Stepan Vardanyan via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> writes:
Hello,
I've proposed to migrate from OpenLDAP to a FreeIPA solution in my
organization because the former did not meet our requirements as we are
moving to Single Sign-On. We migrated to FreeIPA but set it up with an
internal DNS name. This was a dumb decision, as we have a lot of external
hosts in AWS and other datacenters which we want to join to our FreeIPA
for authentication with one credential and to utilize policies (HBAC,
sudoers) easily and centrally.
We found that there are two solutions:
- set up tunnels between AWS and the datacenters to make our DNS zone and FreeIPA servers
available;
- redeploy the whole FreeIPA with an external DNS name and expose the FreeIPA servers to the Internet.
We ended up with the second option because the first one is very complex, but the second option makes us
think about security.
What came to mind is:
- disable anonymous bind;
- prohibit unencrypted traffic and improve communications security by using options:
nsslapd-minssf=128, nsslapd-require-secure-binds=on, sslVersionMin=TLS1.1.
So, there are several questions:
1) Is there anything else from a security perspective that we should
care about or configure properly (Kerberos DC, for example)?
Kerberos is fine to expose. If you are concerned, it's possible to
limit the surface with kdcproxy - IPA already sets this up - and then
block port 88.
The main problem, though, with exposing services to the public internet
is handling unexpected load. If you can't handle it, then your system
effectively goes down under DoS.
3) How secure and strong is the default SASL/GSSAPI replication
mechanism?
I've noticed that traffic is encrypted but can be decrypted by using the
server's Kerberos keytab.
This is how Kerberos works, yes. A keytab is a bit like the private key
on a certificate (in this case). Keep your keytabs safe :)
Thanks,
--Robbie
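As an added example that is not part of the thread and not FreeIPA's own tooling, here is a POSIX shell audit of the four directory-server settings the question raises (anonymous access, nsslapd-minssf, nsslapd-require-secure-binds, sslVersionMin), run over an LDIF export of cn=config. The two LDIF samples are constructed for the example, the hostname in the comment is a placeholder, and the TLS1.2 floor is my own choice of baseline rather than a value taken from the thread; adjust the floors in audit_dirsrv to your policy.

```shell
#!/bin/sh
# Added example, not from the thread: audit 389-ds (FreeIPA directory server)
# hardening settings from an LDIF export of cn=config. On a real server the LDIF
# would come from something like (ipa.example.com is a placeholder):
#   ldapsearch -Y GSSAPI -H ldaps://ipa.example.com -b cn=config \
#     nsslapd-allow-anonymous-access nsslapd-minssf nsslapd-require-secure-binds sslVersionMin
# Both LDIF samples below are constructed for this example.

# Constructed sample: the thread's minssf / secure-bind settings applied,
# but anonymous access still on and sslVersionMin left at TLS1.1.
PARTIAL_LDIF='dn: cn=config
nsslapd-allow-anonymous-access: on
nsslapd-minssf: 128
nsslapd-require-secure-binds: on

dn: cn=encryption,cn=config
sslVersionMin: TLS1.1'

# Constructed sample: fully hardened configuration.
HARDENED_LDIF='dn: cn=config
nsslapd-allow-anonymous-access: rootdse
nsslapd-minssf: 128
nsslapd-require-secure-binds: on

dn: cn=encryption,cn=config
sslVersionMin: TLS1.2'

# ldif_attr LDIF ATTR: print the value of the first ATTR line (attribute names are
# case-insensitive in LDIF), or nothing if the attribute is absent.
ldif_attr() {
    printf '%s\n' "$1" | awk -v a="$2" '
        tolower($0) ~ ("^" tolower(a) ":") { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# tls_rank VERSION: numeric rank of an sslVersionMin value so floors can be compared (0 = unknown).
tls_rank() {
    case "$1" in
        TLS1.0) echo 1 ;;
        TLS1.1) echo 2 ;;
        TLS1.2) echo 3 ;;
        TLS1.3) echo 4 ;;
        *)      echo 0 ;;
    esac
}

# audit_dirsrv LDIF: print one PASS/FAIL line per check; exit status = number of failed checks.
# Floors used here: anonymous access off or rootdse (rootdse leaves only the root DSE readable,
# the value FreeIPA documentation uses when disabling anonymous binds), minssf >= 128,
# secure binds required, TLS1.2 as the minimum protocol version (my chosen baseline).
audit_dirsrv() {
    ldif=$1
    fails=0
    anon=$(ldif_attr "$ldif" nsslapd-allow-anonymous-access)
    minssf=$(ldif_attr "$ldif" nsslapd-minssf)
    secbind=$(ldif_attr "$ldif" nsslapd-require-secure-binds)
    tlsmin=$(ldif_attr "$ldif" sslVersionMin)

    case "$anon" in
        off|rootdse) echo "PASS nsslapd-allow-anonymous-access=$anon" ;;
        *) echo "FAIL nsslapd-allow-anonymous-access=${anon:-unset} (want off or rootdse)"
           fails=$((fails + 1)) ;;
    esac

    case "$minssf" in
        ""|*[!0-9]*) echo "FAIL nsslapd-minssf=${minssf:-unset} (want >= 128)"; fails=$((fails + 1)) ;;
        *) if [ "$minssf" -ge 128 ]; then echo "PASS nsslapd-minssf=$minssf"
           else echo "FAIL nsslapd-minssf=$minssf (want >= 128)"; fails=$((fails + 1)); fi ;;
    esac

    if [ "$secbind" = on ]; then echo "PASS nsslapd-require-secure-binds=on"
    else echo "FAIL nsslapd-require-secure-binds=${secbind:-unset} (want on)"; fails=$((fails + 1)); fi

    if [ "$(tls_rank "$tlsmin")" -ge "$(tls_rank TLS1.2)" ]; then echo "PASS sslVersionMin=$tlsmin"
    else echo "FAIL sslVersionMin=${tlsmin:-unset} (want TLS1.2 or newer)"; fails=$((fails + 1)); fi

    return "$fails"
}

# Run both constructed samples; the '||' keeps a non-zero audit status from aborting under set -e.
echo "== partial hardening =="
audit_dirsrv "$PARTIAL_LDIF" || echo "$? check(s) need attention"
echo "== hardened =="
audit_dirsrv "$HARDENED_LDIF" || echo "$? check(s) need attention"
```

The partial sample fails two checks (anonymous access still on, TLS1.1 below the chosen floor) and the hardened sample passes all four. For Robbie's kdcproxy suggestion, the client side is a krb5.conf realm entry of the form `kdc = https://ipa.example.com/KdcProxy` (hostname assumed): MIT krb5 speaks MS-KKDCP to an https:// KDC URL and IPA serves the proxy at /KdcProxy, which is what lets port 88 be firewalled without losing Kerberos for external hosts.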