2 of our 3 IPA servers are exposed to the Internet. However we have a host 
firewall that limits the hosts that can access us. We use iptables with an 
ipset. I have a cron job that dumps a list of hosts known to IPA and adds them 
to the ipset. So basically we’ll only accept connections from hosts that we 
know about. That was easier for us to manage than to do things on a network 
basis, since we’ve got hosts in lots of subnets. I use the kdcproxy for working 
at home.

Initially I thought we’d expose the IPA web interface. But in the end users 
normally do things with custom web applications I’ve written, so we didn’t need 
to make the IPA web app available. My web application runs on a different 
server.
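The cron-populated ipset described above, written out as an added example (this is not the poster's script). It assumes a set named ipa_hosts, a valid Kerberos ticket for `ipa host-find` in the cron environment, and IPv4-only hosts; the tmp-set-and-swap keeps the allowlist from being empty while it is rebuilt.

```shell
#!/bin/sh
# Added example: rebuild an ipset of hosts known to IPA from `ipa host-find`.
# Assumptions (not from the original post): set name ipa_hosts, ipset/iptables
# on the server, a ticket obtained beforehand (e.g. kinit -k in the cron wrapper).
# Matching rule, applied once by hand:
#   iptables -I INPUT -m set --match-set ipa_hosts src -j ACCEPT
set -eu

SET_NAME="${SET_NAME:-ipa_hosts}"

# Pull FQDNs out of `ipa host-find --raw` output (lines of the form "  fqdn: name").
extract_fqdns() {
    sed -n 's/^[[:space:]]*fqdn: \(.*\)$/\1/p' | sort -u
}

# Resolve one FQDN to its IPv4 addresses (empty output if it does not resolve).
resolve_v4() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u
}

# Turn host-find output on stdin into one IPv4 address per line. A host that no
# longer resolves is logged and skipped rather than aborting the whole refresh.
build_members() {
    extract_fqdns | while read -r fqdn; do
        addrs=$(resolve_v4 "$fqdn") || true
        if [ -z "$addrs" ]; then
            echo "warn: $fqdn did not resolve, skipping" >&2
            continue
        fi
        printf '%s\n' "$addrs"
    done | sort -u
}

# Atomically replace the live set: fill a temporary set from stdin, then swap,
# so the firewall never matches against a half-filled allowlist.
refresh_ipset() {
    tmp="${SET_NAME}_tmp"
    ipset create "$SET_NAME" hash:ip -exist
    ipset create "$tmp" hash:ip -exist
    ipset flush "$tmp"
    while read -r ip; do
        [ -n "$ip" ] && ipset add "$tmp" "$ip" -exist
    done
    ipset swap "$tmp" "$SET_NAME"
    ipset destroy "$tmp"
}

# Invoked from cron as: refresh-ipa-ipset.sh --run
if [ "${1:-}" = "--run" ]; then
    ipa host-find --raw --sizelimit=0 | build_members | refresh_ipset
fi
```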

> On May 21, 2019, at 12:48 PM, Stepan Vardanyan via FreeIPA-users 
> <freeipa-users@lists.fedorahosted.org> wrote:
> 
> Hi Natxo, 
> 
>> A vpn between data centers is a best practice. It does not have to be very
>> complex or expensive, openvpn comes to mind, but if you have no experience
>> with vpns I can understand that they can look very hard.
> I have enough experience with OpenVPN) The problem is that we have dozens of 
> AWS accounts (or datacenters), so an openvpn server would have to be set up in 
> every account with proper monitoring, because if the VPN fails, authentication 
> stops working (the sssd cache saves some time, but it's still a single point of 
> failure). Things get worse if we stick with a private DNS zone in FreeIPA. This 
> requires setting up local DNS forwarding in every AWS account. Maintaining 
> this is pretty hard.
> 
>> This is ok, I would probably bump tls to 1.2 but you may have applications
>> that do not work properly with that so you know better ;-)
> You guessed correctly) Some legacy applications are still in place and they 
> are bound to LDAP.
> 
>> Take a look at the 'Security hardening' section of the documentation:
>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
> Thanks. Will take a look.
> 
>> This is a bit unclear. All objects in the ldap servers are replicated (all
>> ldap servers are masters).
>> 
>> You do not need to open the whole internet to your environment, you can
>> firewall everything but the hosts that need authenticating/authorizing.
> The problem is that AWS is kind of dynamic. If a host does not use an elastic 
> IP (static) but a public one, it will change after the instance is stopped and 
> started. Firewalling AWS hosts would be a nightmare)
> As for HTTP: we would like to keep LDAP consistent. Actually we want a 
> master-slave scheme, and are trying to achieve it in that dirty way. The 
> problem with multi-master is that it opens the possibility of replication 
> conflicts when simultaneous changes to one object take place on different 
> replicas. Even an RFC exists which describes it: 
> https://tools.ietf.org/html/draft-zeilenga-ldup-harmful-00
> 
> Thanks.

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org