Dmitri Pal, the director at Red Hat who manages Red Hat IdM, says that IdM
is great for internal stuff but you should use Directory Server for outside
stuff or if you need a customized schema. Both can be integrated with Red
Hat SSO.
On Tue, May 21, 2019 at 1:19 PM Charles Hedrick via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
2 of our 3 IPA servers are exposed to the Internet. However, we have a host firewall that limits the hosts that can access us. We use iptables with an ipset. I have a cron job that dumps a list of hosts known to IPA and adds them to the ipset. So basically we’ll only accept connections from hosts that we know about. That was easier for us to manage than to do things on a network basis, since we’ve got hosts in lots of subnets. I use the kdcproxy for working at home.
Initially I thought we’d expose the IPA web interface. But in the end users normally do things with custom web applications I’ve written, so we didn’t need to make the IPA web app available. My web application runs on a different server.
> On May 21, 2019, at 12:48 PM, Stepan Vardanyan via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
>
> Hi Natxo,
>
>> A vpn between data centers is a best practice. It does not have to be very
>> complex or expensive, openvpn comes to mind, but if you have no experience
>> with vpns I can understand that they can look very hard.
> I have enough experience with OpenVPN) The problem is that we have dozens of AWS accounts (or datacenters), so an OpenVPN server has to be set up in every account with proper monitoring, because if the VPN fails, authentication stops working (the sssd cache saves some time, but it's still one point of failure). Things get worse if we stick with a private DNS zone in FreeIPA. This requires setting up local DNS forwarding in every AWS account. Maintaining this is pretty hard.
>
>> This is ok, I would probably bump tls to 1.2 but you may have applications
>> that do not work properly with that so you know better ;-)
> You guessed correctly) Some legacy applications are still in place and they are bound to LDAP
>
>> Take a look at the 'Security hardening' section of the documentation:
>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
> Thanks. Will take a look
>
>> This is a bit unclear. All objects in the ldap servers are replicated (all
>> ldap servers are masters).
>>
>> You do not need to open the whole internet to your environment, you can
>> firewall everything but the hosts that need authenticating/authorizing.
> The problem is that AWS is kind of dynamic. If a host does not use an elastic (static) IP but a public one, it will change after the instance is stopped and started. Firewalling AWS hosts would be a nightmare)
> As for HTTP. We would like to keep LDAP consistent. Actually we want a master-slave scheme and are trying to achieve it in that dirty way. The problem with multi-master is that it gives the possibility of replication conflicts when simultaneous changes to one object take place from different replicas. Even an RFC exists which describes it:
> https://tools.ietf.org/html/draft-zeilenga-ldup-harmful-00
>
> Thanks.
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
--
Kristian Petersen
System Administrator
BYU Dept. of Chemistry and Biochemistry
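The host-firewall scheme Charles describes in the thread (a cron job that dumps the hosts known to IPA into an ipset that iptables matches on), written out as an added example; this is not code from the thread or from the FreeIPA project. It assumes the `ipa` CLI is installed and the job runs with a Kerberos ticket allowed to read host entries, that `ipset` and `iptables` are present, and that `ipa host-find --raw` prints one `fqdn:` line per host; the set name `ipa_hosts`, the temp-set swap, and the refusal to install an empty set are my additions, not something Charles said he does.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild an IPv4 ipset from the list of
# hosts enrolled in IPA, so the host firewall only admits enrolled machines.
# Assumptions: `ipa` CLI + a Kerberos ticket that can read host entries,
# `ipset`/`iptables` installed, set name "ipa_hosts" is made up here.

SET_NAME="${SET_NAME:-ipa_hosts}"

# Print the FQDN of every enrolled host, one per line.
# Assumes `ipa host-find --raw` prints "fqdn: <name>" lines; --sizelimit=0
# lifts the default search size limit so large deployments are not truncated.
list_ipa_hosts() {
    ipa host-find --raw --sizelimit=0 2>/dev/null | sed -n 's/^ *fqdn: *//p'
}

# Resolve FQDNs read from stdin to IPv4 addresses on stdout.
resolve_hosts() {
    while read -r fqdn; do
        [ -n "$fqdn" ] || continue
        getent ahostsv4 "$fqdn" 2>/dev/null | awk '{print $1}'
    done
}

# Read addresses from stdin and emit an `ipset restore` script that fills a
# temporary set and atomically swaps it into place, so iptables never matches
# against a half-built or empty set. Pure text transformation: it can be
# exercised without root and without ipset installed.
gen_ipset_restore() {
    gs_set="$1"
    gs_tmp="${gs_set}_tmp"
    printf 'create %s hash:ip family inet -exist\n' "$gs_set"
    printf 'create %s hash:ip family inet -exist\n' "$gs_tmp"
    printf 'flush %s\n' "$gs_tmp"
    sort -u | while read -r ip; do
        case "$ip" in
            *[!0-9.]*|"") ;;   # skip blanks and anything that is not dotted digits
            *.*.*.*) printf 'add %s %s\n' "$gs_tmp" "$ip" ;;
        esac
    done
    printf 'swap %s %s\n' "$gs_tmp" "$gs_set"
    printf 'destroy %s\n' "$gs_tmp"
}

# The cron entry point: dump -> resolve -> restore script -> kernel set.
# The matching rule is added once, outside the job, e.g.:
#   iptables -I INPUT -p tcp -m multiport --dports 88,389,443,464,636 \
#            -m set --match-set ipa_hosts src -j ACCEPT
apply_ipset() {
    addrs="$(list_ipa_hosts | resolve_hosts)"
    # Refuse to swap in an empty set: a failed `ipa` call or broken DNS must
    # not lock every enrolled host out of the IPA servers.
    if [ -z "$addrs" ]; then
        echo "no addresses resolved; leaving $SET_NAME untouched" >&2
        return 1
    fi
    printf '%s\n' "$addrs" | gen_ipset_restore "$SET_NAME" | ipset restore
}

# Only touch the kernel when explicitly asked, so the functions above can be
# sourced or tested safely:  IPA_IPSET_APPLY=1 ./ipa-ipset.sh
if [ "${IPA_IPSET_APPLY:-0}" = "1" ]; then
    apply_ipset
fi
```

Because the restore script is generated separately from the step that applies it, you can run `gen_ipset_restore` by hand on a saved address list and review the `add` lines before letting cron apply them; the `swap`/`destroy` pair is what keeps the existing set serving traffic until the new one is complete.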