Hi Natxo,
> A vpn between data centers is a best practice. It does not have to be very
> complex or expensive, openvpn comes to mind, but if you have no experience
> with vpns I can understand that they can look very hard.

I have enough experience with OpenVPN) The problem is that we have dozens of AWS
accounts (or datacenters), so an OpenVPN server would have to be set up in every
account with proper monitoring, because if the VPN fails, authentication stops
working (the sssd cache buys some time, but it is still a single point of failure).
Things get worse if we stick with the private DNS zone in FreeIPA: that requires
setting up local DNS forwarding in every AWS account. Maintaining this is pretty hard.
> This is ok, I would probably bump tls to 1.2 but you may have applications
> that do not work properly with that so you know better ;-)

You guessed correctly) Some legacy applications are still in place, and they are
bound to LDAP.

Thanks. Will take a look.
> This is a bit unclear. All objects in the ldap servers are replicated (all
> ldap servers are masters).

> You do not need to open the whole internet to your environment, you can
> firewall everything but the hosts that need authenticating/authorizing.

The problem is that AWS is kind of dynamic. If a host does not use an Elastic IP
(static) but a plain public one, it will change after the instance is stopped and
started. Firewalling AWS hosts would be a nightmare)
As for HTTP: we would like to keep LDAP consistent. Actually we want a master/slave
scheme, and we are trying to achieve it in that dirty way. The problem with
multi-master is that it opens the possibility of replication conflicts when
simultaneous changes to one object are made on different replicas. There is even
an RFC which describes it:
https://tools.ietf.org/html/draft-zeilenga-ldup-harmful-00
Thanks.
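The replication-conflict point raised above, as an added example that is not part of this thread and is not FreeIPA or 389-ds code: a toy model of two LDAP masters using CSN-based "last writer wins" per attribute. The CSN layout (timestamp, sequence, replica id) and the habit of moving a replica's clock forward when it receives a newer remote change follow the general scheme 389-ds uses; everything else, including the sample DN, the `loginShell` values and the one-second clock, is constructed for illustration. The point it makes concrete is the one the thread argues about: when two masters change the same attribute before replicating, both converge to one value, but one administrator's write is silently discarded, which a sequential write through a single master would never do.

```python
"""Toy model of multi-master LDAP replication with CSN-based conflict resolution.
Constructed example for the discussion above; NOT FreeIPA/389-ds code."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(order=True, frozen=True)
class CSN:
    """Change sequence number, ordered by timestamp, then sequence, then replica id.
    The replica id is the tie-break that makes 'last writer wins' deterministic."""
    timestamp: int
    seq: int
    replica_id: int


@dataclass(frozen=True)
class Change:
    csn: CSN
    dn: str
    attr: str
    value: str
    base: Optional[CSN]  # CSN of the value this write replaced locally (None: unset)


class Replica:
    """One LDAP master: entries, a changelog of its own writes, and a toy clock."""

    def __init__(self, replica_id: int) -> None:
        self.replica_id = replica_id
        self.clock = 0  # seconds, advanced by tick()
        self.seq = 0    # per-second sequence counter
        self.entries: Dict[str, Dict[str, Tuple[str, CSN]]] = {}
        self.changelog: List[Change] = []

    def tick(self, seconds: int = 1) -> None:
        self.clock += seconds
        self.seq = 0

    def get(self, dn: str, attr: str) -> Optional[str]:
        current = self.entries.get(dn, {}).get(attr)
        return current[0] if current else None

    def modify(self, dn: str, attr: str, value: str) -> Change:
        """Local write: stamp with a fresh CSN, apply it, queue it for replication."""
        current = self.entries.get(dn, {}).get(attr)
        self.seq += 1
        change = Change(CSN(self.clock, self.seq, self.replica_id), dn, attr, value,
                        current[1] if current else None)
        self.apply(change)
        self.changelog.append(change)
        return change

    def apply(self, change: Change) -> None:
        """Apply a local or replicated change: the newest CSN wins per attribute."""
        # Keep the local CSN generator ahead of anything already seen, so a later
        # local write can never be stamped older than the remote write it builds on.
        if (change.csn.timestamp, change.csn.seq) > (self.clock, self.seq):
            self.clock, self.seq = change.csn.timestamp, change.csn.seq
        entry = self.entries.setdefault(change.dn, {})
        current = entry.get(change.attr)
        if current is None or change.csn > current[1]:
            entry[change.attr] = (change.value, change.csn)


def replicate(src: Replica, dst: Replica) -> None:
    """Push src's own writes to dst; re-sending is harmless because an already
    applied CSN never compares greater than itself."""
    for change in src.changelog:
        dst.apply(change)


def concurrent(a: Change, b: Change) -> bool:
    """Two writes to the same attribute conflict when both were made on top of the
    same prior value, i.e. neither replica had seen the other's write yet."""
    return (a.dn, a.attr) == (b.dn, b.attr) and a.base == b.base and a.csn != b.csn


USER_DN = "uid=jdoe,cn=users,cn=accounts,dc=example,dc=com"  # constructed sample entry


def run_scenario(sequential: bool) -> dict:
    """sequential=True: replica 2 writes only after seeing replica 1's write.
    sequential=False: both replicas write in the same second, before replicating."""
    r1, r2 = Replica(1), Replica(2)
    r1.modify(USER_DN, "loginShell", "/bin/sh")
    replicate(r1, r2)          # both masters agree on the starting value
    r1.tick()
    r2.tick()
    a = r1.modify(USER_DN, "loginShell", "/bin/bash")
    if sequential:
        replicate(r1, r2)      # replica 2 sees /bin/bash before writing itself
    b = r2.modify(USER_DN, "loginShell", "/bin/zsh")
    replicate(r1, r2)
    replicate(r2, r1)
    final = r1.get(USER_DN, "loginShell")
    conflict = concurrent(a, b)
    return {
        "replica1": final,
        "replica2": r2.get(USER_DN, "loginShell"),
        "converged": final == r2.get(USER_DN, "loginShell"),
        "conflict": conflict,
        # A write is only 'lost' when it was overwritten by a concurrent write
        # that its author never saw; an intentional later overwrite is not lost.
        "lost_writes": [c.value for c in (a, b) if conflict and c.value != final],
    }


if __name__ == "__main__":
    print("sequential:", run_scenario(sequential=True))
    print("concurrent:", run_scenario(sequential=False))
```

Both scenarios end with every master holding `/bin/zsh`, so "the directory is consistent" is true in both; the difference is that in the concurrent case the `/bin/bash` write is gone without anyone being told. The clock adjustment in `apply` is also worth noting: without it a master whose clock lags would stamp its next write with an older CSN than the remote change it had just accepted, and its own write would lose to data it had already seen.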