here is the scenario: i have an LDAP host located on an ISP's private network, and i have one of my application servers (i call it nakula) located at the same ISP, luckily designed to have both a private IP and a public IP. so this one will have no problem talking to the LDAP server. but my other application server (let's call this one sadewa) is located on the other side of the world. these applications are heavily dependent on directory entries kept in that LDAP server. nakula has 2 network interfaces: one is for serving its application to the public and is therefore assigned a public IP, and the other one is for talking to the LDAP server, so a private IP is assigned to it. the problem is on sadewa: it has no physical connection to my LDAP server.
there were two options for me at first. one is to put the LDAP server on a public IP too, which is not preferable because of the sensitivity of its contents. another option is to DNAT traffic from sadewa to the LDAP server. the last option is more feasible, but it will cost me another dime. later i found a third option, which is more feasible to me than the second one. the beauty of this approach is that it only involves ssh, and here are the details of it:
- start from sadewa: tell the application to talk to ldap on the localhost/loopback address, say 127.0.0.1:389
- then, tell ssh to sit on 127.0.0.1:389 and, for every connection arriving on that address:port, throw it out to port 22389 on nakula with the ssh command, i.e.:
ssh -N -4 -Cg -L 389:nakula:22389 root@nakula
and pass everything coming back from nakula:22389 to the application.
at this stage, from the application's point of view, it talks to an LDAP server residing on localhost.
- on nakula, tell ssh to sit on nakula:22389 and, for every connection arriving on that address, pass it through to port 389 on the LDAP server with the ssh command, i.e.:
ssh -N -4 -Cg -L 22389:10.10.10.30:389 root@10.10.10.30
and pass everything coming back from 10.10.10.30:389 to sadewa through nakula:22389.
what did i accomplish with this approach? first, it virtually cost me nothing; all that was needed was googling for ssh tunnel and some brief testing. second, a compressed and secured connection between my application server and LDAP server, thanks to ssh's data compression and strong encryption features. and the last thing i found interesting is transparency: i can move my LDAP server anywhere, and all i have to do is change the ssh parameters. from a performance point of view, one cannot tell the difference whether this is local or remote LDAP traffic.
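One thing to check on both hops: the `-g` flag in the commands above makes each forwarded port listen on every interface, so sadewa:389 and nakula:22389 become unauthenticated doors into the private LDAP server for anyone who can reach those public IPs. The script below is an added example (not from this post) that audits `ss -ltnp` output for ssh client forwards not pinned to loopback, using a constructed sample, and shows the explicit-bind `-L` form that replaces `-g` for the same two-hop tunnel.

```python
"""Audit ssh -L listeners for exposure beyond loopback (added example)."""
import re
from typing import List, Tuple

# Constructed sample of `ss -ltnp` output; not captured from the post's hosts.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:389         0.0.0.0:*         users:(("ssh",pid=4242,fd=5))
LISTEN 0      128    [::]:389            [::]:*            users:(("ssh",pid=4242,fd=6))
LISTEN 0      128    127.0.0.1:22389     0.0.0.0:*         users:(("ssh",pid=4243,fd=5))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=900,fd=3))
"""

LOOPBACK = {"127.0.0.1", "[::1]"}
PROC_RE = re.compile(r'\("([^"]+)"')


def parse_listeners(ss_output: str) -> List[Tuple[str, int, str]]:
    """Return (bind_address, port, process_name) for every LISTEN row."""
    rows = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "LISTEN":
            continue  # header or malformed line
        addr, port = parts[3].rsplit(":", 1)
        match = PROC_RE.search(parts[5])
        rows.append((addr, int(port), match.group(1) if match else ""))
    return rows


def exposed_ssh_forwards(ss_output: str) -> List[Tuple[str, int]]:
    """Listeners owned by the ssh *client* (-L forwards) that are not loopback-only.
    With -g the forwarded port binds to all interfaces, so anyone who can reach
    the host gets an unauthenticated path to whatever the tunnel points at."""
    return [(addr, port) for addr, port, proc in parse_listeners(ss_output)
            if proc == "ssh" and addr not in LOOPBACK]


def forward_spec(local_port: int, target_host: str, target_port: int,
                 bind: str = "127.0.0.1") -> str:
    """Build an explicit-bind -L argument, the drop-in replacement for -g."""
    return f"-L {bind}:{local_port}:{target_host}:{target_port}"


if __name__ == "__main__":
    for addr, port in exposed_ssh_forwards(SAMPLE_SS):
        print(f"exposed forward: {addr}:{port}")
    # Same two-hop tunnel as the post, with every listener pinned to loopback;
    # sshd on nakula reaches the second hop via nakula's own 127.0.0.1:22389.
    print("sadewa:", "ssh -N -4 -C", forward_spec(389, "127.0.0.1", 22389), "root@nakula")
    print("nakula:", "ssh -N -4 -C", forward_spec(22389, "10.10.10.30", 389), "root@10.10.10.30")
```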