Secure way to allow LDAP queries over the net?

Zartanasaurus Member Posts: 2,008
Pretty much what the title says. An outside vendor has a website our employees will be using. They want to be able to query our AD so they can use their employee credentials on the website instead of maintaining a separate database. Their pre-canned solution is us publishing an LDAPS port to the internet for them to query. While that has some security, combined with limiting the source address to their IP range via FW rules, I want to at least be able to limit their queries to one or two OUs and not be able to query the entire directory.

AD LDS doesn't have the ability to sync passwords and I don't think Federation Services is going to be an option.


  • Everyone Member Posts: 1,661
    Give the vendor an account that only has read permissions to a specific OU. Put everything you need to be picked up by the query in that OU (you can put sub-OUs under it if you want). Give them that OU as the search path.

    I think you will have to set some deny permissions on this account for the areas you don't want them to see. IIRC the "Authenticated Users" group has read permissions by default in AD. So if you create an account and they set the root of the domain as the search path, instead of the search path you give them, they'd still be able to see objects outside of the OUs you want them to see it in, unless you explicitly deny that account permissions.
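An added example of the approach described in this reply, not code from the thread: a PowerShell script that creates the vendor bind account, grants it read on one OU, applies the deny ACEs, and then binds as that account to check what a root-scoped search really returns. The domain, OU names and account name are assumed placeholders; the final check matters most, because an inherited deny can be outranked by an explicit allow already present on objects (for example the default Authenticated Users read), so the only reliable test is to query as the vendor account.

```powershell
# Added example (not from the thread). Assumed names: OU "Vendor-Visible" holds
# everything the vendor may see, OUs "Staff" and "Servers" must stay hidden,
# bind account is svc-vendor-ldap. Run as a domain admin on a DC or RSAT host.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainDN  = $domain.DistinguishedName
$netbios   = $domain.NetBIOSName
$vendorOU  = "OU=Vendor-Visible,$domainDN"
$hiddenOUs = @("OU=Staff,$domainDN", "OU=Servers,$domainDN")   # assumed
$svcName   = "svc-vendor-ldap"
$svcPass   = Read-Host -AsSecureString "Password for $svcName"

# 1. Create the bind account inside the OU it is allowed to read.
New-ADUser -Name $svcName -SamAccountName $svcName -Path $vendorOU `
    -AccountPassword $svcPass -Enabled $true -PasswordNeverExpires $true `
    -Description "Read-only LDAP bind account for external vendor site"

# 2. Generic read (GR) on the vendor OU and everything beneath it (/I:T = this object and subtree).
dsacls $vendorOU /I:T /G "${netbios}\${svcName}:GR"

# 3. Authenticated Users read most of the directory by default, so explicitly deny
#    this account read on the containers it must not see, as the reply suggests.
foreach ($ou in $hiddenOUs) {
    dsacls $ou /I:T /D "${netbios}\${svcName}:GR"
}

# 4. Verify as the vendor account with the search base set to the domain root, i.e.
#    what the vendor could do if they ignore the search path you hand them.
#    Any object printed here is outside the vendor OU and still readable: fix that
#    before publishing the LDAPS endpoint.
$cred = New-Object System.Management.Automation.PSCredential("$netbios\$svcName", $svcPass)
$leaked = Get-ADObject -Filter { objectClass -eq "user" } -SearchBase $domainDN `
              -SearchScope Subtree -Credential $cred |
          Where-Object { $_.DistinguishedName -notlike "*,$vendorOU" }

if ($leaked) {
    Write-Warning "Vendor account can still read $($leaked.Count) object(s) outside $vendorOU"
    $leaked | Select-Object DistinguishedName
} else {
    Write-Output "OK: root-scoped search as $svcName returns only objects under $vendorOU"
}
```

Re-run step 4 whenever new OUs or containers are added, since a deny applied today does not cover a container created later unless it is placed under one that already carries the deny.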