Hello,
I proposed migrating from OpenLDAP to FreeIPA in my organization because the former did
not meet our requirements as we move to Single Sign-On. We migrated to FreeIPA but set it
up with an internal DNS name. This was a dumb decision, as we have a lot of external hosts
in AWS and other datacenters which we want to join to our FreeIPA for authentication with
one credential and to utilize policies (HBAC, sudoers) easily and centrally.
We found that there are two solutions:
- set up tunnels between AWS and the datacenters to make our DNS zone and FreeIPA servers
available;
- redeploy the whole FreeIPA with an external DNS name and expose the FreeIPA servers to
the Internet.
We ended up with the second option because the first one is very complex, but the second
option makes us think about security.
What came to mind is:
- disable anonymous bind;
- prohibit unencrypted traffic and improve communications security by using the options
nsslapd-minssf=128, nsslapd-require-secure-binds=on, sslVersionMin=TLS1.1.
So, there are several questions:
1) Is there anything else from a security perspective that we should care about or
configure properly (the Kerberos DC, for example)?
2) We want to expose to users only one web service from a specific replica, so users will
not cause replication conflicts by modifying entries on other replicas. Is it OK if we
close the web ports (80, 443) to everything but localhost on the other replicas and leave
all other ports on all replicas (389, 636, 88, 464) open to the Internet?
3) How secure and strong is the default SASL/GSSAPI replication mechanism? I've noticed
that the traffic is encrypted but can be decrypted using the server's Kerberos keytab.
4) Overall, even with all the previous concerns taken into account, is it proper to open
FreeIPA to the Internet? This is kind of a rhetorical question, as we see that this is the
only choice for us, but we just want to hear some advice and an expert's view.
P.S. We don't use FreeIPA's internal DNS service. DNS is configured on the external
hosts.
Thanks in advance.
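As an added example (not part of the post above, and not FreeIPA or 389-ds project code), the script below audits a directory-server configuration export in dse.ldif style for the settings the post lists (nsslapd-minssf, nsslapd-require-secure-binds, anonymous access, sslVersionMin) and emits the ldapmodify LDIF that applies the hardened values. The LDIF samples WEAK, POSTED and HARDENED are constructed for this example; the attribute names are real 389-ds attributes (the first three on cn=config, sslVersionMin on cn=encryption,cn=config). The TLS1.2 floor is this example's own choice rather than the post's TLS1.1, since TLS 1.0 and 1.1 are deprecated by RFC 8996, and the "attribute absent" defaults used when a value is missing are my assumptions about 389-ds defaults.

```python
"""Audit 389-ds / FreeIPA LDAP hardening settings from a dse.ldif-style export.

Added example, not code from the post or the FreeIPA project. Samples are
constructed; the TLS1.2 floor and the absent-attribute defaults are assumptions.
"""
import re

TLS_ORDER = {"TLS1.0": 0, "TLS1.1": 1, "TLS1.2": 2, "TLS1.3": 3}


def parse_ldif(text):
    """Minimal LDIF parser -> {dn (lowercased): {attr (lowercased): [values]}}.
    Unfolds continuation lines (leading space) and skips '#' comments."""
    entries = {}
    unfolded = re.sub(r"\n ", "", text)
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            key, _, val = line.partition(":")
            key, val = key.strip().lower(), val.strip()
            if key == "dn":
                dn = val.lower()
            else:
                attrs.setdefault(key, []).append(val)
        if dn:
            entries[dn] = attrs
    return entries


def first(entries, dn, attr, default):
    """First value of attr on dn, or default when the attribute is absent."""
    vals = entries.get(dn.lower(), {}).get(attr.lower())
    return vals[0] if vals else default


def audit(ldif_text, min_ssf=128, min_tls="TLS1.2"):
    """Return a list of findings; an empty list means every check passed."""
    e = parse_ldif(ldif_text)
    cfg, enc = "cn=config", "cn=encryption,cn=config"
    findings = []

    # Assumed default 0: no security-strength floor, cleartext LDAP is accepted.
    ssf = int(first(e, cfg, "nsslapd-minssf", "0"))
    if ssf < min_ssf:
        findings.append(f"nsslapd-minssf={ssf} is below {min_ssf}: "
                        "cleartext LDAP operations are accepted")

    # Assumed default off: simple binds may carry the password in cleartext.
    if first(e, cfg, "nsslapd-require-secure-binds", "off").lower() != "on":
        findings.append("nsslapd-require-secure-binds is not on: "
                        "simple binds may send passwords in cleartext")

    # Assumed default on; 'rootdse' keeps only the root DSE anonymously readable.
    anon = first(e, cfg, "nsslapd-allow-anonymous-access", "on").lower()
    if anon not in ("off", "rootdse"):
        findings.append(f"nsslapd-allow-anonymous-access={anon}: "
                        "anonymous bind and directory search are allowed")

    # Assumed default TLS1.0 when unset; anything below the floor is a finding.
    tls = first(e, enc, "sslVersionMin", "TLS1.0").upper()
    if TLS_ORDER.get(tls, -1) < TLS_ORDER[min_tls]:
        findings.append(f"sslVersionMin={tls} is below {min_tls}: "
                        "deprecated TLS versions are negotiable")
    return findings


def remediation_ldif(min_ssf=128, min_tls="TLS1.2"):
    """LDIF for `ldapmodify -x -D 'cn=Directory Manager' -W -f fix.ldif`
    applying the hardened values; 'rootdse' denies anonymous tree searches
    while leaving the root DSE readable for client capability discovery."""
    return (
        "dn: cn=config\nchangetype: modify\n"
        f"replace: nsslapd-minssf\nnsslapd-minssf: {min_ssf}\n-\n"
        "replace: nsslapd-require-secure-binds\nnsslapd-require-secure-binds: on\n-\n"
        "replace: nsslapd-allow-anonymous-access\n"
        "nsslapd-allow-anonymous-access: rootdse\n-\n"
        "\n"
        "dn: cn=encryption,cn=config\nchangetype: modify\n"
        f"replace: sslVersionMin\nsslVersionMin: {min_tls}\n-\n"
    )


# Constructed samples: stock values, the post's proposal, and a hardened config.
WEAK = """\
# constructed sample: settings before hardening
dn: cn=config
cn: config
nsslapd-minssf: 0
nsslapd-require-secure-binds: off
nsslapd-allow-anonymous-access: on

dn: cn=encryption,cn=config
cn: encryption
sslVersionMin: TLS1.0
"""

POSTED = WEAK.replace("minssf: 0", "minssf: 128") \
             .replace("secure-binds: off", "secure-binds: on") \
             .replace("anonymous-access: on", "anonymous-access: rootdse") \
             .replace("TLS1.0", "TLS1.1")

HARDENED = POSTED.replace("TLS1.1", "TLS1.2")

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("posted", POSTED), ("hardened", HARDENED)):
        print(f"{name}: {audit(sample) or ['all checks passed']}")
    print(remediation_ldif())
```

To audit a live server, export cn=config and cn=encryption,cn=config (for example with ldapsearch as Directory Manager, with LDIF wrapping disabled) and pass the text to audit(). nsslapd-minssf applies to the security strength factor negotiated by either TLS or SASL/GSSAPI, so it also constrains Kerberos-authenticated sessions, and changes to sslVersionMin take effect only after the directory server is restarted.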