Tags: php, ldap, network-security, secure-coding

Security with cloud applications and PHP/LDAP connections


I'm developing an enterprise cloud application and am addressing the security issues that I will face when using the PHP LDAP library to connect to customer networks to retrieve user objects.

Firstly there's the issue that my clients will have to open up their network to my webservers which, to many, is a huge security risk. Most would even say no to creating firewall rules allowing LDAP queries from my public IPs only.

Secondly the connection would have to remain available at all times so that my application can poll and detect new, disabled and deleted user objects. This further increases the risk factor for my clients.

The third issue is ensuring I only receive read rights to my clients' AD server - how can I ensure that my clients do not accidentally give us write access to their AD? Can I, with PHP, query the permissions of the domain account provided and, if write is included, refuse to accept/store the credentials?

Does anyone have any better suggestions? I can establish an API on my end to listen for and accept instructions from a script my clients can host but that's a pain in the ass - definitely fixes up the security issues though.

There are so many ways of connecting to an LDAP server but not many articles about the best way of synchronising with an LDAP server in a private network from a server on the public network.

Advice desperately needed :)

Thank you!
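The polling the question describes (detect new, disabled and deleted user objects over a standing LDAP connection) is usually done with a uSNChanged watermark plus a periodic full enumeration. The following is an added example, not code from the original post. It assumes an already bound, read-only connection $conn, a placeholder base DN (DC=example,DC=test) and a local store that remembers, per objectGUID, whether each account was last seen disabled.

```php
<?php
// Added example, not from the original post. Assumes $conn is an already bound,
// read-only LDAP connection and that the caller persists the returned watermark.

const ADS_UF_ACCOUNTDISABLE = 0x0002;   // userAccountControl bit: account is disabled

/**
 * Classify one entry from ldap_get_entries() against the locally known users.
 * $known maps hex objectGUID => ['disabled' => bool].
 * Returns 'new', 'disabled', 'enabled' or 'unchanged'.
 */
function classifyUser(array $entry, array $known): string
{
    $guid     = bin2hex($entry['objectguid'][0]);          // objectGUID is binary
    $uac      = (int)($entry['useraccountcontrol'][0] ?? 0);
    $disabled = ($uac & ADS_UF_ACCOUNTDISABLE) !== 0;

    if (!isset($known[$guid])) {
        return 'new';
    }
    if ($disabled !== $known[$guid]['disabled']) {
        return $disabled ? 'disabled' : 'enabled';
    }
    return 'unchanged';
}

/**
 * Deleted users: every known GUID that a full enumeration no longer returns.
 * Comparing sets avoids the Show Deleted control (OID 1.2.840.113556.1.4.417)
 * and the extra rights on the Deleted Objects container it would need.
 * $liveGuids is the list of hex objectGUIDs from a full (unfiltered) listing.
 */
function detectDeleted(array $liveGuids, array $known): array
{
    return array_values(array_diff(array_keys($known), $liveGuids));
}

/**
 * Incremental poll: only objects whose uSNChanged is above the watermark stored
 * from the previous run. uSNChanged is local to each domain controller, so keep
 * one watermark per DC and always poll the same DC with it.
 */
function pollChanges($conn, string $baseDn, int $lastUsn, array $known): array
{
    $filter  = sprintf('(&(objectCategory=person)(objectClass=user)(uSNChanged>=%d))', $lastUsn + 1);
    $attrs   = ['objectGUID', 'sAMAccountName', 'userAccountControl', 'uSNChanged'];
    $changes = [];
    $maxUsn  = $lastUsn;
    $cookie  = '';
    do {
        // Paged results: AD caps a single search at MaxPageSize (1000 by default).
        $res = ldap_search($conn, $baseDn, $filter, $attrs, 0, -1, -1, LDAP_DEREF_NEVER,
            [['oid' => LDAP_CONTROL_PAGEDRESULTS, 'iscritical' => true,
              'value' => ['size' => 500, 'cookie' => $cookie]]]);
        if ($res === false) {
            throw new RuntimeException('search failed: ' . ldap_error($conn));
        }
        ldap_parse_result($conn, $res, $errcode, $matchedDn, $errMsg, $referrals, $controls);
        $entries = ldap_get_entries($conn, $res);
        for ($i = 0; $i < $entries['count']; $i++) {
            $e = $entries[$i];
            $changes[] = [
                'sam'    => $e['samaccountname'][0] ?? '',
                'guid'   => bin2hex($e['objectguid'][0]),
                'change' => classifyUser($e, $known),
            ];
            $maxUsn = max($maxUsn, (int)$e['usnchanged'][0]);
        }
        $cookie = $controls[LDAP_CONTROL_PAGEDRESULTS]['value']['cookie'] ?? '';
    } while ($cookie !== '');

    return ['changes' => $changes, 'watermark' => $maxUsn];
}

// Usage sketch with the placeholder base DN: persist 'watermark' only after the
// changes have been applied locally, so a crash mid-run replays rather than skips.
// $result = pollChanges($conn, 'DC=example,DC=test', $storedUsn, $knownUsers);
```

Entries classified as 'unchanged' are objects whose uSNChanged moved for some other attribute edit and can be ignored. The deletion pass is a full scan of objectGUIDs, so run it far less often than the incremental poll.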


Solution

  • Too many vague statements, but here is a try.

    The third issue is ensuring I only receive read rights to my clients' AD server - how can I ensure that my clients do not accidentally give us write access to their AD? Can I, with PHP, query the permissions of the domain account provided and, if write is included, refuse to accept/store the credentials?

    Sure, why not. But you may have rights to your entry but not others.

    Does anyone have any better suggestions?

    I could not even imagine getting access to any, and certainly not large, organization's LDAP over the Internet. Even if it were secure as an API. You really need an API interface like OAuth or OpenID Connect.
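The answer's "sure, why not" and its caveat about rights on your own entry versus others can be made concrete. Active Directory exposes the constructed attribute allowedAttributesEffective, which lists the attributes the bound account may write on the entry it is read from. The following is an added example, not code from the answer or the original post; the hostname, DNs and environment variable are placeholders.

```php
<?php
// Added example, not from the original answer. Binds with customer-supplied
// credentials over TLS, then reads allowedAttributesEffective on a sample of
// entries to decide whether the account has write rights there.

function connectAndBind(string $uri, string $bindDn, string $password)
{
    $conn = ldap_connect($uri);
    if ($conn === false) {
        throw new RuntimeException("malformed LDAP URI: $uri");
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    // Never send a simple bind in the clear: use ldaps:// or upgrade with StartTLS.
    // Certificate validation is assumed to come from the system ldap.conf
    // (TLS_CACERT, TLS_REQCERT demand).
    if (strncmp($uri, 'ldap://', 7) === 0 && !ldap_start_tls($conn)) {
        throw new RuntimeException('StartTLS failed: ' . ldap_error($conn));
    }
    if (!@ldap_bind($conn, $bindDn, $password)) {
        throw new RuntimeException('bind failed: ' . ldap_error($conn));
    }
    return $conn;
}

/** Attributes the bound account may write on $dn; empty means no write rights on that entry. */
function writableAttributes($conn, string $dn): array
{
    // Constructed attributes are only returned when requested by name.
    $res = ldap_read($conn, $dn, '(objectClass=*)', ['allowedAttributesEffective']);
    if ($res === false) {
        throw new RuntimeException("cannot read $dn: " . ldap_error($conn));
    }
    $entries = ldap_get_entries($conn, $res);
    if ($entries['count'] === 0) {
        return [];
    }
    $vals = $entries[0]['allowedattributeseffective'] ?? ['count' => 0];
    unset($vals['count']);                  // ldap_get_entries() adds a 'count' key
    return array_values($vals);
}

/**
 * Vet a service account before storing its password: sample the entries that
 * will be synced and fail if the account can write anything on any of them.
 * The account's own entry is reported separately, because SELF is normally
 * allowed to edit a few personal attributes; that is the "rights to your own
 * entry but not others" case and is not write access to the directory.
 */
function vetReadOnlyAccount($conn, string $ownDn, array $sampleDns): array
{
    $report = ['ok' => true, 'self' => writableAttributes($conn, $ownDn), 'violations' => []];
    foreach ($sampleDns as $dn) {
        $w = writableAttributes($conn, $dn);
        if ($w !== []) {
            $report['ok'] = false;
            $report['violations'][$dn] = $w;
        }
    }
    return $report;
}

// Placeholder values; replace with the customer's DC and the entries you sync.
$svcDn  = 'CN=svc-sync,OU=Service Accounts,DC=example,DC=test';
$conn   = connectAndBind('ldap://dc1.example.test', $svcDn, getenv('SVC_PASSWORD') ?: '');
$report = vetReadOnlyAccount($conn, $svcDn, [
    'OU=Users,DC=example,DC=test',
    'CN=Alice Example,OU=Users,DC=example,DC=test',
]);
if (!$report['ok']) {
    // Refuse the credentials rather than storing an over-privileged account.
    fwrite(STDERR, 'account has write rights: ' . json_encode($report['violations']) . "\n");
    exit(1);
}
```

The check only proves the absence of write rights on the entries you sampled, which is exactly the limitation the answer points out: AD permissions are per object, so an account can be clean on the users OU and still hold rights elsewhere. Treat a failing check as grounds to reject the credentials, and a passing one as a sanity check on top of asking the customer to create a dedicated account with no group memberships beyond Domain Users.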