On Thu, 7 Oct 2010, Mathieu Baudier wrote:
You can also use StartTLS over the network and LDAPI (connection over Unix sockets, which are inherently secure) for apps running on the server. I use it, both with OpenLDAP and 389 Directory Server (a.k.a. Fedora DS, Red Hat DS).
Unfortunately, I have a whole LAN whose user/group/auth management is centralized with LDAP (each server having different apps). So I need plain LDAP access on the LAN.
One possible solution is to have the main LDAP server addressable only via STARTTLS and a non-SSL, read-only slave on a different host that's visible only to your LAN.
Read up on the "syncrepl" directive for use in slapd.conf.
The slave could even exist in a VM hosted on the main LDAP server, since it's a very lightweight service.