Channel: Directory Services forum

DMZ authentication scenario with AD-LDS or RODC


Hello!

I'm trying to find the best solution for the following scenario:

A customer wants to authenticate AD users via LDAP in an application hosted in a DMZ. I have read a lot about ADLDS now and came up with the following options.

First option: Seems a good fit for ADLDS and ADAMSYNC:

Application - ADLDS - |Firewall| - ADDS

But passwords should be in sync too... As it is a "small" customer, there is no FIM for password sync etc.

Second option: So I thought about using proxyUser, but this requires the ADLDS server to be a member of the domain, right? - A lot of firewall ports will be opened. Seems not the best solution for me.

The third option I thought about is using an RODC (in a dedicated site) on the internal network and just opening 636 for LDAP authentication.

Application - |Firewall| - RODC

Seems a better solution than the proxyUser method.

So there will be two options:
- Option 1: Authentication with ADLDS and principal authentication (simple bind), and going with different user passwords for external and internal.
- Option 3: RODC in internal network

Any advice here? Which option would you choose? 
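The third option depends on the application binding to the RODC only over LDAPS, with the server certificate actually checked, so that the simple-bind password never crosses the firewall in clear text. Below is an added example (not from the original post) of such a check from the DMZ side using the .NET System.DirectoryServices.Protocols API; the host name, port, base DN and account are placeholders, and Test-LdapsSimpleBind is a hypothetical function name.

```powershell
# Added example: verify the DMZ -> RODC path of option 3 with a simple bind
# over LDAPS (TCP 636) and strict server certificate validation.
# Server, BaseDn and the credential are placeholders supplied by the caller.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapsSimpleBind {
    param(
        [Parameter(Mandatory)] [string] $Server,             # e.g. rodc01.corp.example (placeholder)
        [int] $Port = 636,
        [Parameter(Mandatory)] [pscredential] $Credential,   # the application's service account
        [Parameter(Mandatory)] [string] $BaseDn              # e.g. 'DC=corp,DC=example' (placeholder)
    )

    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.SecureSocketLayer = $true   # TLS from the first byte (port 636), not StartTLS

    # Accept the RODC only if its certificate chains to a trusted CA and names
    # the host we asked for; without this callback a bad certificate would be
    # silently accepted. GetNewClosure() captures $Server for the delegate.
    $verify = {
        param($connection, $certificate)
        $cert2 = [System.Security.Cryptography.X509Certificates.X509Certificate2]$certificate
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($cert2)
        # First DNS name of the certificate (SAN or CN); extend for multi-SAN certificates.
        $dnsName = $cert2.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        $nameOk = ($dnsName -ieq $Server)
        if (-not ($chainOk -and $nameOk)) {
            Write-Warning "Rejected certificate: subject=$($cert2.Subject) chain=$chainOk name=$nameOk"
        }
        return ($chainOk -and $nameOk)
    }.GetNewClosure()
    $conn.SessionOptions.VerifyServerCertificate = [System.DirectoryServices.Protocols.VerifyServerCertificateCallback]$verify

    # Simple bind: user name and password are sent only inside the TLS session.
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Bind($Credential.GetNetworkCredential())

    # A base-scope read of the naming context proves the bound identity can query.
    $scope = [System.DirectoryServices.Protocols.SearchScope]::Base
    $search = New-Object System.DirectoryServices.Protocols.SearchRequest($BaseDn, '(objectClass=*)', $scope, 'distinguishedName')
    $result = $conn.SendRequest($search)
    $conn.Dispose()
    return ($result.Entries.Count -eq 1)
}

# Usage (placeholders): Test-LdapsSimpleBind -Server 'rodc01.corp.example' -Credential (Get-Credential) -BaseDn 'DC=corp,DC=example'
```

If the bind fails with a certificate warning rather than an LDAP error, the firewall rule is fine but the RODC certificate (or the DMZ host's trust store) needs attention before the application goes live.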
