[Samba] Read Only DC in one way only

mailing-lists at ventora.net
Fri Sep 15 08:38:27 UTC 2017

Greetings to all,

I've got a quick question regarding the RODC functionality. We have a web
application in the DMZ, which has to use the user authentication from our
domain. So we want to use the LDAP backend to talk to the domain and check
the credentials. The problem we are running into right now is that the
web server cannot talk into the LAN and make requests via LDAP. So we
searched for a solution and found the RODC. The idea is that the RODC is
located in the DMZ. The RODC then gets replicated in only one way (first
question: is it even possible to talk in one way?), so we can ask the RODC
via LDAP for the authentication.

MAIN DC (LAN) ---> RODC (DMZ) (only connections from inside to outside)

Web App (DMZ) ---> RODC (DMZ)

How would you solve the problem that we need domain user accounts in the
"evil" internet? Of course, it would be a major security flaw if we opened
the DMZ ports to the LAN. So please keep that in mind.

We would be very pleased for an answer.

Greetings from Germany,

Robert Leuter
