| Author | Messages | |
WEHNERPL@xxxx.yyy
 | | 09/15/2005 1:36 AM |
| We are an edu and have an outside entity requesting access to our
exchange 2003 address book.
I was thinking about creating a proxy user and giving it limited search
rights in AD
(name, email, phone, dept) and acl'ing 389 to the other orgs network.
Is this possible?
Thanks,
Paul
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| Alm@xxxx.yyy
 | | 09/15/2005 1:42 AM |
| It is, but have you considered an alternate method? Maybe a secured web page vs. 389 access to the network?? A web service?
What are the risks that you see in your organization and are trying to mitigate vs. the rewards? How real-time does this need to be?
Allowing access is easy. Doing it in a way that meets your risk tolerance and return on time spent is different and requires a better understanding of your goals and environmental factors.
Al
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Wehner, Paul (wehnerpl)
Sent: Thursday, September 15, 2005 9:35 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] Publish ldap externally
We are an edu and have an outside entity requesting access to our exchange 2003 address book.
I was thinking about creating a proxy user and giving it limited search rights in AD (name, email, phone, dept) and acl'ing 389 to the other orgs network.
Is this possible?
Thanks,
Paul
| | | |
| paul.van.geldrop@xxxx.yyy
 | | 09/15/2005 2:07 AM |
| ________________________________
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Al Mulnick
Sent: Thu 9/15/2005 3:44 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Publish ldap externally
It is, but have you considered an alternate method? Maybe a secured web page vs. 389 access to the network?? A web service?
What are the risks that you see in your organization and are trying to mitigate vs. the rewards? How real-time does this need to be?
Allowing access is easy. Doing it in a way that meets your risk tolerance and return on time spent is different and requires a better understanding of your goals and environmental factors.
Al
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Wehner, Paul (wehnerpl)
Sent: Thursday, September 15, 2005 9:35 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] Publish ldap externally
We are an edu and have an outside entity requesting access to our exchange 2003 address book.
I was thinking about creating a proxy user and giving it limited search rights in AD (name, email, phone, dept) and acl'ing 389 to the other orgs network.
Is this possible?
Thanks,
Paul
> | | | |
| WEHNERPL@xxxx.yyy
 | | 09/16/2005 2:34 AM |
| My initial idea was too complicated and political.
We're going to deploy a separate LDAP (Novell) server for
trusted external entities.
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Geldrop, Paul van
Sent: Thursday, September 15, 2005 9:52 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Publish ldap externally
ADAM in a DMZ, perhaps?
Allowing LDAP queries into your domain sounds risky to me. Proxying into your own AD gives me the chills, quite frankly :P
Another option might be to extract the data periodically through a script and publish it to a secure webpage, like Al suggests. Bit more work, but also much more secure imho.
Regards,
Paul.
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Al Mulnick
Sent: Thu 9/15/2005 3:44 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Publish ldap externally
It is, but have you considered an alternate method? Maybe a secured web page vs. 389 access to the network?? A web service?
What are the risks that you see in your organization and are trying to mitigate vs. the rewards? How real-time does this need to be?
Allowing access is easy. Doing it in a way that meets your risk tolerance and return on time spent is different and requires a better understanding of your goals and environmental factors.
Al
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Wehner, Paul (wehnerpl)
Sent: Thursday, September 15, 2005 9:35 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] Publish ldap externally
We are an edu and have an outside entity requesting access to our exchange 2003 address book.
I was thinking about creating a proxy user and giving it limited search rights in AD (name, email, phone, dept) and acl'ing 389 to the other orgs network.
Is this possible?
Thanks,
Paul
| | | |
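The periodic extract suggested in the thread (pull the data with a script and publish only name, email, phone and dept), shown here as an added example that is not code from any of the posters. It assumes the directory has already been exported to LDIF; the sample entries, the `ALLOWED` map and both function names are constructed for illustration.

```python
import base64

# Allow-list: only the fields named in the thread (name, email, phone, dept).
ALLOWED = {"displayName": "name", "mail": "email",
           "telephoneNumber": "phone", "department": "dept"}
ACCOUNTDISABLE = 0x2  # userAccountControl bit for a disabled account
# Constructed sample export in LDIF form (not real data).
SAMPLE_LDIF = """\
dn: CN=Ada Example,OU=Staff,DC=example,DC=edu
displayName: Ada Example
mail: ada@example.edu
telephoneNumber: +1 555 0100
userAccountControl: 512
memberOf: CN=Domain Admins,CN=Users,DC=example,DC=edu

dn: CN=Old Account,OU=Staff,DC=example,DC=edu
mail: old@example.edu
userAccountControl: 514

dn: CN=Zoe Example,OU=Staff,DC=example,DC=edu
displayName:: Wm/DqyBFeGFtcGxl
mail: zoe@example.edu
department: Chemistry and
  Biology
userAccountControl: 512
"""

def parse_ldif(text):
    """Yield one {attribute: [values]} dict per LDIF entry."""
    for block in text.replace("\n ", "").strip().split("\n\n"):  # unfold lines
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry.setdefault(attr, []).append(value.strip())
        yield entry

def export_address_book(ldif_text):
    """Return allow-listed records for enabled mail users; fail closed."""
    records = []
    for e in parse_ldif(ldif_text):
        uac = int(e.get("userAccountControl", [ACCOUNTDISABLE])[0])
        if uac & ACCOUNTDISABLE or "mail" not in e:
            continue  # disabled, flag missing, or no address: not published
        records.append({out: e[src][0] for src, out in ALLOWED.items() if src in e})
    return records

if __name__ == "__main__":
    print(export_address_book(SAMPLE_LDIF))
```

Because the export is built from an allow-list rather than a deny-list, attributes such as `memberOf` and the `dn` never reach the published copy, even if new attributes are later added to the directory.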