Dmitri Pal, the director at Red Hat who manages Red Hat IdM, says that IdM is great for internal stuff but you should use Directory Server for outside stuff or if you need a customized schema. Both can be integrated with Red Hat SSO.

On Tue, May 21, 2019 at 1:19 PM Charles Hedrick via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
2 of our 3 IPA servers are exposed to the Internet. However we have a host firewall that limits the hosts that can access us. We use iptables with an ipset. I have a cron job that dumps a list of hosts known to IPA and adds them to the ipset. So basically we’ll only accept connections from hosts that we know about. That was easier for us to manage than to do things on a network basis, since we’ve got hosts in lots of subnets. I use the kdcproxy for working at home.

Initially I thought we’d expose the IPA web interface. But in the end users normally do things with custom web applications I’ve written, so we didn’t need to make the IPA web app available. My web application runs on a different server.

> On May 21, 2019, at 12:48 PM, Stepan Vardanyan via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
>
> Hi Natxo,
>
>> A vpn between data centers is a best practice. It does not have to be very
>> complex or expensive, openvpn comes to mind, but if you have no experience
>> with vpns I can understand that they can look very hard.
> I have enough experience with OpenVPN) The problem is that we have dozens of AWS accounts (or datacenters), so an OpenVPN server would have to be set up in every account with proper monitoring, because if the VPN fails, authentication stops working (the sssd cache buys some time, but it's still a single point of failure). Things get worse if we stick with a private DNS zone in FreeIPA. This requires setting up local DNS forwarding in every AWS account. Maintaining this is pretty hard.
>
>> This is ok, I would probably bump tls to 1.2 but you may have applications
>> that do not work properly with that so you know better ;-)
> You guessed correctly) Some legacy applications are still in place and they are bound to LDAP
>
>> Take a look at the 'Security hardening' section of the documentation:
>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
> Thanks. Will take a look
>
>> This is a bit unclear. All objects in the ldap servers are replicated (all
>> ldap servers are masters).
>>
>> You do not need to open the whole internet to your environment, you can
>> firewall everything but the hosts that need authenticating/authorizing.
> The problem is that AWS is kind of dynamic. If a host uses a public IP rather than an elastic (static) one, the address changes after the instance is stopped and started. Firewalling AWS hosts would be a nightmare)
> As for HTTP: we would like to keep LDAP consistent. Actually, we want a master-slave scheme and are trying to achieve it in that dirty way. The problem with multi-master is that it opens the possibility of replication conflicts when simultaneous changes to one object happen on different replicas. An RFC even exists which describes it: https://tools.ietf.org/html/draft-zeilenga-ldup-harmful-00
>
> Thanks.
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org



--
Kristian Petersen
System Administrator
BYU Dept. of Chemistry and Biochemistry
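The cron-driven ipset allow-list Charles describes above (only hosts known to IPA may reach the exposed servers), written out as an added example rather than code from anyone on this thread. It assumes the ipa CLI has a valid Kerberos ticket when cron runs it, that `ipa host-find --raw` prints `fqdn:` lines, IPv4-only hosts, and that a default-deny policy for the rest of INPUT is configured separately.

```shell
#!/bin/sh
# Added example: rebuild an ipset allow-list of IPA-enrolled hosts and swap it
# in atomically. Assumes a Kerberos ticket for the ipa CLI (e.g. kinit -k in
# the cron job), ipset/iptables installed, IPv4 only.
SET_NAME="ipa_hosts"

# FQDN of every enrolled host. The "fqdn:" line format of --raw output is an
# assumption; --sizelimit=0 lifts the default result cap.
ipa_host_fqdns() {
    ipa host-find --raw --sizelimit=0 | awk '$1 == "fqdn:" { print $2 }'
}

# Resolve each FQDN on stdin to its IPv4 addresses; hosts that no longer
# resolve are skipped instead of aborting the whole run.
resolve_hosts() {
    while read -r fqdn; do
        [ -n "$fqdn" ] || continue
        getent ahostsv4 "$fqdn" | awk '{ print $1 }'
    done | sort -u
}

# Keep only dotted quads so nothing unexpected reaches `ipset restore`.
only_ipv4() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Emit an `ipset restore` script: fill a scratch set, then swap it into place
# so the live allow-list is never empty (or partial) mid-update.
build_ipset_restore() {
    name="$1"
    echo "create ${name}_new hash:ip family inet -exist"
    echo "flush ${name}_new"
    while read -r ip; do
        echo "add ${name}_new $ip"
    done
    echo "create $name hash:ip family inet -exist"
    echo "swap ${name}_new $name"
    echo "destroy ${name}_new"
}

apply_allowlist() {
    ipa_host_fqdns | resolve_hosts | only_ipv4 | build_ipset_restore "$SET_NAME" | ipset restore
    # Idempotent ACCEPT rule for the set: -C checks before -I inserts.
    iptables -C INPUT -m set --match-set "$SET_NAME" src -j ACCEPT 2>/dev/null ||
        iptables -I INPUT -m set --match-set "$SET_NAME" src -j ACCEPT
}

if [ "${1:-}" = "--apply" ]; then apply_allowlist; fi
```

Run it as `sh ipa-allowlist.sh --apply` from cron; the swap means a failed `ipa host-find` leaves the previous set untouched rather than locking everyone out.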