Hello all!
Thank you for looking at my question. As the title suggests, we are rolling out new software that is hosted offsite and requires an LDAP connection to our Active Directory store for user authentication and content management via security groups.
Of course, our domain controllers are not accessible from the web. However, we do have a DMZ box that is able to communicate with the domain controller over LDAPS. This was configured for an unrelated project, whose software was installed on the DMZ box.
What I think I need is what I will call an "LDAP Proxy" that allows LDAP(S) queries to be run against the DMZ box, which in turn actually queries the real domain controller. Can this be done with AD LDS? If so, can it be done without "mirroring" or syncing the user accounts between AD DS and the LDS instance? I would prefer the service account to be the only account with the ability to run queries against the DMZ box, as that is all this software needs. It uses this "service" account to look up users to determine logins and what content should be delivered to the users.
Of course, I will layer on security by preventing any authentication requests but those from the server that will be running the third-party software.
Are there any recommendations for this type of setup? I would prefer to use Microsoft products, and would prefer to avoid an RODC in the DMZ.
Thank you all for your support!
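The post above asks for a front-end on the DMZ box that only lets one application server bind as one service account. As an added example (not part of the original post, and not AD LDS or any Microsoft product configuration), the Python below shows what that restriction looks like at the protocol level: it decodes the BER-encoded LDAPv3 BindRequest (RFC 4511) that a client sends first, and applies an allowlist on the source address and the bind DN before anything is forwarded to the real domain controller. Anonymous binds (empty DN) and binds from other hosts are refused. The service account DN `CN=svc-ldapproxy,OU=Service Accounts,DC=corp,DC=example`, the application server address `10.0.5.20`, and the sample messages are all constructed for this illustration.

```python
"""Inspect an LDAP BindRequest and enforce a source-host / bind-DN allowlist,
as a front-end LDAP(S) proxy on a DMZ host would. Standard library only.
All DNs, addresses and messages below are constructed for the example."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Tuple

# Assumed deployment values (not from the original post).
SERVICE_DN = "CN=svc-ldapproxy,OU=Service Accounts,DC=corp,DC=example"
APP_SERVER_NETS = [ipaddress.ip_network("10.0.5.20/32")]


# --- minimal BER helpers, enough for LDAPMessage / BindRequest ---------------
def _ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])                      # short form
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body    # long form


def _ber_int(n: int) -> bytes:
    return n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big")  # non-negative


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported BER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end


def build_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """Encode LDAPMessage{messageID, BindRequest{version 3, name, simple pw}}.
    Used here only to construct sample traffic for the parser."""
    bind = (_tlv(0x02, _ber_int(3))           # version INTEGER 3
            + _tlv(0x04, dn.encode())         # name LDAPDN (OCTET STRING)
            + _tlv(0x80, password.encode()))  # authentication [0] simple
    return _tlv(0x30, _tlv(0x02, _ber_int(message_id)) + _tlv(0x60, bind))


@dataclass(frozen=True)
class BindRequest:
    message_id: int
    version: int
    dn: str
    method: str  # "simple", "sasl" or "unknown"; credentials are never kept


def parse_bind_request(data: bytes) -> BindRequest:
    """Decode the fields a proxy needs to make a policy decision."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = _read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x60:                            # [APPLICATION 0] BindRequest
        raise ValueError("not a BindRequest (tag 0x%02x)" % tag)
    vtag, ver, pos = _read_tlv(op, 0)
    ntag, name, pos = _read_tlv(op, pos)
    atag, _auth, _ = _read_tlv(op, pos)        # deliberately not retained
    if (vtag, ntag) != (0x02, 0x04):
        raise ValueError("malformed BindRequest")
    method = {0x80: "simple", 0xA3: "sasl"}.get(atag, "unknown")
    return BindRequest(int.from_bytes(mid, "big"), int.from_bytes(ver, "big"),
                       name.decode(), method)


def authorize_bind(src_ip: str, req: BindRequest,
                   allowed_nets: Iterable[ipaddress.IPv4Network],
                   allowed_dn: str) -> Tuple[bool, str]:
    """Allow only the application server binding as the proxy service account."""
    src = ipaddress.ip_address(src_ip)
    if not any(src in net for net in allowed_nets):
        return False, "source host not allowlisted"
    if req.version != 3:
        return False, "LDAPv3 required"
    if req.method != "simple":
        return False, "only a simple bind is expected from this client"
    if not req.dn or req.dn.lower() != allowed_dn.lower():
        return False, "bind DN is not the service account"  # also rejects anonymous
    return True, "ok"


if __name__ == "__main__":
    good = parse_bind_request(build_simple_bind(1, SERVICE_DN, "hunter2"))
    print(authorize_bind("10.0.5.20", good, APP_SERVER_NETS, SERVICE_DN))
    print(authorize_bind("10.0.9.9", good, APP_SERVER_NETS, SERVICE_DN))
```

In a real deployment the same two checks belong on the DMZ host's firewall (source address) and in the directory's own permissions (which account may bind and search), so that this filter is defence in depth rather than the only control; the proxy must also never log or retain the credential bytes it passes through, which is why `_auth` is discarded above.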