[Samba] Read Only DC in one way only
mailing-lists at ventora.net
mailing-lists at ventora.net
Fri Sep 15 08:38:27 UTC 2017
Greetings to all,
I've got a quick question regarding the RODC functionality. We have a web
application in the DMZ, which has to use the user authentication from our
domain. So we want to use the LDAP backend to talk to the domain and check
the credentials. The problem we are running into right now is that the
webserver can not talk into the LAN and make requests via LDAP. So we
searched for a solution and found the ROCD. The idea is, that the ROCD is
located in the DMZ. The ROCD then gets replicated in only one way (First
question: is that even possible to talk in one way?), so we can ask the ROCD
via LDAP for the authentication.
MAIN DC (LAN) ---> ROCD (DMZ) (Only connections from inside to outside)
Web App (DMZ) --> ROCD (DMZ)
How would you solve this problem, that we need domain user accounts in the
"evil" internet? Of course, it would be a major security flaw if we opened
the DMZ ports to the LAN. So keep that in mind please.
We would be very pleased for an answer.
Greetings from Germany,
Robert Leuter
More information about the samba
mailing list