[Samba] RODC in DMZ

Kees van Vloten keesvanvloten at gmail.com
Fri Dec 13 13:15:01 UTC 2024


Op 13-12-2024 om 13:26 schreef Ilias Chasapakis forumZFD via samba:
> Der Rowland,
>
> We share that concerns actually and of course if there is a way to 
> avoid it, it is always better. Another fellow suggested us an 
> LDAP-Proxy instead (personally have never setup one). What we actually 
> need in our case scenario, is only that service and not the rest of 
> bells and whistles of an RODC.

Openldap-proxy is quite simple.

On Debian install slapd, then configure /etc/ldap/slapd.conf and 
/etc/default/slapd. The config files below allows read-only proxying of 
the DN-subtree, it listens to ldaps (tcp/636) and also forwards as ldaps 
to AD.

/etc/ldap/slapd.conf:

# Configuration to proxy subtree to AD backend

include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/misc.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

TLSDHParamFile /etc/ssl/certs/dhparam.pem
TLSCACertificateFile /etc/ssl/certs/ca.pem
# Enable tls by providing the server cert
TLSCertificateFile /etc/ssl/certs/<HOSTNAME>.crt
TLSCertificateKeyFile /etc/ssl/private/<HOSTNAME>.key

# loglevel 896 = acl-processing,stat,stat2, this logs queries and responses
#          -1 = enable all
loglevel 896

modulepath  /usr/lib/ldap/
moduleload  back_ldap
moduleload  back_meta
moduleload  memberof
moduleload  mr_passthru

# Per database settings
database meta

readonly yes
protocol-version 3
chase-referrals no
sizelimit 1000
suffix "<AD_BASE_DN>"

uri "ldaps://<FQDN-AD-DC-1>/<AD_BASE_DN>" "<FQDN-AD-DC-2>"

# It turns out we cannot limit:
#   - what is in a query (i.e. restrict it to a certain pattern)
#   - the bind-dn to a dn.subtree

# We can limit what is returned, i.e. only objects (users) from these 
dn.subtrees,
#   other output of a filter is silently dropped
access to dn.subtree="<DN-TO-WITH-READ-ACCESS>"
     by users read
     by * none

/etc/default/slapd:

SLAPD_USER="openldap"
SLAPD_GROUP="openldap"
SLAPD_PIDFILE=
SLAPD_SERVICES="ldaps:///"
SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
SLAPD_OPTIONS=""

I am using this for LDAP queries from my DMZ. It needs just one open 
port (tcp/636) and limits ldap-queries to permissions setup in 
slapd.conf (read on dn-subtree). That prevents unwanted open ports and 
the ability to enumerate the whole ldap-tree of AD from the DMZ. As you 
can see in the comment in slapd.conf, you can define the service-user-dn 
outside of the defined filter scope access, which is kind of a nice 
'feature'.

- Kees.

>
> I just was wondering if someone had experience with what happens if 
> one does actually close some of these ports which in the end are 
> unused (of course join and replication should also be able to go on). 
> The implications of opening anything on a DMZ to an internal network 
> are for sure not nice (even with very restricted accesses) unless 
> compromises are needed for practical reasons.
>
> Thanks for sharing your thought on this.
>
> Best
> Ilias
>
> Am 13.12.24 um 11:53 schrieb Rowland Penny via samba:
>> Well, personally, I wouldn't put anything to do with AD into a DMZ, but
>> that is probably just me. Any AD client in a DMZ (and that includes an
>> RODC) must 'talk' to an internal DC.
>>
>> If you must do this, Microsoft has documentation here:
>>
>> https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd728034(v=ws.10)?redirectedfrom=MSDN 
>>
>>
>> Rowland
>>
>>



More information about the samba mailing list