the domain controller because they’re in different VLAN. But I was thinking: can I use the LDAP replicas of the Nethserver? If I telnet the 389 port of my nethserver from a Green client it works, but if I telnet the same port from an Orange IP it does not respond. Can I allow LDAP query through Orange? Thank you all for this great support forum!

well…

creating holes in your firewall is not a smart idea…

I strongly suggest you re-design your infra and think about what you need and where, then act.

don’t get me wrong, but green/orange/red zones exist to assure some security… one rule is that (generally), lan is invisible from outside, and “outside”, here, is red and orange…

You could do something like this:

  • Go to “Network services” page
  • Edit the slapd service
  • Select “Access only from green networks”
  • Add the IP of your servers inside the orange into the “Allow hosts” field

With this mod the port is now responding. But I cannot connect to LDAP, I get this message “Bind failed: Invalid DN syntax”. Maybe I’m trying to use LDAP in a wrong way? Nethserver is connected in LDAP to my active directory domain (green network) and I’m trying to connect to the nethserver LDAP replica through orange interface. Is that possible?

As far as I know, you can’t bind to LDAP from a network machine.
This is OpenLDAP voodoo, take a look at this: Authenticate Linux Clients against LDAP
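A small pre-flight check a DMZ host can run before the real bind, added here as an illustration and not part of any post or of NethServer itself: it repeats the telnet-style port test from above with a timeout, and it classifies the bind identity locally, because the NethServer replica is an OpenLDAP slapd, which only accepts a full distinguished name as the bind name and answers “Invalid DN syntax” to anything else, while Active Directory also accepts the `user@domain` and `DOMAIN\user` forms. Host names, identities and the `server_kind` labels are assumptions for the example.

```python
import re
import socket

# Minimal RFC 4514 shape check: one or more "attr=value" RDNs separated by commas.
# Attribute types are names or dotted OIDs; a value is non-empty and may not
# contain an unescaped comma. This checks syntax only, it does not consult the directory.
_RDN = r"(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)=(?:[^,\\]|\\.)+"
_DN_RE = re.compile(rf"^{_RDN}(?:\s*,\s*{_RDN})*$")
_SIMPLE = r"[^@\\,=\s]+"


def classify_bind_identity(identity: str) -> str:
    """Return the naming form of a bind identity: 'dn', 'upn', 'netbios' or 'invalid'."""
    if _DN_RE.match(identity):
        return "dn"
    if re.fullmatch(rf"{_SIMPLE}@{_SIMPLE}", identity):      # user@example.com
        return "upn"
    if re.fullmatch(rf"{_SIMPLE}\\{_SIMPLE}", identity):     # EXAMPLE\user
        return "netbios"
    return "invalid"


def bind_identity_ok(identity: str, server_kind: str) -> bool:
    """True if the identity form is one the given server type will accept as a bind name."""
    form = classify_bind_identity(identity)
    if server_kind == "openldap":        # slapd: bind name must be a DN
        return form == "dn"
    if server_kind == "ad":              # AD: DN, UPN or NetBIOS\user all work
        return form in ("dn", "upn", "netbios")
    raise ValueError(f"unknown server kind: {server_kind}")


def port_reachable(host: str, port: int = 389, timeout: float = 3.0) -> bool:
    """TCP connect test with a timeout, the scripted equivalent of 'telnet host 389'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    for ident in ("cn=ldapsvc,dc=example,dc=com", "ldapsvc@example.com", r"EXAMPLE\ldapsvc"):
        print(ident, "openldap:", bind_identity_ok(ident, "openldap"),
              "ad:", bind_identity_ok(ident, "ad"))
    print("389 reachable:", port_reachable("ldap.example.com"))  # hypothetical host
```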

Thank you Giacomo. I solved using port forwarding and redirecting the port 389 from orange to green only between two IPs. Now my linux server in DMZ makes LDAP queries directly to the Active Directory server. Thank you for your support


I come back to this older thread. My constellation is the same: There is a Nethserver AD controller inside the LAN and a NS webserver in the DMZ. Connecting from the webserver to the AD LDAP does not give me any errors. The credentials have been tested with LDAP-Admin and are okay. But the user and group list are empty.
Btw, there is no slapd service in the Network services list.
Any idea?