Hello,
I've proposed to migrate from OpenLDAP to FreeIPA in my organization because the former did not meet our requirements as we were moving to Single Sign-On. We migrated to FreeIPA but set it up with an internal DNS name. This was a dumb decision, as we have a lot of external hosts in AWS and other datacenters which we want to join to our FreeIPA for authentication with one credential and to utilize policies (HBAC, sudoers) easily and centrally.
We found that there are two solutions:
- set up tunnels between AWS and the datacenters to make our DNS zone and FreeIPA servers available;
- redeploy the whole FreeIPA with an external DNS name and expose the FreeIPA servers to the Internet.
We ended up with the second option because the first one is very complex, but the second option makes us think about security.
What came to mind is:
- disable anonymous bind;
- prohibit unencrypted traffic and improve communications security by using options: nsslapd-minssf=128, nsslapd-require-secure-binds=on, sslVersionMin=TLS1.1.
So, there are several questions:
1) Is there anything else from a security perspective that we should care about or configure properly (Kerberos DC, for example)?
2) We want to share with users only one Web service from a specific replica, so users will not cause replication conflicts by modifying entries in other replicas. Is it OK if we restrict the web ports (80, 443) to localhost on the other replicas and leave all other ports (389, 636, 88, 464) on all replicas open to the Internet?
3) How secure and strong is the default SASL/GSSAPI replication mechanism? I've noticed that the traffic is encrypted but can be decrypted by using the server's Kerberos keytab.
4) Overall, even with all the previous concerns taken into account, is it proper to open FreeIPA to the Internet? This is kind of a rhetorical question, as we see that this is the only choice for us, but we just want to hear some advice and expert vision.
P.S. We don't utilize the FreeIPA internal DNS service. DNS is configured on external hosts.
Thanks in advance.
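The 389-ds settings listed in the post (anonymous bind, nsslapd-minssf, nsslapd-require-secure-binds, sslVersionMin) can be audited from an LDIF dump of cn=config and applied with ldapmodify. The script below is an added example, not code from the post, FreeIPA or 389-ds: it parses a constructed sample dump, reports which of the four settings are weak, generates the ldapmodify LDIF that hardens them, and re-audits the result in memory. The attribute names are real 389-ds attributes; the sample values are made up, and the TLS floor of TLS1.2 is this example's assumption (the post proposes TLS1.1, which can be passed as min_tls instead).

```python
"""Audit and hardening helper for the 389-ds (FreeIPA directory server)
settings named in the post.  Added example, not FreeIPA or 389-ds project
code; it works on an LDIF dump in memory and never contacts a server."""

# Constructed sample of an `ldapsearch -b cn=config` dump BEFORE hardening.
# The attribute names are real 389-ds attributes; the values are made up.
SAMPLE_CONFIG_LDIF = """\
dn: cn=config
nsslapd-allow-anonymous-access: on
nsslapd-minssf: 0
nsslapd-require-secure-binds: off

dn: cn=encryption,cn=config
sslVersionMin: TLS1.0
"""

TLS_ORDER = {"TLS1.0": 1, "TLS1.1": 2, "TLS1.2": 3, "TLS1.3": 4}


def parse_ldif(text):
    """Parse a simple single-valued LDIF dump into {dn: {attr: value}}."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip(), value.strip()
        if attr.lower() == "dn":
            current = value
            entries.setdefault(current, {})
        elif current is not None:
            entries[current][attr] = value
    return entries


def render_ldif(entries):
    """Inverse of parse_ldif."""
    blocks = []
    for dn, attrs in entries.items():
        lines = [f"dn: {dn}"] + [f"{a}: {v}" for a, v in attrs.items()]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


def audit(config_text, min_ssf=128, min_tls="TLS1.2"):
    """Return a list of weak settings; an empty list means all four checks pass.
    A missing attribute is treated as the permissive value so it is reported."""
    cfg = parse_ldif(config_text)
    root = cfg.get("cn=config", {})
    enc = cfg.get("cn=encryption,cn=config", {})
    findings = []
    # "rootdse" keeps the root DSE readable (clients use it for discovery)
    # while hiding the rest of the tree from unauthenticated clients.
    if root.get("nsslapd-allow-anonymous-access", "on").lower() not in ("off", "rootdse"):
        findings.append("anonymous bind to the whole tree is allowed")
    # Minimum security strength factor: 128 rejects cleartext and weak ciphers.
    if int(root.get("nsslapd-minssf", "0")) < min_ssf:
        findings.append(f"nsslapd-minssf is below {min_ssf}")
    # Simple (password) binds must only be accepted over an encrypted connection.
    if root.get("nsslapd-require-secure-binds", "off").lower() != "on":
        findings.append("simple binds are accepted over cleartext")
    # Minimum TLS protocol version (unknown value counts as weakest).
    if TLS_ORDER.get(enc.get("sslVersionMin", "TLS1.0"), 0) < TLS_ORDER[min_tls]:
        findings.append(f"sslVersionMin is below {min_tls}")
    return findings


def hardening_ldif(min_ssf=128, min_tls="TLS1.2"):
    """LDIF for `ldapmodify` applying the settings the post proposes
    (the TLS floor is this example's choice; the post suggests TLS1.1)."""
    return (
        "dn: cn=config\n"
        "changetype: modify\n"
        "replace: nsslapd-allow-anonymous-access\n"
        "nsslapd-allow-anonymous-access: rootdse\n"
        "-\n"
        "replace: nsslapd-minssf\n"
        f"nsslapd-minssf: {min_ssf}\n"
        "-\n"
        "replace: nsslapd-require-secure-binds\n"
        "nsslapd-require-secure-binds: on\n"
        "\n"
        "dn: cn=encryption,cn=config\n"
        "changetype: modify\n"
        "replace: sslVersionMin\n"
        f"sslVersionMin: {min_tls}\n"
    )


def apply_modify(config_text, modify_ldif):
    """Apply the `replace:` operations of a modify LDIF to a config dump in
    memory, so the result can be re-audited before touching a real server."""
    entries = parse_ldif(config_text)
    for block in modify_ldif.strip().split("\n\n"):
        lines = block.splitlines()
        dn = lines[0].partition(":")[2].strip()
        target = entries.setdefault(dn, {})
        for line in lines[1:]:
            attr, sep, value = line.partition(":")
            if not sep or attr in ("changetype", "replace"):
                continue  # skip operation markers and the "-" separator
            target[attr.strip()] = value.strip()
    return render_ldif(entries)


if __name__ == "__main__":
    print("before:", audit(SAMPLE_CONFIG_LDIF))
    hardened = apply_modify(SAMPLE_CONFIG_LDIF, hardening_ldif())
    print("after:", audit(hardened))
```

Because cn=config is per-server and is not replicated, the generated LDIF has to be applied on every replica that is reachable from the Internet, and the audit should be run against a dump from each one rather than from a single server.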