Is it generally acceptable to expose LDAP in read only mode to the Internet?

Solution 1:

It depends completely on what's in the LDAP directory.

For Active Directory, absolutely not, even for an RODC - the security profile of these devices is designed for being inside your network (the RODC specifically is hardened against physical compromise, so you can keep it in a closet - a physical compromise of a normal DC would give an attacker control of the domain and all users' password hashes).

An attacker could gain a mountain of information from AD - usernames to try to authenticate with, system names, some amount of network topology. If that is not enough to attack with directly (password attacks against a different public endpoint, like VPN?), it is certainly enough to put together a solid social engineering or spear phishing attack.

Solution 2:

No, it would not be generally acceptable. Not sure what you are trying to achieve, but I would say the correct way is to first establish a VPN connection and then connect to LDAP.