Secure way to allow LDAP queries over the net?
Zartanasaurus
Pretty much what the title says. An outside vendor has a website our employees will be using. They want to be able to query our AD so they can use their employee credentials on the website instead of maintaining a separate database. Their pre-canned solution is us publishing an LDAPS port to the internet for them to query. While that has some security, combined with limiting the source address to their IP range via FW rules, I want to at least be able to limit their queries to one or two OUs and not be able to query the entire directory.
AD LDS doesn't have the ability to sync passwords and I don't think Federation Services is going to be an option.
Comments
Give the vendor an account that only has read permissions to a specific OU. Put everything you need to be picked up by the query in that OU (you can put sub-OUs under it if you want). Give them that OU as the search path.
I think you will have to set some deny permissions on this account for the areas you don't want them to see. IIRC the "Authenticated Users" group has read permissions by default in AD. So if you create an account and they set the root of the domain as the search path, instead of the search path you give them, they'd still be able to see objects outside of the OUs you want them to see them in, unless you explicitly deny that account permissions.
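A worked version of the two steps in the answer above (read-only account scoped to one OU, explicit deny elsewhere, then a check with the domain root as search base), added here as an example; it is not code from the original thread or from the poster. The account name svc-vendorldap, the OU VendorPortalUsers, the ServiceAccounts OU and the list of containers to hide are assumptions for illustration; substitute your own.

```powershell
# Added example, not from the original post. Run as a domain admin on a box with RSAT.
# Assumed (hypothetical) names: svc-vendorldap, OU=VendorPortalUsers, OU=ServiceAccounts,
# and the containers listed in $hideDNs.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$svcName  = 'svc-vendorldap'                                   # hypothetical bind account
$allowOU  = "OU=VendorPortalUsers,$domainDN"                   # the only search base the vendor gets
$hideDNs  = @("OU=Executives,$domainDN", "CN=Users,$domainDN") # hypothetical areas to hide

# 1. Create the bind account. It gets no group memberships beyond Domain Users; the
#    only rights it needs are the ACEs set below.
$pw = Read-Host -AsSecureString -Prompt "Password for $svcName"
New-ADUser -Name $svcName -SamAccountName $svcName -AccountPassword $pw -Enabled $true `
    -Path "OU=ServiceAccounts,$domainDN" -Description 'Vendor LDAPS read-only bind'
$svcSid = (Get-ADUser -Identity $svcName).SID

function Add-AdAce {
    # Helper (local to this example): add one inheritable GenericRead ACE for $svcSid.
    param([string]$Dn, [System.Security.AccessControl.AccessControlType]$Type)
    $acl = Get-Acl -Path "AD:\$Dn"
    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $svcSid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
        $Type,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$Dn" -AclObject $acl
}

# 2. Explicit allow on the OU the vendor is supposed to search (and its sub-OUs).
Add-AdAce -Dn $allowOU -Type Allow

# 3. Explicit deny on everything that must stay invisible. This is what overrides the
#    default read that Authenticated Users already has on those objects.
foreach ($dn in $hideDNs) { Add-AdAce -Dn $dn -Type Deny }

# 4. Check from the account's own point of view, using the domain root as the search
#    base the way a misbehaving vendor would. The output is the list of parent containers
#    whose users are still visible; the hidden ones must not appear.
$cred = [System.Management.Automation.PSCredential]::new("$env:USERDNSDOMAIN\$svcName", $pw)
Get-ADUser -Filter * -SearchBase $domainDN -Credential $cred |
    Group-Object { ($_.DistinguishedName -split ',', 2)[1] } |
    Select-Object Count, Name
```

Two things to keep in mind when reading the result: the deny only hides what you listed, so any container you forgot stays readable through the default Authenticated Users grant, and the account can still bind to LDAPS regardless of these ACEs, so the firewall restriction to the vendor's source range in the question remains the control that limits who can try that bind at all.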