Angus Clarke via FreeIPA-users wrote:
Hello
We have a single mesh of FreeIPA servers in several different locations, we capture logs (apache ErrorLog directive) to a log server in each of those locations. When auditors ask us questions we have to trawl log servers from all locations as our IdM administrators might have used any of the IdM servers to make changes.
To limit that access to one site, I am considering stopping and disabling apache on all IdM servers at other sites and just wanted to check there are no unintended consequences in that action.
I'm not looking for enforcement, merely a means of persuading the team to use the web interface or command line tools at one site.
It's completely untested so if something went wrong you'd be pretty far out on the ledge.
You're purposely creating a single-point-of-failure. You'd need to work out some system to transition the web server to another server.
The chosen server would need to run a CA, otherwise it will try to find one and fail at connecting since the CA connect is proxied through Apache.
Establishing a new CA would likewise almost certainly be problematic.
The ipa-ca CNAME is used so clients can use OCSP. You'd have to manually limit this value to only the available web server. Same with CRL.
Running other administrative commands on those hosts would fail miserably (ipa-certupdate, ipa-cacert-manage for sure).
I'm not certain if ipa-server-upgrade which is also run at package installation needs local API access. IPA servers make certain assumptions about what basic services are available.
So this could well be the kind of thing that seems to work, you relax and forget about it, then all heck breaks loose.
Either way, masking/stopping the service wouldn't really work since it is managed via ipactl. You'd have to mark the service as disabled in IPA, and I'm not sure you can do that to an IPA service so you'd probably have to do it manually using ldapmodify.
rob
Thanks for your input Rob - you've said enough to scare me off the topic!
Cheers
Angus
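Angus's underlying problem is an audit trail scattered across per-site log servers, and Rob's advice is to leave httpd running everywhere. The pragmatic alternative is to merge the API-call lines from every server's httpd error_log into one timeline. The script below is an added example, not code from the thread or from FreeIPA itself. It assumes the line layout FreeIPA's WSGI server writes to Apache's ErrorLog (principal, command, arguments, result); the server names and log lines are constructed for the example.

```python
"""Merge FreeIPA API audit lines from several servers' httpd error_log files into one timeline.

Added example for illustration; not part of the mailing-list thread or of FreeIPA.
"""
import re
from datetime import datetime

# Constructed sample data: hypothetical server names and made-up log lines in the layout
# FreeIPA's WSGI server uses for API calls (assumed format; verify against your own error_log).
SAMPLE_LOGS = {
    "ipa1.site-a.example.test": [
        "[Thu Oct 08 09:12:01.102934 2020] [wsgi:error] [pid 2210:tid 139700] [remote 10.1.0.5:51022] "
        "ipa: INFO: [jsonserver_session] admin@EXAMPLE.TEST: user_add/1(u'bob', givenname=u'Bob', sn=u'Smith', version=u'2.237'): SUCCESS",
        # Ordinary httpd noise that carries no audit information and must be skipped.
        "[Thu Oct 08 09:12:02.000001 2020] [core:notice] [pid 2201:tid 139700] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'",
    ],
    "ipa2.site-b.example.test": [
        "[Thu Oct 08 09:10:30.551200 2020] [wsgi:error] [pid 1877:tid 139800] [remote 10.2.0.9:40110] "
        "ipa: INFO: [jsonserver_session] admin@EXAMPLE.TEST: group_add_member/1(u'sysadmins', user=(u'carol',), version=u'2.237'): SUCCESS",
        "[Thu Oct 08 09:15:45.003300 2020] [wsgi:error] [pid 1877:tid 139801] [remote 10.2.0.9:40118] "
        "ipa: INFO: [jsonserver_session] admin@EXAMPLE.TEST: user_del/1(u'alice', version=u'2.237'): NotFound",
    ],
    "ipa3.site-c.example.test": [
        "[Thu Oct 08 09:13:10.770000 2020] [wsgi:error] [pid 3012:tid 139900] [remote 10.3.0.2:60201] "
        "ipa: INFO: [jsonserver_kerb] ops-admin@EXAMPLE.TEST: hbacrule_add/1(u'allow_ssh_ops', version=u'2.237'): SUCCESS",
    ],
}

# One API call per line: httpd timestamp, client address, transport channel, Kerberos principal,
# command name with API version, argument list and the result (SUCCESS or an error class name).
API_LINE = re.compile(
    r"^\[(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{6} \d{4})\] "
    r"\[wsgi:error\] \[pid \d+:tid \d+\] \[remote (?P<client>[^\]]+)\] "
    r"ipa: INFO: \[(?P<channel>[^\]]+)\] (?P<principal>\S+): "
    r"(?P<command>\w+)/\d+\((?P<args>.*)\): (?P<result>\w+)$"
)


def parse_api_line(server, line):
    """Return a structured event for an API-call line, or None for any other httpd line."""
    m = API_LINE.match(line)
    if not m:
        return None
    # httpd's default ErrorLog timestamp carries no time zone, so servers in different sites
    # must be NTP-synced and log in one common zone for the merged ordering to be trustworthy.
    return {
        "when": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y"),
        "server": server,
        "client": m["client"],
        "channel": m["channel"],
        "principal": m["principal"],
        "command": m["command"],
        "args": m["args"],
        "result": m["result"],
    }


def merge_audit_trail(logs_by_server):
    """Flatten per-server logs into a single list of API events ordered by time."""
    events = []
    for server, lines in logs_by_server.items():
        for line in lines:
            event = parse_api_line(server, line)
            if event is not None:
                events.append(event)
    events.sort(key=lambda e: e["when"])
    return events


def events_for_principal(events, principal):
    """Answer the auditor's usual question: everything one administrator did, on any server."""
    return [e for e in events if e["principal"] == principal]


def failures(events):
    """Calls that did not succeed; the result field holds the IPA error class name."""
    return [e for e in events if e["result"] != "SUCCESS"]


def format_event(event):
    """One human-readable line per event, with the originating server kept visible."""
    return (f"{event['when'].isoformat()} {event['server']} {event['principal']} "
            f"from {event['client']}: {event['command']}({event['args']}) -> {event['result']}")


if __name__ == "__main__":
    for ev in merge_audit_trail(SAMPLE_LOGS):
        print(format_event(ev))
```

In practice the dictionary would be filled from the files each site's log server already collects, one key per IdM server; the merged list then answers "who changed what, where, and when" without touching the servers' service configuration.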
From: Rob Crittenden rcritten@redhat.com
Sent: 08 October 2020 20:52
To: FreeIPA users list freeipa-users@lists.fedorahosted.org
Cc: Angus Clarke angus@charworth.com
Subject: Re: [Freeipa-users] Stop/Disable Apache on IdM servers