Safe to expose Active Directory via LDAPS externally?

  • We currently access Active Directory via LDAPS internally for authentication and user data retrieval. Is it common, or safe, to expose this publicly over LDAPS?

    Addendum 1:

    Our business case: our cloud-based, remotely hosted web application needs to authenticate end users with their local Active Directory.

    Several cloud vendors require LDAP access to AD in order to authenticate users... I can name 10 off the top of my head, so it's not uncommon in a limited scope.

    I would say it is unwise to open up LDAP to the broad internet (no IP filter) without additional controls (VPN, authentication, etc.).

    Since you're exposing your LDAP server to additional load, I would consider the impact it has on other AD-reliant applications like Exchange, or even workstation authentication. You may want to consider standing up a separate AD server in a separate logical site for this purpose. (Exchange has a tendency to touch all AD servers in a site.)
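
    The two controls the answer above recommends (an IP filter in front of LDAPS, and a dedicated DC in its own AD site so Exchange and workstation logons do not land on it) look like this in practice. This is an added example, not code from the original question or answer. It assumes a dedicated DC named DC-EXT01, a new site called CloudAuth, a public name ldaps.example.com, and vendor source ranges 203.0.113.0/24 and 198.51.100.10; all of these are placeholders, and the vendor ranges are documentation addresses standing in for whatever the vendor actually publishes.

```powershell
# Added example (not from the original post). Assumptions: dedicated DC 'DC-EXT01',
# new AD site 'CloudAuth', public name 'ldaps.example.com', and vendor egress ranges
# 203.0.113.0/24 and 198.51.100.10 (documentation ranges, replace with the real ones).
Import-Module ActiveDirectory
Import-Module NetSecurity

$VendorRanges = @('203.0.113.0/24', '198.51.100.10')
$SiteName     = 'CloudAuth'
$ExtDc        = 'DC-EXT01'
$PublicName   = 'ldaps.example.com'

# 1. Isolate the externally reachable DC in its own site. Clients and Exchange pick
#    DCs by site, so nothing internal will prefer this DC once it is moved.
#    (Run from any machine with the AD RSAT tools and Domain Admin rights.)
if (-not (Get-ADReplicationSite -Filter "Name -eq '$SiteName'")) {
    New-ADReplicationSite -Name $SiteName
}
Move-ADDirectoryServer -Identity $ExtDc -Site $SiteName

# 2. On DC-EXT01 itself: keep the default inbound action at Block on every profile,
#    then allow TCP 636 only from the vendor ranges. Plain LDAP on 389 gets no
#    external allow rule at all, so it stays unreachable from those sources.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
New-NetFirewallRule -DisplayName 'LDAPS from cloud vendor' `
    -Direction Inbound -Protocol TCP -LocalPort 636 `
    -RemoteAddress $VendorRanges -Action Allow -Profile Any

# 3. From outside the perimeter: confirm 636 presents a certificate that actually
#    validates for the public name, and that 389 is not reachable at all.
function Test-LdapsCertificate {
    param([string]$Server, [int]$Port = 636)
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        # Throws if the chain, expiry, or hostname does not validate; that is the point.
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Server   = $Server
            Subject  = $cert.Subject
            Issuer   = $cert.Issuer
            NotAfter = $cert.NotAfter
            Protocol = $ssl.SslProtocol
        }
    }
    finally {
        $client.Close()
    }
}

Test-LdapsCertificate -Server $PublicName

# Expect TcpTestSucceeded = False: 389 must not answer from an external vantage point.
(Test-NetConnection -ComputerName $PublicName -Port 389).TcpTestSucceeded
```

    The certificate check matters because the vendor's LDAP client is the only party that can catch a downgrade or spoofed endpoint; if it is configured to skip chain validation, the IP filter is doing all of the work. Run Test-LdapsCertificate from a host on the vendor's side of the filter (or from one of the allowed ranges) rather than from the DC, otherwise you are only testing the loopback path.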

