12-30-2008, 12:57 PM
Junior Member
Posts: 9
Implementation plans

My company currently uses Zimbra for its email. Our mail server is configured as a standalone Zimbra server. We also maintain a separate LDAP server. We have decided to consolidate all of our LDAP resources into a single server, and that the canonical source should be the mail server and not our other LDAP server.

The mail server resides in our DMZ. It makes me very uncomfortable to have our master password database stored in the DMZ, so I would prefer that the master LDAP server reside in the LAN, and the mail server be configured as a replica LDAP server. I realize that this does not provide a great deal more security - a password stolen from a replica server is just as valid as one stolen from the master - but it is a significant enough security gain that I am eager to implement it.

My plan is then to configure a machine to serve as an LDAP replica, with our mail server as the LDAP master, and eventually promote that machine to master status per the instructions in the wiki. There is one small snag to this plan - the mail server resides in the DMZ and must continue to reside in the DMZ for the time being so that our employees can access their email from outside of our network. I'm planning on doing this by configuring the LDAP master to push updates to the mail server by means of syncrepl (as described in the OpenLDAP administrator's guide).

My question, then: has anyone done this (and documented their progress somewhere I can see it?) Alternatively, can anyone recommend a better way to do this? I don't believe moving the mail server into the LAN is an option - our employees must be able to access their email, contacts, and calendar outside of our network.

Last edited by KitPeters; 12-30-2008 at 12:57 PM. Reason: corrected URL syntax